Query Details

Detect device code login with user risk

Detect Device Code With User Risk

Query

union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultSignature =~ "SUCCESS"
| where AuthenticationProtocol =~ "deviceCode"
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName

About this query

Detect device code login with user risk

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1078.004Valid Accounts: Cloud Accountshttps://attack.mitre.org/techniques/T1078/004/

Description

Threat actors regularly use Device Code authentication to login into compromised accounts. Popular attacks for this are using device code phishing attacks for example. Even though every organization should block device code authentication in conditional access, you can create a fall-back detection rule to flag device code logins by risky users.

Risk

Detect attackers login into an account after a device code phishing attack.

Author <Optional>

References

Microsoft Sentinel

Explanation

This query is designed to detect potentially risky logins to cloud accounts using device code authentication, which is a method sometimes exploited by attackers through phishing attacks. Here's a simplified breakdown of what the query does:

  1. Data Sources: It combines data from two logs: SigninLogs and AADNonInteractiveUserSignInLogs. These logs contain records of sign-in activities.

  2. Time Frame: The query focuses on sign-in events that occurred within the last hour.

  3. Successful Logins: It filters for logins where the result was "SUCCESS", indicating that the login attempt was successful.

  4. Device Code Authentication: It specifically looks for logins that used the "deviceCode" authentication protocol, which is a method that can be targeted by attackers.

  5. User Risk Events: It joins this data with another set of logs, AADUserRiskEvents, which records risk events associated with user accounts over the past day.

  6. Purpose: By combining these datasets, the query identifies successful logins using device code authentication by users who have been flagged for risky behavior. This helps in detecting potential unauthorized access following a phishing attack.

Overall, this query is a security measure to identify and respond to suspicious login activities that could indicate a compromised account.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 12, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogsAADUserRiskEvents

Keywords

DevicesUserAuthenticationAccountsLogs

Operators

unionwhereago=~joinon

MITRE Techniques

Actions

GitHub