
# *Detect device code login with user risk*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1078.004 | Valid Accounts: Cloud Accounts | https://attack.mitre.org/techniques/T1078/004/ |

#### Description
Threat actors regularly use device code authentication to log into compromised accounts, for example after a device code phishing attack. Even though **every organization should block device code authentication in Conditional Access**, you can create a fall-back detection rule to flag device code logins by risky users.

#### Risk
Detects an attacker logging into an account after a device code phishing attack.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://www.microsoft.com/en-us/security/blog/2025/05/29/defending-against-evolving-identity-attack-techniques/

## Microsoft Sentinel
```KQL
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultSignature =~ "SUCCESS"
| where AuthenticationProtocol =~ "deviceCode"
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName
```

Explanation

This query is designed to detect potentially risky logins to cloud accounts using device code authentication, which is a method sometimes exploited by attackers through phishing attacks. Here's a simplified breakdown of what the query does:

  1. Data Sources: It combines data from two logs: SigninLogs and AADNonInteractiveUserSignInLogs. These logs contain records of sign-in activities.

  2. Time Frame: The query focuses on sign-in events that occurred within the last hour.

  3. Successful Logins: It filters for logins where the result was "SUCCESS", indicating that the login attempt was successful.

  4. Device Code Authentication: It specifically looks for logins that used the "deviceCode" authentication protocol, which is a method that can be targeted by attackers.

  5. User Risk Events: It joins this data with another set of logs, AADUserRiskEvents, which records risk events associated with user accounts over the past day.

  6. Purpose: By combining these datasets, the query identifies successful logins using device code authentication by users who have been flagged for risky behavior. This helps in detecting potential unauthorized access following a phishing attack.

Overall, this query is a security measure to identify and respond to suspicious login activities that could indicate a compromised account.
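As an added illustration (not part of the original query page), the same detection logic as a Python function run over constructed sample records, so the 1h/1d windows, the case-insensitive `=~` match and the `kind=inner` join (one result row per matching risk event, so a user with several recent risk events appears several times) can be checked offline. Column names follow the query; the records and the `RiskEventType` values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data) using the columns the query reads.
NOW = datetime(2026, 1, 12, 12, 0, tzinfo=timezone.utc)

def ago(**kw):
    return NOW - timedelta(**kw)

SIGNIN_LOGS = [  # interactive sign-ins
    {"TimeGenerated": ago(minutes=10), "ResultSignature": "Success",
     "AuthenticationProtocol": "deviceCode", "UserPrincipalName": "alice@example.com"},
    {"TimeGenerated": ago(minutes=20), "ResultSignature": "SUCCESS",
     "AuthenticationProtocol": "ropc", "UserPrincipalName": "bob@example.com"},
    {"TimeGenerated": ago(minutes=90), "ResultSignature": "SUCCESS",  # outside 1h window
     "AuthenticationProtocol": "deviceCode", "UserPrincipalName": "carol@example.com"},
]
NONINTERACTIVE_LOGS = [  # non-interactive sign-ins, unioned with the above
    {"TimeGenerated": ago(minutes=5), "ResultSignature": "SUCCESS",
     "AuthenticationProtocol": "DeviceCode", "UserPrincipalName": "dave@example.com"},
]
RISK_EVENTS = [  # AADUserRiskEvents; RiskEventType values are assumed labels
    {"TimeGenerated": ago(hours=20), "UserPrincipalName": "alice@example.com",
     "RiskEventType": "anonymizedIPAddress"},
    {"TimeGenerated": ago(hours=2), "UserPrincipalName": "alice@example.com",
     "RiskEventType": "unfamiliarFeatures"},
    {"TimeGenerated": ago(hours=30), "UserPrincipalName": "dave@example.com",  # outside 1d
     "RiskEventType": "leakedCredentials"},
    {"TimeGenerated": ago(hours=1), "UserPrincipalName": "carol@example.com",
     "RiskEventType": "unfamiliarFeatures"},
]

def detect_risky_device_code_logins(signins, noninteractive, risk_events, now=NOW):
    # union SigninLogs, AADNonInteractiveUserSignInLogs | where TimeGenerated > ago(1h)
    recent = [r for r in signins + noninteractive
              if r["TimeGenerated"] > now - timedelta(hours=1)]
    # =~ in KQL is a case-insensitive string comparison
    hits = [r for r in recent
            if r["ResultSignature"].lower() == "success"
            and r["AuthenticationProtocol"].lower() == "devicecode"]
    # join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName
    recent_risk = [e for e in risk_events if e["TimeGenerated"] > now - timedelta(days=1)]
    return [{**login, "RiskEventType": ev["RiskEventType"], "RiskTime": ev["TimeGenerated"]}
            for login in hits for ev in recent_risk
            if login["UserPrincipalName"] == ev["UserPrincipalName"]]

if __name__ == "__main__":
    for row in detect_risky_device_code_logins(SIGNIN_LOGS, NONINTERACTIVE_LOGS, RISK_EVENTS):
        print(row["UserPrincipalName"], row["AuthenticationProtocol"], row["RiskEventType"])
```

With the sample data only alice is returned, twice (one row per risk event); carol's login and dave's risk event fall outside their windows, which is worth remembering when tuning the 1h and 1d lookbacks.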

Details

Robbe Van den Daele

Released: January 12, 2026

Tables: SigninLogs, AADNonInteractiveUserSignInLogs, AADUserRiskEvents

Keywords: Devices, User, Authentication, Accounts, Logs

Operators: union, where, ago, =~, join, on