Query Details

Entra QR Code Sign In KQL Detection

Query

// Entra QR Code Sign-In KQL Detection

AuditLogs
| where TimeGenerated > ago(1h)
| where Category == "UserManagement"
| where ActivityDisplayName == "Admin updated security info"
| where ResultDescription == "Admin changed QRcode Pin Authentication Method for user"

Explanation

This query monitors recent changes to QR code PIN authentication methods in Microsoft Entra. It searches the AuditLogs table for the past hour and returns entries where an administrator updated a user's security information by changing the QR code PIN authentication method. Only entries that match all three filters are shown: the Category is "UserManagement", the ActivityDisplayName is "Admin updated security info", and the ResultDescription is "Admin changed QRcode Pin Authentication Method for user".
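
A triage variant of the query above, added here as an example and not part of the original author's query: it keeps the same filters and groups the matching events by the administrator who made the change, listing the affected users. It assumes the standard `InitiatedBy` and `TargetResources` dynamic columns of `AuditLogs`; the output column names (`Actor`, `ActorIP`, `TargetUser`, and so on) are illustrative.

```kql
// Added example: same detection filters, enriched with who changed the method and for whom.
AuditLogs
| where TimeGenerated > ago(1h)
| where Category == "UserManagement"
| where ActivityDisplayName == "Admin updated security info"
| where ResultDescription == "Admin changed QRcode Pin Authentication Method for user"
// Initiator: a user principal if present, otherwise the calling application (assumed schema).
| extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
| extend Actor = iff(isnotempty(ActorUpn), ActorUpn, tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
// Target: the user whose QR code PIN method was changed.
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
// One row per initiator and source IP, so a single account touching many users stands out.
| summarize Changes = count(),
            TargetUsers = make_set(TargetUser, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Actor, ActorIP
| order by Changes desc
```

Rows with an unexpected `Actor`, an unfamiliar `ActorIP`, or a high `Changes` count are the ones to review first.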

Details

Steven Lim

Released: February 6, 2025

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, Category, ActivityDisplayName, ResultDescription, User, Admin, QRcode, Pin, Authentication, Method

Operators

|, where, >, ==