Query Details

Successful device code sign-in

Successful Device Code Authentication

Query

IdentityLogonEvents 
| where ActionType == @"LogonSuccess"
| where LogonType == @"Cmsi:Cmsi"
| extend Application = tostring(parse_json(AdditionalFields).['ARG.CLOUD_SERVICE']),
         Country = geo_info_from_ip_address(IPAddress).country
| project-reorder Timestamp, AccountUpn, LogonType, ActionType, Application, IPAddress, Country

About this query

Explanation

This query is designed to identify successful sign-ins to an organization's Entra ID (formerly Azure Active Directory) using device code authentication. It specifically looks for logon events where the action type is "LogonSuccess" and the logon type is "Cmsi:Cmsi," which indicates device code authentication.

The query extracts additional information such as the application used for the sign-in and the country from which the sign-in originated, based on the IP address. This information is then organized in a specific order for easier analysis.

The query can be run in both Microsoft Defender XDR and Microsoft Sentinel environments, with slight differences in the timestamp field used for ordering the results.

It is important to note that if you are already ingesting AADSignInEventsBeta or SigninLogs, you should not use this query. Additionally, there is a potential for false positives from the Microsoft Authentication Broker application, which can be filtered out if necessary.

The query is relevant to the MITRE ATT&CK technique T1566.002, which involves phishing through spearphishing links. The risk associated with this query is that an adversary could potentially sign in to the organization using device code authentication, which could be part of a phishing campaign.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 21, 2025

Tables

IdentityLogonEvents

Keywords

IdentityLogonEventsApplicationCountryTimestampAccountUpnTypeActionIPAddress

Operators

IdentityLogonEventswhere==@"LogonSuccess"@"Cmsi:Cmsi"extendtostringparse_json['ARG.CLOUD_SERVICE']geo_info_from_ip_addresscountryproject-reorder

MITRE Techniques

Actions

GitHub