Query Details

Successful device code sign-in from unmanaged device

Successful Device Code Authentication Unmanaged Device

Query

AADSignInEventsBeta
// Filter only successful sign-ins
| where ErrorCode == 0
| where EndpointCall == "Cmsi:Cmsi"
// Filter on unmanaged devices
| where isempty(AadDeviceId)
// Optionally filter only on sign-ins with a risklevel associated with the sign-in
//| where RiskLevelDuringSignIn in(10, 50, 100)
| project-reorder TimeGenerated, AccountUpn, EndpointCall, ErrorCode, RiskLevelDuringSignIn, Application, ApplicationId, Country, IPAddress

About this query

Explanation

This query is designed to identify successful sign-ins to your organization's Entra ID (formerly Azure AD) using device code authentication from devices that are not managed by your organization. Essentially, it helps you spot instances where someone has logged in from an unmanaged device, which could be a security risk.

Here's a simplified breakdown:

  1. Purpose: The query aims to detect successful logins using device code authentication from unmanaged devices. This is important because such logins might indicate unauthorized access or a potential security threat.

  2. Context: The query is associated with a specific MITRE ATT&CK technique related to phishing, specifically spearphishing links. This suggests that the query is part of a broader effort to detect and mitigate phishing attacks.

  3. Risk: The main risk highlighted is that an adversary could successfully sign in to your organization using this method, potentially leading to unauthorized access to sensitive information.

  4. Query Details:

    • Defender XDR: This part of the query checks for successful sign-ins (where ErrorCode == 0) using a specific endpoint call (Cmsi:Cmsi) and filters out managed devices by checking if the AadDeviceId is empty.
    • Sentinel: Similarly, this part checks for successful sign-ins (ResultType == 0) using the deviceCode authentication protocol and filters out managed devices by checking if DeviceDetail.deviceId is empty.
  5. Optional Filters: Both queries allow for additional filtering based on the risk level during sign-in, which can help prioritize cases that might need more immediate attention.

  6. False Positives: The query notes that the Microsoft Authentication Broker application can generate false positives, so it suggests filtering out results related to this application to avoid unnecessary alerts.

Overall, this query is a tool for security teams to monitor and respond to potential unauthorized access attempts via unmanaged devices, helping to protect the organization's digital assets.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 19, 2025

Tables

AADSignInEventsBetaSigninLogs

Keywords

DevicesEntraIDSigninsManagementAPISentinelDefenderXDRMicrosoftAuthenticationBrokerApplicationRisk

Operators

AADSignInEventsBetaSigninLogswhereisemptyinproject-reorderextendtostring

MITRE Techniques

Actions

GitHub