Detect device code login with user risk
Detect Device Code With User Risk
Query
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultSignature =~ "SUCCESS"
| where AuthenticationProtocol =~ "deviceCode"
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalNameAbout this query
Detect device code login with user risk
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts | https://attack.mitre.org/techniques/T1078/004/ |
Description
Threat actors regularly use Device Code authentication to login into compromised accounts. Popular attacks for this are using device code phishing attacks for example. Even though every organization should block device code authentication in conditional access, you can create a fall-back detection rule to flag device code logins by risky users.
Risk
Detect attackers login into an account after a device code phishing attack.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Microsoft Sentinel
Explanation
This query is designed to detect potentially risky logins to cloud accounts using device code authentication, which is a method sometimes exploited by attackers through phishing attacks. Here's a simplified breakdown of what the query does:
-
Data Sources: It combines data from two logs:
SigninLogsandAADNonInteractiveUserSignInLogs. These logs contain records of sign-in activities. -
Time Frame: The query focuses on sign-in events that occurred within the last hour.
-
Successful Logins: It filters for logins where the result was "SUCCESS", indicating that the login attempt was successful.
-
Device Code Authentication: It specifically looks for logins that used the "deviceCode" authentication protocol, which is a method that can be targeted by attackers.
-
User Risk Events: It joins this data with another set of logs,
AADUserRiskEvents, which records risk events associated with user accounts over the past day. -
Purpose: By combining these datasets, the query identifies successful logins using device code authentication by users who have been flagged for risky behavior. This helps in detecting potential unauthorized access following a phishing attack.
Overall, this query is a security measure to identify and respond to suspicious login activities that could indicate a compromised account.
