Device Code Sign-In

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Device Code Sign-In

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1550

# Description of what the query does and its purpose.
description: |
  Detects authentication events using the device code flow as identified by Microsoft Defender for Identity, where a user enters a code on a separate device to complete sign‑in. While commonly used for legitimate scenarios, this method can be abused by attackers to perform phishing‑based authentication or bypass traditional sign‑in monitoring

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Identity

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor = "microsoft"
  |#event.dataset="defender-identity.IdentityLogonEvents"
  |Vendor.properties.LogonType ="Cmsi:Cmsi"
  |table([@timestamp,event.action,host.ip[0],host.os.name,host.type,user.name,Vendor.properties.AccountDisplayName,Vendor.properties.ISP])

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects authentication events using the device code flow as identified by Microsoft Defender for Identity, where a user enters a code on a separate device to complete sign‑in. While commonly used for legitimate scenarios, this method can be abused by attackers to perform phishing‑based authentication or bypass traditional sign‑in monitoring