Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/deepthoughts10/statuses/114015134426236472">Brian Clark (deepthoughts10@infosec.exchange)'s status on Monday, 17-Feb-2025 06:38:34 JST</a><a href="https://infosec.exchange/@deepthoughts10" title="deepthoughts10@infosec.exchange"><img src="https://gnusocial.jp/avatar/116759-48-20240113200827.webp" width="48" height="48" alt="Brian Clark" style="position: absolute; left: 0; top: 0;">Brian Clark</a><div><ul><li></ul></div></section><article><p>If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the <a href="https://infosec.exchange/tags/KQL" rel="tag">#KQL</a> provided to hunt for abuse. </p><p><a href="https://infosec.exchange/tags/cybersecurity" rel="tag">#cybersecurity</a> <a href="https://infosec.exchange/tags/microsoft" rel="tag">#microsoft</a> </p><p>From: <a href="https://infosec.exchange/@fabian_bader">@fabian_bader</a><br><a href="https://infosec.exchange/@fabian_bader/114013896376345681" rel="nofollow">https://infosec.exchange/@fabian_bader/114013896376345681</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4577848#notice-8962188">In conversation</a><time datetime="2025-02-17T06:38:34+09:00" title="Monday, 17-Feb-2025 06:38:34 JST">about 9 days ago</time> <span>from <span><a href="https://infosec.exchange/@deepthoughts10/114015134426236472" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@deepthoughts10/114015134426236472">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://infosec.exchange/@fabian_bader/114013896376345681">Fabian Bader (@fabian_bader@infosec.exchange)</a></h5><div> from <span>Fabian Bader</span></div></header><div>Hunt for signins using device code flow, requesting the Device Registration Service and registering a new Entra ID device as the result#DeviceCodeFlow #Entra #Security #KQLhttps://github.com/f-bader/AzSentinelQueries/blob/master/Defender%20XDR/SignInWithDeviceCodeFlowFollowedByDeviceRegistration.md</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Brian Clark (deepthoughts10@infosec.exchange)'s status on Monday, 17-Feb-2025 06:38:34 JSTBrian Clark
- Fabian Bader
If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.
#cybersecurity #microsoft
From: @fabian_bader
https://infosec.exchange/@fabian_bader/114013896376345681
In conversationabout 9 days ago from infosec.exchangepermalink
Attachments
1. No result found on File_thumbnail lookup.
  Fabian Bader (@fabian_bader@infosec.exchange)
  from Fabian Bader
  Hunt for signins using device code flow, requesting the Device Registration Service and registering a new Entra ID device as the result #DeviceCodeFlow #Entra #Security #KQL https://github.com/f-bader/AzSentinelQueries/blob/master/Defender%20XDR/SignInWithDeviceCodeFlowFollowedByDeviceRegistration.md

Public

Embed Notice

HTML Code

Corresponding Notice