
Microsoft 365 OAuth Redirect to Device Registration for User Principal
Elastic Detection Rules
Summary
This detection rule targets potential unauthorized device registrations in Microsoft Entra ID via OAuth authentication. Adversaries might use OAuth phishing techniques to intercept an authorization code, which can then be exchanged for access and refresh tokens, allowing unauthorized access. The rule detects a specific sequence of events: a user principal authenticating through OAuth, then immediately registering a new device. This activity may indicate misuse of the OAuth flow to gain persistence or to access resources that should not be available to the adversary. The detection logic is implemented as an EQL query that captures both the authorization and successful token exchange events, followed by the device registration action, correlating these events per user. The rule also provides investigation guidance, including examining login source IPs, scrutinizing the newly added device, and reviewing the user's account and sign-in history, and outlines response steps to contain a potential compromise, such as revoking tokens and enforcing password resets.
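The per-user sequence described above (OAuth authorization, then a successful token exchange, then a device registration shortly afterwards) can be illustrated in plain Python over a handful of constructed audit events. This is an added example, not the rule's own EQL query or Elastic's code; the event field names (`ts`, `user`, `action`, `outcome`, `device`, `src_ip`), the action values and the 30-minute window are assumptions chosen for the illustration, not the real Microsoft 365 or Entra ID log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events with a hypothetical schema (not real o365/Entra audit fields).
# alice: full sequence within the window       -> should match
# bob:   token exchange failed                  -> should not match
# carol: device registered hours later          -> outside the window, should not match
SAMPLE_EVENTS = [
    {"ts": "2025-04-30T10:00:00Z", "user": "alice@example.com", "action": "oauth_authorize", "src_ip": "203.0.113.7"},
    {"ts": "2025-04-30T10:00:05Z", "user": "alice@example.com", "action": "oauth_token_exchange", "outcome": "success", "src_ip": "203.0.113.7"},
    {"ts": "2025-04-30T10:00:40Z", "user": "alice@example.com", "action": "device_register", "device": "DESKTOP-CONSTRUCTED", "src_ip": "203.0.113.7"},
    {"ts": "2025-04-30T11:00:00Z", "user": "bob@example.com", "action": "oauth_authorize", "src_ip": "198.51.100.9"},
    {"ts": "2025-04-30T11:00:05Z", "user": "bob@example.com", "action": "oauth_token_exchange", "outcome": "failure", "src_ip": "198.51.100.9"},
    {"ts": "2025-04-30T11:00:30Z", "user": "bob@example.com", "action": "device_register", "device": "LAPTOP-CONSTRUCTED", "src_ip": "198.51.100.9"},
    {"ts": "2025-04-30T12:00:00Z", "user": "carol@example.com", "action": "oauth_authorize", "src_ip": "192.0.2.44"},
    {"ts": "2025-04-30T12:00:05Z", "user": "carol@example.com", "action": "oauth_token_exchange", "outcome": "success", "src_ip": "192.0.2.44"},
    {"ts": "2025-04-30T14:00:00Z", "user": "carol@example.com", "action": "device_register", "device": "TABLET-CONSTRUCTED", "src_ip": "192.0.2.44"},
]


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_oauth_to_device_registration(events, max_span=timedelta(minutes=30)):
    """Return one match per completed sequence, correlated per user principal.

    Sequence (assumed action names): oauth_authorize -> oauth_token_exchange (success)
    -> device_register, with the registration no later than max_span after authorization.
    A new authorization restarts the sequence; a failed exchange abandons it.
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[event["user"]].append(event)

    matches = []
    for user, user_events in by_user.items():
        stage, started = 0, None  # 0 = waiting, 1 = authorized, 2 = token obtained
        for event in user_events:
            action = event["action"]
            if action == "oauth_authorize":
                stage, started = 1, parse_ts(event["ts"])
            elif stage == 1 and action == "oauth_token_exchange":
                stage = 2 if event.get("outcome") == "success" else 0
            elif stage == 2 and action == "device_register":
                registered = parse_ts(event["ts"])
                if registered - started <= max_span:
                    matches.append({
                        "user": user,
                        "device": event.get("device"),
                        "src_ip": event.get("src_ip"),
                        "authorized_at": started.isoformat(),
                        "registered_at": registered.isoformat(),
                    })
                stage, started = 0, None  # decision made, reset the sequence
    return matches


if __name__ == "__main__":
    for match in detect_oauth_to_device_registration(SAMPLE_EVENTS):
        print(f"ALERT: {match['user']} registered {match['device']} from {match['src_ip']} "
              f"{match['registered_at']} after OAuth authorization at {match['authorized_at']}")
```

The fields carried into each match (user, device, source IP, both timestamps) are the ones the rule's investigation guidance asks an analyst to check first: whether the source IP is expected for that user, and whether the newly registered device is known. In production the window and the correlation key would come from the actual rule and log schema rather than the assumed values used here.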
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1528
- T1098
- T1098.005
Created: 2025-04-30