
Summary
This detection rule identifies a user's first use of the deviceCode authentication protocol within a 14-day period. Device code authentication is designed for devices without a keyboard or browser, but it can be abused in phishing attacks: an attacker who tricks a user into completing the device code flow can obtain access tokens and impersonate that user. Monitoring for new instances of this authentication type is therefore important for detecting potential account compromise early. A successful sign-in using this method warrants further investigation, especially when it occurs unexpectedly or without context. Where deviceCode usage corresponds to legitimate scenarios, establish appropriate policies and monitoring so that normal operational behavior does not generate false positive alerts.
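As an added illustration (not part of the rule itself), the following Python implements the rule's logic over constructed sample sign-in events: a successful deviceCode sign-in is flagged when the same user has no successful deviceCode sign-in in the preceding 14 days. The field names (userPrincipalName, authenticationProtocol, resultType) follow the Entra ID sign-in log schema as an assumption; map them to whatever your log source provides.

```python
from datetime import datetime, timedelta

# Baseline window from the rule: a deviceCode sign-in is "new" when the same
# user has no successful deviceCode sign-in in the preceding 14 days.
LOOKBACK = timedelta(days=14)

# Constructed sample sign-in events, not real log data. Field names mirror the
# Entra ID sign-in log schema as an assumption.
SAMPLE_EVENTS = [
    {"time": "2024-10-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "resultType": "0"},
    {"time": "2024-10-05T10:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "resultType": "0"},
    {"time": "2024-10-20T11:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "resultType": "0"},
    {"time": "2024-10-02T12:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "resultType": "0"},
    {"time": "2024-10-03T13:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "resultType": "50126"},
    {"time": "2024-10-04T14:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "resultType": "0"},
]


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_device_code_sign_ins(events, lookback=LOOKBACK):
    """Return successful deviceCode sign-ins whose user has no successful
    deviceCode sign-in within `lookback` before them (failed attempts are
    ignored both as alerts and as baseline, since the rule is about use)."""
    last_seen = {}  # user -> time of most recent successful deviceCode sign-in
    alerts = []
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if event["authenticationProtocol"] != "deviceCode" or event["resultType"] != "0":
            continue
        user = event["userPrincipalName"]
        when = parse_time(event["time"])
        previous = last_seen.get(user)
        if previous is None or when - previous > lookback:
            alerts.append({"user": user, "time": event["time"]})
        last_seen[user] = when
    return alerts
```

On the sample data this yields three alerts: alice's initial sign-in, bob's first successful sign-in (his failed attempt the day before is ignored), and alice's sign-in on 2024-10-20, which falls 15 days after her previous one.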
Categories
- Cloud
- Identity Management
- AWS
- Azure
Data Sources
- User Account
- Application Log
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1528
Created: 2024-10-14