
Summary
This detection rule aims to identify potentially risky sign-in attempts made from devices that are not Active Directory (AD) registered and for which multi-factor authentication (MFA) is not required. The rule monitors sign-in activity logged by Azure and specifically targets successful authentication events where only single-factor authentication was required. Examining the device details, a device with an empty trust type that is nonetheless flagged with a risk state of 'atRisk' indicates suspicious behaviour warranting an alert. This detection matters for organizations seeking to strengthen their security posture against unauthorized access, particularly in hybrid environments where device registration and management vary. Its purpose is to verify that appropriate authentication requirements are in place to mitigate credential-based attacks.
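As an added example (not the rule's own code and not taken from this page), the following Python applies the four conditions described above to a handful of constructed Azure sign-in records supplied as JSON lines. The field names ResultType, AuthenticationRequirement, DeviceDetail.trustType and RiskState follow the Azure Monitor SigninLogs schema and are an assumption here; the sample records, user names and event ids are constructed.

```python
"""Detection logic for successful single-factor sign-ins from devices with no
trust type whose risk state is 'atRisk'.

Added example: the field names (ResultType, AuthenticationRequirement,
DeviceDetail.trustType, RiskState) follow the Azure Monitor SigninLogs schema
and are an assumption; the sample records below are constructed, not real logs.
"""
import json
from typing import Iterable, List

# Constructed sample sign-in records as JSON lines (not real log data).
# evt-001 and evt-006 should alert; the others each fail one condition.
SAMPLE_LOG_LINES = r"""
{"Id": "evt-001", "UserPrincipalName": "alice@example.test", "ResultType": "0", "AuthenticationRequirement": "singleFactorAuthentication", "DeviceDetail": {"deviceId": "", "trustType": ""}, "RiskState": "atRisk"}
{"Id": "evt-002", "UserPrincipalName": "bob@example.test", "ResultType": "0", "AuthenticationRequirement": "multiFactorAuthentication", "DeviceDetail": {"deviceId": "", "trustType": ""}, "RiskState": "atRisk"}
{"Id": "evt-003", "UserPrincipalName": "carol@example.test", "ResultType": "0", "AuthenticationRequirement": "singleFactorAuthentication", "DeviceDetail": {"deviceId": "d-123", "trustType": "Azure AD registered"}, "RiskState": "atRisk"}
{"Id": "evt-004", "UserPrincipalName": "dave@example.test", "ResultType": "0", "AuthenticationRequirement": "singleFactorAuthentication", "DeviceDetail": {"deviceId": "", "trustType": ""}, "RiskState": "none"}
{"Id": "evt-005", "UserPrincipalName": "erin@example.test", "ResultType": "50126", "AuthenticationRequirement": "singleFactorAuthentication", "DeviceDetail": {"deviceId": "", "trustType": ""}, "RiskState": "atRisk"}
{"Id": "evt-006", "UserPrincipalName": "frank@example.test", "ResultType": 0, "AuthenticationRequirement": "singleFactorAuthentication", "RiskState": "atRisk"}
not valid json
"""


def parse_signin_lines(text: str) -> List[dict]:
    """Parse a JSON-lines export; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_successful(event: dict) -> bool:
    # SigninLogs exports ResultType as the string "0" on success; other
    # exports use an int, so compare on the string form of either.
    return str(event.get("ResultType", "")).strip() == "0"


def is_single_factor(event: dict) -> bool:
    return event.get("AuthenticationRequirement") == "singleFactorAuthentication"


def has_empty_trust_type(event: dict) -> bool:
    # A missing DeviceDetail block is treated like an empty trustType:
    # in both cases the device is not registered with the directory.
    device = event.get("DeviceDetail") or {}
    return (device.get("trustType") or "").strip() == ""


def is_at_risk(event: dict) -> bool:
    # RiskState values are case-sensitive ("atRisk", "none", ...).
    return event.get("RiskState") == "atRisk"


def matches_rule(event: dict) -> bool:
    """All four conditions of the rule must hold for an alert."""
    return (is_successful(event) and is_single_factor(event)
            and has_empty_trust_type(event) and is_at_risk(event))


def detect_risky_signins(events: Iterable[dict]) -> List[dict]:
    """Return one alert summary per event that matches the rule."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "id": event.get("Id"),
                "user": event.get("UserPrincipalName"),
                "reason": "single-factor success from device with empty trustType while RiskState=atRisk",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_risky_signins(parse_signin_lines(SAMPLE_LOG_LINES)):
        print(alert)
```

Each condition lives in its own predicate so a tuning change (for example, also alerting on 'confirmedCompromised') touches one function, and a record with no DeviceDetail block at all is deliberately treated as an unregistered device rather than silently dropped.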
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- User Account
- Logon Session
- Cloud Service
Created: 2023-01-10