
Summary
This detection rule identifies successful sign-ins to Azure that used a legacy authentication protocol. Legacy protocols cannot enforce multi-factor authentication or modern conditional access policies, which makes accounts reachable through them far more exposed to credential stuffing and password spraying. The rule monitors sign-in logs for instances where legacy authentication was used. According to Microsoft's data, the large majority of these attacks target legacy protocols, and disabling basic authentication removes most of that exposure. Where a legitimate need for legacy authentication remains, the identities concerned should be recorded in the KNOWN_EXCEPTIONS list so that they are excluded from alerting. The rule consumes logs of type Azure.Audit to detect these sign-ins and surfaces in each alert the service principal name, the user principal name, and the IP address involved in the sign-in.
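The logic described above, written out as an added illustration rather than the rule's own code: a `rule()` check that fires only on successful sign-ins using a legacy protocol by an identity outside KNOWN_EXCEPTIONS, and a `title()` that surfaces the identity and IP address. The Azure.Audit field names (`resultType`, `properties.authenticationProtocol`, `properties.clientAppUsed`) and the legacy client-app values are assumptions taken from the Azure sign-in log schema, not from this page; the events are constructed samples.

```python
from typing import Any, Dict, List

# Constructed Azure.Audit sign-in events (not real log data).
# resultType "0" denotes success; field names are assumptions based on the Azure sign-in schema.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"category": "SignInLogs", "resultType": "0",
     "properties": {"authenticationProtocol": "ropc", "clientAppUsed": "Authenticated SMTP",
                    "userPrincipalName": "scanner@example.com", "ipAddress": "203.0.113.10"}},
    {"category": "SignInLogs", "resultType": "0",            # allowed legacy use
     "properties": {"authenticationProtocol": "ropc", "clientAppUsed": "IMAP4",
                    "userPrincipalName": "legacy-printer@example.com", "ipAddress": "198.51.100.5"}},
    {"category": "SignInLogs", "resultType": "50126",         # legacy attempt that failed
     "properties": {"authenticationProtocol": "ropc", "clientAppUsed": "POP3",
                    "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.77"}},
    {"category": "SignInLogs", "resultType": "0",            # modern auth, must not alert
     "properties": {"authenticationProtocol": "oAuth2", "clientAppUsed": "Browser",
                    "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.8"}},
]

# Identities with a documented, legitimate need for legacy authentication (constructed).
KNOWN_EXCEPTIONS = ["legacy-printer@example.com"]

# Client apps that imply basic/legacy authentication (assumed set, per Microsoft's sign-in log docs).
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def is_successful_signin(event: Dict[str, Any]) -> bool:
    return event.get("category") == "SignInLogs" and str(event.get("resultType", "")) == "0"


def uses_legacy_auth(event: Dict[str, Any]) -> bool:
    props = event.get("properties", {})
    return props.get("authenticationProtocol") == "ropc" or props.get("clientAppUsed") in LEGACY_CLIENT_APPS


def actor(event: Dict[str, Any]) -> str:
    # Prefer the user principal; fall back to a service principal when present.
    props = event.get("properties", {})
    return props.get("userPrincipalName") or props.get("servicePrincipalName") or "<unknown>"


def rule(event: Dict[str, Any]) -> bool:
    return is_successful_signin(event) and uses_legacy_auth(event) and actor(event) not in KNOWN_EXCEPTIONS


def title(event: Dict[str, Any]) -> str:
    props = event.get("properties", {})
    return (f"Legacy authentication sign-in by [{actor(event)}] from [{props.get('ipAddress', '<unknown>')}] "
            f"via [{props.get('clientAppUsed', '<unknown>')}]")


def evaluate(events: List[Dict[str, Any]]) -> List[str]:
    """Return one alert title per event that triggers the rule."""
    return [title(e) for e in events if rule(e)]
```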
Categories
- Cloud
- Identity Management
- Infrastructure
Data Sources
- Logon Session
- User Account
- Application Log
Created: 2023-07-28