Microsoft 365 AiTM Defense
Sentinel detection, same session, two sources
When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …
Microsoft 365 AiTM Defense
Sentinel detection, sign-in from a hosting ASN
Real users sign in from residential ISPs and corporate networks. Attackers replaying cookies sign in from rented VPS. …
Microsoft 365 OAuth Consent Defense
Five Sentinel detections for OAuth consent attacks (with the KQL inline)
Suspicious consent grant, mass campaign, anomalous SP sign-in, post-consent credential addition, and Graph API mass read. Plus a …
Microsoft 365 Device Code Defense
Detecting device code phishing in Microsoft Sentinel, one field, one rule
Every successful device code sign-in writes `AuthenticationProtocol == deviceCode` to SigninLogs. Normal users almost never trigger this. The …