What Changed
Updated 12 hunting queries under Hunting Queries/Microsoft 365 Defender to use the current Microsoft Entra ID table and column names. The changes replace deprecated AAD identifiers:
- AADSignInEventsBeta → EntraIdSignInEvents
- AADSpnSignInEventsBeta → EntraIdSpnSignInEvents
- Column name AadDeviceId → EntraIdDeviceId
The matching custom-table schema files under .script/tests/KqlvalidationsTests/CustomTables/ are part of the change so that the KQL validation tests resolve the new table names.
Impact on Detection Coverage
This is a rename-only update aligning with Microsoft's rebranding of Azure Active Directory as Microsoft Entra ID. The underlying data sources and detection logic are unchanged: query filters, thresholds, and MITRE technique coverage are the same as before. The rename is still necessary rather than cosmetic, because a query that references a deprecated table stops resolving once that table is retired, and a hunt that no longer runs is a silent coverage gap.
The updated queries cover phishing campaigns (T1566), user execution of malware (T1204), Nobelium command-and-control infrastructure, and sign-in-driven persistence and privilege escalation, including:
- Device code phishing attempts
- QR code phishing campaigns
- Risky sign-ins from unmanaged devices
- Encoded domain detection for Nobelium TTPs
- Unusual volumes of file sharing and file deletion
- Credentials added from one country with sign-ins from another
- Risky sign-ins followed by device registration, a new MFA method, or access elevation
Operational Notes
Deployments using these hunting queries as shipped should see no functional changes. The table name updates keep the queries consistent with current Microsoft Entra ID schema documentation and avoid confusion with legacy AAD terminology. Forked copies of these queries, custom detections derived from them, or saved advanced hunting queries that still reference AADSignInEventsBeta, AADSpnSignInEventsBeta, or AadDeviceId are not covered by this change and need the same rename applied; identifiers in KQL are case-sensitive, so match them exactly.
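As an added example that is not part of this change or the Azure Sentinel repository, the following Python script applies the three renames listed under What Changed to hunting-query YAML files and reports any legacy references left behind, which is the check a forked deployment would want to run. The rename map is taken from this page; the sample YAML, its column names, and the file handling are assumptions made for the example.

```python
"""Added example (not part of the Azure Sentinel repository): migrate and audit
hunting-query text for the legacy AAD table/column names replaced by this
change. The mapping is the one listed under "What Changed"; the sample YAML
below is constructed for the example and is not one of the affected files."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Legacy identifier -> current Microsoft Entra ID identifier (from the change).
LEGACY_TO_ENTRA: Dict[str, str] = {
    "AADSignInEventsBeta": "EntraIdSignInEvents",
    "AADSpnSignInEventsBeta": "EntraIdSpnSignInEvents",
    "AadDeviceId": "EntraIdDeviceId",
}

# KQL identifiers are case-sensitive, so the pattern is too. The \b anchors
# stop a match from eating into a longer identifier such as a hypothetical
# AadDeviceIdHash column, which would be left alone.
_LEGACY_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in LEGACY_TO_ENTRA) + r")\b"
)

# Constructed sample in the shape of a hunting-query YAML file; the KQL column
# names are illustrative assumptions, not copied from any affected file.
SAMPLE_QUERY_YAML = """\
name: Risky sign-in from a non-managed device (constructed sample)
query: |
  let risky = AADSignInEventsBeta
    | where Timestamp > ago(7d)
    | where RiskLevelDuringSignIn >= 80 and IsManaged == 0
    | project Timestamp, AccountUpn, DeviceName, AadDeviceId, IPAddress;
  let spn = AADSpnSignInEventsBeta
    | where Timestamp > ago(7d)
    | project Timestamp, ServicePrincipalName, IPAddress;
  risky | join kind=inner spn on IPAddress
  | project Timestamp, AccountUpn, DeviceName, AadDeviceId, ServicePrincipalName, IPAddress
"""


def find_legacy_references(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, legacy identifier) for every leftover reference."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _LEGACY_PATTERN.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def migrate_query_text(text: str) -> str:
    """Rewrite legacy table/column names; everything else is left untouched."""
    return _LEGACY_PATTERN.sub(lambda m: LEGACY_TO_ENTRA[m.group(1)], text)


def migrate_file(path: Path, write: bool = False) -> int:
    """Audit one YAML/KQL file and return the number of legacy references found.

    The file is treated as text rather than parsed as YAML, so the query block,
    its indentation and any comments survive byte-for-byte. With write=True the
    rewritten text is saved back to the same path."""
    original = path.read_text(encoding="utf-8")
    count = len(find_legacy_references(original))
    if count and write:
        path.write_text(migrate_query_text(original), encoding="utf-8")
    return count


if __name__ == "__main__":
    import sys

    write = "--write" in sys.argv
    roots = [Path(a) for a in sys.argv[1:] if a != "--write"]
    if not roots:
        # Offline demo on the constructed sample.
        for lineno, ident in find_legacy_references(SAMPLE_QUERY_YAML):
            print(f"sample.yaml:{lineno}: {ident} -> {LEGACY_TO_ENTRA[ident]}")
    else:
        total = 0
        for root in roots:
            for yaml_path in sorted(root.rglob("*.yaml")):
                found = migrate_file(yaml_path, write=write)
                if found:
                    print(f"{yaml_path}: {found} legacy reference(s)")
                    total += found
        # Non-zero exit in audit mode makes this usable as a CI gate.
        sys.exit(1 if total and not write else 0)
```

Run it with no arguments to see the audit on the constructed sample, with a directory argument (for example the Hunting Queries folder of a fork) to report files that still reference the legacy names, and add --write to rewrite them in place. Plain text substitution is deliberate: round-tripping the YAML through a parser would reflow the query block and produce a noisy diff for what is a pure rename.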
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/EntraIdSignInEvents.json
.script/tests/KqlvalidationsTests/CustomTables/EntraIdSpnSignInEvents.json
Hunting Queries/Microsoft 365 Defender/Command and Control/EncodedDomainURL [Nobelium].yaml
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
Hunting Queries/Microsoft 365 Defender/Exfiltration/unusual-volume-of-file-sharing.yaml
Hunting Queries/Microsoft 365 Defender/Impact/unusual-volume-of-file-deletion.yaml
Hunting Queries/Microsoft 365 Defender/Persistence/AddedCredentialFromContryXAndSigninFromCountryY.yaml
Hunting Queries/Microsoft 365 Defender/Persistence/riskySignInToDeviceRegistration.yaml
Hunting Queries/Microsoft 365 Defender/Persistence/riskySignInToNewMFAMethod.yaml
Hunting Queries/Microsoft 365 Defender/Privilege escalation/riskySignInToElevateAccess.yaml