Entra ID Cross-Source Hunting Pack: Post-Compromise Pattern Detection

May 19, 2026 · Microsoft Sentinel Changelog

Type Hunting Queries

Rating Medium

Action Update

View PR on GitHub

What Changed

Added three hunting queries to the MultipleDataSources folder that correlate Entra ID data sources to detect post-compromise identity abuse patterns:

MFARegistrationFromUnseenIP.yaml - Flags MFA method registrations from IP addresses absent in the user’s 30-day sign-in baseline
SignInFromNewCountryWithSensitiveOperation.yaml - Correlates sign-ins from new countries with sensitive operations within one hour
BulkRoleAssignmentsInShortWindow.yaml - Detects rapid role assignments by the same actor within a 10-minute window

Detection Logic

MFA Registration Query:

Primary data source: AuditLogs + SigninLogs
Core logic: Compares MFA registration source IPs against 30-day per-user sign-in IP baselines, flagging registrations from novel addresses
Entity types: Account, IP
Baseline period: 30 days of successful sign-ins

Country Correlation Query:

Primary data source: SigninLogs + AuditLogs
Core logic: Identifies sign-ins from countries absent in user’s 30-day baseline, then correlates with sensitive operations (role assignments, consent grants, credential additions) within 1 hour
Entity types: Account, IP
Correlation window: 1 hour post-sign-in

Bulk Role Assignment Query:

Primary data source: AuditLogs + SigninLogs
Core logic: Aggregates successful “Add member to role” operations by actor in 10-minute buckets, flags when threshold (≥3 assignments) is reached, enriches with actor’s most recent sign-in country
Entity types: Account, IP
Time window: 10-minute buckets with configurable threshold

MITRE Mapping

T1556.006 (Multi-factor Authentication) - MFA registration from novel IP addresses
T1078.004 (Valid Accounts: Cloud Accounts) - Sign-ins from new countries followed by privileged actions
T1098.003 (Account Manipulation: Additional Cloud Roles) - Bulk role assignment velocity patterns

Affected Files

Hunting Queries/MultipleDataSources/BulkRoleAssignmentsInShortWindow.yaml
Hunting Queries/MultipleDataSources/MFARegistrationFromUnseenIP.yaml
Hunting Queries/MultipleDataSources/SignInFromNewCountryWithSensitiveOperation.yaml