What Changed

A new workbook — Hybrid Attack — Cloud & Identity Kill-Chain (Preview) — has been registered in WorkbooksMetadata.json along with dark/light preview images. The workbook is authored by Microsoft and targets behavior-led hunting across a full hybrid identity attack chain.

Detection Surface

The workbook maps to 7 sequential MITRE ATT&CK phases:

  1. Initial Access
  2. Lateral Movement
  3. Persistence
  4. Discovery
  5. Defense Evasion
  6. Credential Access
  7. Exfiltration

Each tile correlates signals across Entra ID (cloud), Azure platform, on-premises Active Directory, and Microsoft Defender XDR — suited for detecting multi-stage attacks that pivot between cloud and on-prem identity planes.

Data Sources Required

The workbook declares dependencies on the following tables:

Category               Tables
Entra ID / Identity    AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADUserRiskEvents, AuditLogs, SigninLogs, IdentityInfo
Azure Platform         AzureActivity, AzureDiagnostics, StorageBlobLogs
Defender XDR / Endpoint CloudAppEvents, CloudAuditEvents, CloudProcessEvents, CloudStorageAggregatedEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents
UEBA                   BehaviorAnalytics
Other                  CommonSecurityLog, SecurityEvent, ThreatIntelIndicators

Required connectors include Microsoft Entra ID, Azure Activity, Microsoft Defender XDR (MicrosoftThreatProtection), Microsoft Defender Threat Intelligence, Microsoft Cloud App Security, and CEF/AMA.

Operational Note

This PR registers only the workbook metadata and preview images — the actual workbook template (HybridAttack-Cloud&Identity.json) must already be present or is being deployed separately. Environments missing one or more of the 22 required data sources will have incomplete tile coverage. Prioritise ensuring AADNonInteractiveUserSignInLogs, IdentityInfo, and BehaviorAnalytics are populated, as these are central to cross-environment correlation.
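As an added example (not part of this PR, the workbook, or the Sentinel repository), the following KQL query can be run in the workspace's Logs blade before deploying the workbook to see which of the 22 required tables have actually received data in the last 7 days. It assumes that the Usage table's DataType column carries the same names as the tables listed above, which is the case for these standard tables; a table reported as MISSING means its connector is not ingesting, and the tiles that depend on it will render empty.

```kql
// Added example, not from the PR: ingestion health check for the workbook's
// required tables. The list below is the 22 tables declared in the metadata.
let requiredTables = dynamic([
    // Entra ID / Identity
    "AADNonInteractiveUserSignInLogs", "AADServicePrincipalSignInLogs", "AADUserRiskEvents",
    "AuditLogs", "SigninLogs", "IdentityInfo",
    // Azure Platform
    "AzureActivity", "AzureDiagnostics", "StorageBlobLogs",
    // Defender XDR / Endpoint
    "CloudAppEvents", "CloudAuditEvents", "CloudProcessEvents", "CloudStorageAggregatedEvents",
    "DeviceImageLoadEvents", "DeviceInfo", "DeviceLogonEvents", "DeviceNetworkEvents", "DeviceProcessEvents",
    // UEBA
    "BehaviorAnalytics",
    // Other
    "CommonSecurityLog", "SecurityEvent", "ThreatIntelIndicators"
]);
// Usage is a cheap, workspace-wide record of ingested volume per table (DataType),
// so it is queried instead of touching each of the 22 tables directly.
let observed = Usage
    | where TimeGenerated > ago(7d)
    | where DataType in (requiredTables)
    | summarize LastIngested = max(TimeGenerated), TotalMB = sum(Quantity) by DataType;
// Expand the required list into rows and left-join the observed volumes so that
// tables with no ingestion at all still appear, flagged as MISSING.
print RequiredTable = requiredTables
| mv-expand RequiredTable to typeof(string)
| join kind=leftouter observed on $left.RequiredTable == $right.DataType
| project RequiredTable,
          Status = iff(isempty(DataType), "MISSING", "OK"),
          LastIngested,
          TotalMB
| order by Status desc, RequiredTable asc
```

Run it once with the default 7-day window to catch connectors that have never been enabled, and again with a shorter window such as ago(1d) to catch connectors that were enabled but have since stalled; the three tables the note above singles out (AADNonInteractiveUserSignInLogs, IdentityInfo, BehaviorAnalytics) are the ones to resolve first, since several kill-chain tiles join on them.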

Affected Files

Workbooks/Images/Preview/HybridAttack-Cloud&IdentityBlack.png
Workbooks/Images/Preview/HybridAttack-Cloud&IdentityWhite.png
Workbooks/WorkbooksMetadata.json