Microsoft Entra ID: Sign-in Detection Blind Spot for Disabled Accounts Closed Across Commercial and Government Tenants

The SigninAttemptsByIPviaDisabledAccounts Analytic Rule was silently missing sign-in attempts that returned the shorter ResultDescription variant “The user account is disabled.” - meaning brute-force attempts against disabled accounts from a given IP were going undetected in affected tenants. Read More →

Microsoft Entra ID Assets: EntraEligibleMembers Table Pulled Before GA

The EntraEligibleMembers (Preview) table added in v3.3.0 has been removed in this hotfix, eliminating that data source from the connector definition until a stable release. Read More →

Entra ID Brute-Force Detection: Sort Order Fix Corrects Anomaly Decomposition Input

The BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule was building unsorted time-series arrays for series_decompose_anomalies, meaning anomaly detection results could be incorrect or inconsistent across executions – this fix enforces chronological ordering and stable serialization before make_list. Read More →

Microsoft Entra ID Assets Connector: EntraEligibleMembers Table Added (Preview)

The Microsoft Entra ID Assets connector gains a new EntraEligibleMembers table checkbox in the portal, expanding Privileged Identity Management (PIM) visibility for eligible role assignment tracking. Read More →

New Workbook: Hybrid Attack Kill-Chain Hunting Across Cloud and On-Prem Identity

A new behavior-led hunting workbook registers in Microsoft Sentinel covering end-to-end hybrid identity attack scenarios across 7 MITRE ATT&CK phases, correlating signals from Entra ID, Azure, on-prem AD, and Defender XDR. Read More →

New Solution: Hybrid Attack Chain Hunting Across On-Premises, Cloud, and Kubernetes

A new Microsoft Sentinel Solution ships 55+ multi-stage hunting queries designed to detect attacker pivots across on-premises identity, Azure control plane, Kubernetes, and Microsoft Entra ID – covering full kill chains that individual, single-source detections routinely miss. Read More →

Microsoft Entra ID Assets Connector Gains Owner and Sponsor Relationship Tables

Two new identity graph tables – EntraOwners and EntraSponsors – are now available in the Microsoft Entra ID Assets connector, expanding the identity relationship data surface for investigating account takeover and privilege escalation paths. Read More →

New eDCRule Solution: 10 Entra ID and Azure Subscription Analytic Rules for Privilege Escalation and Identity Abuse Detection

A new community solution adds 10 scheduled Analytic Rules (plus Chinese-localized counterparts) targeting Microsoft Entra ID privilege escalation, OAuth token abuse, federation trust tampering, and Azure VM Run Command abuse correlated with UEBA signals. Read More →

Microsoft Agent Identities Connector: New Entra Non-Human Identity Asset Visibility (Preview)

Agent 365 solution adds new Microsoft Agent Identities connector for tracking agent blueprints and non-human identity assets across four data tables. Read More →

Entra ID Post-Credential Activity Detection: Service Principal Staging and Privileged Role Escalation

Three new hunting queries target Midnight Blizzard-style persistence patterns — service principal credential staging, privileged role assignments to new accounts, and Temporary Access Pass abuse. Read More →

Entra ID Identity Boundary Expansion: Three New Hunting Queries for Stealthy Persistence

Added three hunting queries targeting identity boundary expansion techniques in Entra ID that escalate privileges without creating new accounts. Read More →

Entra ID Authentication Anomalies: Advanced Hunting for Privilege Abuse and Defense Evasion

Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations. Read More →

Entra ID Account Takeover: Three-Query Hunting Pack for Post-Compromise Detection

Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors. Read More →

Microsoft Entra ID OAuth Consent Query: Fixing Zero-Result Bug in High-Risk Permission Detection

Corrects broken hunting query that returned no results due to incorrect property name filter. Read More →

Entra ID Attack Chain Correlation: Three New Hunting Queries for Sequential Compromise Patterns

Three hunting queries detect multi-event attack chains in Entra ID—privileged role grants followed by SP credential additions and MFA disabling followed by sign-ins from unknown IPs. Read More →

Entra ID Hunting Pack: Defense Weakening and Privilege Abuse Detection

Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments. Read More →

Entra ID Workload Identity and Privileged Role Hunting Pack: Three New Detection Queries

New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques. Read More →

Entra ID Cross-Source Hunting Pack: Post-Compromise Pattern Detection

Three new hunting queries correlate AuditLogs and SigninLogs to surface post-compromise identity patterns using baseline-driven anomaly detection. Read More →

Microsoft Entra ID Table Rename: Hunting Queries Updated for Current Schema

12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references. Read More →

Entra ID Attack Chain Detection: 5 New Hunting Queries Target Application Layer Persistence

Five hunting queries expose OAuth consent abuse, privileged escalation, and Conditional Access evasion used in Midnight Blizzard and Storm-0558 campaigns. Read More →