Add hunting queries: Entra ID cross-source correlation hunting pack (3 queries) #14262
Merged
v-atulyadav merged 6 commits on May 19, 2026
Conversation
Correlates AuditLogs MFA registration events with a 30-day SigninLogs IP baseline per user. Flags registrations from IPs not previously observed for that user, covering attacker-controlled MFA enrollment after credential compromise. Covers T1556.006.
Correlates SigninLogs sign-ins from countries not in a user's 30-day baseline with sensitive AuditLogs operations within one hour. Surfaces the pattern of stolen-credential access from attacker location followed by immediate privilege escalation. Covers T1078.004 and T1098.
Flags actors who assign directory roles to three or more users within a ten-minute window, enriched with the actor's last sign-in country from SigninLogs. Rapid mass privilege grants are a known post-compromise persistence pattern. Covers T1098.003.
Start all descriptions with an action verb per repo convention and reduce their length to match the existing hunting query style in the repo. No KQL or schema changes.
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds three new hunting queries for Entra ID cross-source correlation, focusing on post-compromise patterns by correlating AuditLogs and SigninLogs with baseline-based anomaly detection.
Changes:
- Adds query for MFA method registrations from IPs absent from the user's 30-day sign-in baseline
- Adds query correlating new-country sign-ins with sensitive admin operations within 1 hour
- Adds query detecting bulk role assignments (≥3 in 10 minutes) by a single actor
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Hunting Queries/MultipleDataSources/MFARegistrationFromUnseenIP.yaml | New hunt for MFA registration from previously unseen IPs |
| Hunting Queries/MultipleDataSources/SignInFromNewCountryWithSensitiveOperation.yaml | New hunt correlating geographic novelty with sensitive operations |
| Hunting Queries/MultipleDataSources/BulkRoleAssignmentsInShortWindow.yaml | New hunt for rapid bulk directory role assignments |
… InitiatedBy access
The 1-day AuditLogs stream (left side) is much smaller than the 30-day BaselineIPs aggregate (right side). Broadcasting the left table to all right-side partitions avoids an expensive shuffle join. Addresses Copilot review feedback on PR Azure#14262.
v-shukore approved these changes on May 19, 2026
v-atulyadav approved these changes on May 19, 2026
Summary
This PR adds three hunting queries that correlate data across multiple Entra ID log sources to surface post-compromise patterns that are not visible from a single table. All three queries use baseline periods to reduce noise and focus on genuinely anomalous activity rather than broad event collection.
This bundle follows PR #14239 (merged) and PR #14240 (open), continuing the same thematic focus on Entra ID identity threat detection.
Queries included
1. MFARegistrationFromUnseenIP.yaml: Correlates AuditLogs MFA registration events (User registered security info) with a 30-day per-user IP baseline from SigninLogs. Flags any MFA method enrollment from an IP address not previously observed in that user's successful sign-in history. An attacker who obtains credentials may register an attacker-controlled authenticator before the victim notices, establishing persistent MFA-backed access that survives a password reset. This query does not require Entra ID P2 licensing and complements HighRiskSignInAroundAuthMethodOrDeviceRegistration, which requires risk scores.
2. SignInFromNewCountryWithSensitiveOperation.yaml: Correlates a successful sign-in from a country not observed in the user's 30-day baseline with a sensitive AuditLogs operation performed by the same user within one hour. Sensitive operations monitored include role member additions, application consent grants, service principal credential additions, application registrations, Conditional Access policy changes, domain authentication changes, and PIM activations. The narrow one-hour correlation window and country novelty baseline together produce a high-signal pattern consistent with stolen-credential access followed by immediate privilege abuse.
3. BulkRoleAssignmentsInShortWindow.yaml: Flags actors who assign directory roles to three or more users within a ten-minute window, enriched with the actor's most recent sign-in country from SigninLogs. Legitimate role administration is deliberate and individual. A high volume of rapid role assignments is consistent with automated post-compromise persistence where an attacker grants directory roles to multiple controlled accounts before remediation occurs. The threshold is parameterised and can be adjusted per environment.
Relationship to existing queries
- DormantUserUpdateMFAandLogsIn.yaml: existing query targets dormant accounts with no recent sign-in. Query 1 here targets any active user registering MFA from a new IP, which is a different and complementary signal.
- HighRiskSignInAroundAuthMethodOrDeviceRegistration.yaml: requires Entra ID P2 risk scores. Query 1 here uses IP novelty and requires no P2 licensing.
Testing
Queries were authored against the AuditLogs and SigninLogs schemas. KQL patterns and YAML structure follow the conventions of the existing MultipleDataSources hunting queries in this repository. All files were validated for non-ASCII characters before commit.
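As an added illustration of the baseline logic behind query 1 (this is not the PR's KQL and not the repository's code): a Python reimplementation that builds the 30-day per-user IP baseline from successful sign-ins and flags MFA registrations from an IP outside it. The tuple layouts, the constructed rows and the one-day hunt window are assumptions; the operation name and table names are the ones the PR cites.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real tenant data).
# SigninLogs: (TimeGenerated, UserPrincipalName, IPAddress, ResultType)
SIGNIN_LOGS = [
    ("2026-05-01T09:00:00", "alice@contoso.example", "203.0.113.10", "0"),
    ("2026-05-10T09:00:00", "alice@contoso.example", "203.0.113.11", "0"),
    ("2026-05-18T09:00:00", "alice@contoso.example", "198.51.100.5", "50126"),  # failed: not baseline
    ("2026-03-01T09:00:00", "alice@contoso.example", "192.0.2.77", "0"),        # older than 30 days
    ("2026-05-02T09:00:00", "bob@contoso.example", "203.0.113.20", "0"),
]
# AuditLogs: (TimeGenerated, OperationName, initiating UserPrincipalName, IPAddress)
AUDIT_LOGS = [
    ("2026-05-19T10:00:00", "User registered security info", "alice@contoso.example", "198.51.100.5"),
    ("2026-05-19T10:05:00", "User registered security info", "bob@contoso.example", "203.0.113.20"),
    ("2026-05-19T10:06:00", "Update user", "bob@contoso.example", "192.0.2.9"),  # not an MFA registration
    ("2026-05-12T10:00:00", "User registered security info", "alice@contoso.example", "192.0.2.77"),  # outside hunt window
]


def ts(value):
    return datetime.fromisoformat(value)


def baseline_ips(signins, now, days=30):
    """Per-user set of IPs seen on successful sign-ins (ResultType 0) inside the baseline window."""
    start = now - timedelta(days=days)
    baseline = defaultdict(set)
    for when, upn, ip, result in signins:
        if result == "0" and start <= ts(when) < now:
            baseline[upn].add(ip)
    return baseline


def mfa_registrations_from_unseen_ip(audits, signins, now, lookback_days=1):
    """MFA registrations in the hunt window whose source IP is absent from the user's baseline.
    A user with no successful sign-ins in the baseline is flagged on every registration; tune as needed."""
    baseline = baseline_ips(signins, now)
    start = now - timedelta(days=lookback_days)
    findings = []
    for when, operation, upn, ip in audits:
        if operation != "User registered security info" or not start <= ts(when) < now:
            continue
        seen = baseline.get(upn, set())
        if ip not in seen:
            findings.append({"user": upn, "ip": ip, "time": when, "baseline_ips": sorted(seen)})
    return findings


if __name__ == "__main__":
    for finding in mfa_registrations_from_unseen_ip(AUDIT_LOGS, SIGNIN_LOGS, ts("2026-05-20T00:00:00")):
        print(finding)
```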
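As an added illustration of query 3's sliding-window logic (again not the PR's KQL): a Python version that counts distinct role-assignment targets per actor inside any ten-minute window, applies the parameterised threshold, and enriches each finding with the actor's most recent sign-in country. Row layouts and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real tenant data).
# AuditLogs "Add member to role": (TimeGenerated, initiating UserPrincipalName, target UserPrincipalName)
ROLE_ADDS = [
    ("2026-05-19T12:00:00", "admin1@contoso.example", "u1@contoso.example"),
    ("2026-05-19T12:03:00", "admin1@contoso.example", "u2@contoso.example"),
    ("2026-05-19T12:08:00", "admin1@contoso.example", "u3@contoso.example"),
    ("2026-05-19T12:08:30", "admin1@contoso.example", "u3@contoso.example"),  # same target twice: counted once
    ("2026-05-19T08:00:00", "admin2@contoso.example", "u4@contoso.example"),  # spread over hours: routine
    ("2026-05-19T09:30:00", "admin2@contoso.example", "u5@contoso.example"),
    ("2026-05-19T11:00:00", "admin2@contoso.example", "u6@contoso.example"),
]
# SigninLogs: (TimeGenerated, UserPrincipalName, Location country code)
SIGNIN_LOGS = [
    ("2026-05-18T07:00:00", "admin1@contoso.example", "US"),
    ("2026-05-19T11:55:00", "admin1@contoso.example", "NL"),
    ("2026-05-19T07:50:00", "admin2@contoso.example", "US"),
]


def ts(value):
    return datetime.fromisoformat(value)


def last_signin_country(signins, upn):
    """Country of the actor's most recent sign-in, or None if no sign-in rows exist for the actor."""
    rows = [(ts(when), country) for when, user, country in signins if user == upn]
    return max(rows)[1] if rows else None


def bulk_role_assignments(role_adds, signins, threshold=3, window_minutes=10):
    """Actors who add >= threshold distinct users to directory roles within one sliding window."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for when, actor, target in role_adds:
        by_actor[actor].append((ts(when), target))
    findings = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (window_start, _) in enumerate(events):
            targets = {t for when, t in events[i:] if when - window_start <= window}
            if len(targets) >= threshold:
                findings.append({"actor": actor, "window_start": window_start.isoformat(),
                                 "targets": sorted(targets),
                                 "last_signin_country": last_signin_country(signins, actor)})
                break  # report each actor once
    return findings
```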