Microsoft 365 AiTM Defense
Sentinel detection, same session, two sources
When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …

LinkedIn AiTM Defense
Detecting LinkedIn AiTM, three queries and a Python monitor
SPL queries for credentials submitted to a non-LinkedIn domain, li_at replayed from a new ASN, and impossible travel …

Microsoft 365 OAuth Consent Defense
Five Sentinel detections for OAuth consent attacks (with the KQL inline)
Suspicious consent grant, mass campaign, anomalous SP sign-in, post-consent credential addition, and Graph API mass read. Plus a …

Gmail BitM Defense
Detecting BitM against Gmail, network signals, browser signals, and the Workspace audit query
RFB protocol handshake on a WebSocket. Canvas-rendered login pages with no password input in the DOM. Input lag …

Microsoft 365 Device Code Defense
Detecting device code phishing in Microsoft Sentinel, one field, one rule
Every successful device code sign-in writes `AuthenticationProtocol == deviceCode` to SigninLogs. Normal users almost never trigger this. The …