Microsoft 365 AiTM Defense
Sentinel detection, same session, two sources
When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …
Microsoft 365 AiTM Defense
Sentinel detection, suspicious sign-in plus persistence action
The highest-fidelity detection in this bundle. Catches the chain: dodgy sign-in, then within 2 hours a forwarding rule, …
Microsoft 365 Device Code Defense
Detecting device code phishing in Microsoft Sentinel, one field, one rule
Every successful device code sign-in writes `AuthenticationProtocol == deviceCode` to SigninLogs. Normal users almost never trigger this. The …