Hunting Playbook: Risky Sign-ins in Microsoft Defender XDR.
The sign-in succeeded.
The password was correct. MFA may have passed. The user reached Microsoft 365.
But Microsoft still marked the activity as risky.
Agent Foskett knew the alert was not the whole investigation. Risky sign-ins must be tested against identity telemetry, user behaviour, IP addresses, device context and the timeline before defenders decide whether the account is genuinely compromised.
Lesson overview
Learn how to investigate risky sign-ins by correlating Microsoft Defender XDR, Microsoft Entra ID identity telemetry, risk signals, authentication patterns, IP addresses and user behaviour.
Why risky sign-ins matter
The risky sign-in hunting workflow
Step 1 — Review recent risky sign-ins
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("risk", "suspicious", "unfamiliar", "failed", "success")
| project Timestamp,
AccountUpn,
ActionType,
IPAddress,
Location,
DeviceName,
FailureReason
| order by Timestamp descStep 2 — Build a user sign-in timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
| project Timestamp,
AccountUpn,
ActionType,
IPAddress,
Location,
DeviceName,
FailureReason
| order by Timestamp ascStep 3 — Summarise countries and IP addresses
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 14d;
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| summarize SignInCount = count(),
Countries = make_set(Location, 20),
IPAddresses = make_set(IPAddress, 50),
Devices = make_set(DeviceName, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountUpn
| order by SignInCount descStep 4 — Find users with multiple sign-in locations
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 24h;
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| summarize Locations = make_set(Location, 20),
IPAddresses = make_set(IPAddress, 50),
DeviceNames = make_set(DeviceName, 20),
SignInCount = count(),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountUpn
| where array_length(Locations) > 1
| order by SignInCount descStep 5 — Look for suspicious success after failures
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| summarize FailedAttempts = countif(ActionType has "Failed"),
SuccessfulAttempts = countif(ActionType has "Success"),
IPAddresses = make_set(IPAddress, 50),
Locations = make_set(Location, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountUpn
| where FailedAttempts > 5 and SuccessfulAttempts > 0
| order by FailedAttempts descStep 6 — Correlate risky sign-ins with alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
let TimeFrame = 7d;
let RiskyUsers =
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("risk", "suspicious", "unfamiliar")
| distinct AccountUpn;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where AccountName in~ (RiskyUsers)
| project Timestamp,
AlertId,
AccountName,
EntityType,
EvidenceRole,
DeviceName,
RemoteIP
| order by Timestamp descCommon risky sign-in investigation clues
False positives to consider
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Hunting Playbook Risky Sign-ins in Microsoft Defender XDR
Agent Foskett Academy Lesson 108 teaches defenders how to investigate risky sign-ins using Microsoft Defender XDR, Microsoft Entra ID, identity telemetry, authentication behaviour, risk detections and KQL hunting workflows.
Learn risky sign-in hunting with KQL and Microsoft Defender XDR
Risky sign-in investigations help Microsoft security analysts validate suspicious authentication events, review locations, IP addresses, device context, MFA behaviour and post-authentication activity.
Microsoft Entra ID risky sign-in investigation tutorial
This lesson explains how to hunt for risky sign-ins, suspicious successful access, failed authentication patterns, unusual locations and identity risk signals using Microsoft security telemetry.
