Sentinel • KQL • Session Hijacking

The Logs Already Knew

Nothing looked wrong. No high severity alerts. No incidents. Just another quiet day in Microsoft Sentinel… until one successful sign-in raised the real question: what doesn’t fit the pattern?

Agent Foskett Friday Cyber Briefings
Briefing summary

The data was already there. Sentinel didn’t fail. The sign-in looked valid on paper, but deeper hunting across Microsoft security signals exposed impossible travel, token reuse and quiet session hijacking.

Successful sign-in with no alert
Impossible travel across regions
Stolen token moving quietly

What happened

No panic. No incident. Just one sign-in that did not feel right.
Everything looked normal: successful sign-in, normal location on paper, no alert triggered. Exactly the kind of event most teams would scroll straight past.
The better question: attackers do not always break in loudly. They blend in. So instead of asking, “Do I have any alerts?” we asked, “What doesn’t fit the pattern?”
The hidden clue: one sign-in log was enough to start pulling the thread. Quiet telemetry often tells the real story long before a formal alert does.

The KQL that changed everything

The evidence was already inside the logs. It just needed the right question.
SigninLogs
// Successful sign-ins only (ResultType 0 means success)
| where ResultType == 0
| extend
    Country = tostring(LocationDetails.countryOrRegion),
    City = tostring(LocationDetails.city),
    AuthRequirement = tostring(AuthenticationRequirement),
    MFA = tostring(MfaDetail.authMethod),
    // CorrelationId is carried along as the session fingerprint compared across sign-ins
    SessionId = tostring(CorrelationId)
// One row per user per day, collecting every distinct location, IP, auth requirement, MFA method and session id
| summarize
    SignInCount = count(),
    Countries = make_set(Country),
    Cities = make_set(City),
    IPAddresses = make_set(IPAddress),
    AuthRequirements = make_set(AuthRequirement),
    MFAMethods = make_set(MFA),
    SessionIds = make_set(SessionId)
  by UserPrincipalName, bin(TimeGenerated, 1d)
// Keep only users who signed in successfully from more than one country on the same day
| where array_length(Countries) > 1
What it revealed: same user, same day, multiple locations. Australia to Europe to Asia. Impossible travel with no incident created.
No alert fired: risk-based detection did not trigger because everything looked valid. That is exactly why quiet compromise can sit beneath the surface.
The pattern was there: Sentinel had the evidence. The outcome changed only because someone asked a hunting question instead of waiting for a severity label.
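The daily summary above tells you that a user touched more than one country; it does not tell you how fast they moved. The query below is an added example, not part of the briefing, that generalises the same hunt: it orders each user's successful sign-ins in time, compares every sign-in with the previous one, and computes the distance and implied speed between them from the geoCoordinates in LocationDetails. The 900 km/h ceiling, the 100 km minimum hop and the 7-day lookback are assumptions to tune for your tenant, and the query assumes LocationDetails.geoCoordinates is populated in your SigninLogs.

```kql
// Added example (not from the briefing): flag the actual hop between two
// successful sign-ins that no commercial flight could cover in the time between them.
// Assumptions: geoCoordinates are populated; thresholds below are starting points.
let lookback = 7d;
let maxPlausibleKmh = 900.0;   // faster than this between two sign-ins is "impossible travel"
let minHopKm = 100.0;          // ignore small moves (mobile carrier NAT, nearby offices)
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == 0
| extend
    Country = tostring(LocationDetails.countryOrRegion),
    City = tostring(LocationDetails.city),
    Latitude = todouble(LocationDetails.geoCoordinates.latitude),
    Longitude = todouble(LocationDetails.geoCoordinates.longitude)
| where isnotempty(Country) and isnotnull(Latitude) and isnotnull(Longitude)
| project TimeGenerated, UserPrincipalName, Country, City, IPAddress,
          Latitude, Longitude, AuthenticationRequirement, CorrelationId
// sort serialises the rows so prev() can look at the previous sign-in of the same user
| sort by UserPrincipalName asc, TimeGenerated asc
| extend
    PrevUser = prev(UserPrincipalName),
    PrevTime = prev(TimeGenerated),
    PrevCountry = prev(Country),
    PrevCity = prev(City),
    PrevIP = prev(IPAddress),
    PrevLatitude = prev(Latitude),
    PrevLongitude = prev(Longitude)
// only compare consecutive sign-ins of the same user that came from a different IP
| where PrevUser == UserPrincipalName and PrevIP != IPAddress
| extend
    MinutesBetween = datetime_diff('minute', TimeGenerated, PrevTime),
    // geo_distance_2points takes (lon1, lat1, lon2, lat2) and returns metres
    DistanceKm = geo_distance_2points(PrevLongitude, PrevLatitude, Longitude, Latitude) / 1000.0
| extend SpeedKmh = iff(MinutesBetween > 0, DistanceKm / (MinutesBetween / 60.0), real(null))
// a large hop in zero minutes is flagged too (two continents inside the same minute)
| where DistanceKm > minHopKm and (MinutesBetween == 0 or SpeedKmh > maxPlausibleKmh)
| project TimeGenerated, UserPrincipalName,
          PrevCity, PrevCountry, PrevIP, PrevTime,
          City, Country, IPAddress,
          MinutesBetween, DistanceKm = round(DistanceKm), SpeedKmh = round(SpeedKmh),
          AuthenticationRequirement, CorrelationId
| order by SpeedKmh desc
```

Each result row is one hop (previous city and IP next to the current one, with the minutes and kilometres between them), which is what an analyst needs to decide whether the sign-in is a VPN exit, a travelling user, or a token being replayed from somewhere the user is not. Dropping the PrevIP != IPAddress filter and lowering minHopKm widens the net at the cost of more carrier-NAT noise.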

Agent Foskett moment

Once we pulled the thread, the story became obvious.
Defender: the same device was showing PowerShell activity. Endpoint behaviour added context that the original sign-in log did not show on its own.
Entra ID: token reuse patterns started to emerge. The identity layer exposed behaviour that should not have been happening under a normal session.
Back in Sentinel: more sign-ins appeared with slightly different IPs but the same session fingerprint and token trail. That was the giveaway.
What it was not: no brute force, no password spray, no loud, obvious attack sequence that would have made the case easy.
What it actually was: session hijacking. A stolen token. Quiet movement under the radar using valid-looking access that blended into normal telemetry.
Why it matters: if you are relying only on alerts, this kind of activity can sit in plain sight while looking completely valid to automated logic.
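The "Entra ID" and "Back in Sentinel" observations above (the same token trail turning up behind several different IPs) can be hunted directly. The query below is an added example, not part of the briefing, that pivots on the token rather than the user-day: it unions interactive and non-interactive sign-ins, groups them by UniqueTokenIdentifier, and surfaces any token that was presented from more than one IP address. It assumes UniqueTokenIdentifier is populated in both SigninLogs and AADNonInteractiveUserSignInLogs in your tenant, and that the 7-day lookback suits your retention.

```kql
// Added example (not from the briefing): one token, many IPs.
// A legitimate session normally rides one IP (or one carrier range); a stolen
// token replayed from attacker infrastructure shows up as the same token id
// behind unrelated IPs and often a second country.
let lookback = 7d;
union
    (SigninLogs
     | where TimeGenerated > ago(lookback)
     // ResultType is stored as a string, so compare as text
     | where ResultType == "0"
     | extend SignInType = "Interactive"),
    (AADNonInteractiveUserSignInLogs
     | where TimeGenerated > ago(lookback)
     | where ResultType == "0"
     | extend SignInType = "NonInteractive")
| where isnotempty(UniqueTokenIdentifier)
// LocationDetails is dynamic in SigninLogs but a JSON string in the non-interactive
// table; parse_json() handles both, so the union keeps one Country column
| extend Country = tostring(parse_json(LocationDetails).countryOrRegion)
| project TimeGenerated, UserPrincipalName, UniqueTokenIdentifier, IPAddress,
          Country, AppDisplayName, SignInType
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Uses = count(),
    IPAddresses = make_set(IPAddress),
    Countries = make_set(Country),
    Apps = make_set(AppDisplayName),
    SignInTypes = make_set(SignInType)
  by UserPrincipalName, UniqueTokenIdentifier
// the giveaway: the same token presented from more than one IP
| where array_length(IPAddresses) > 1
| extend
    DistinctIPs = array_length(IPAddresses),
    DistinctCountries = array_length(Countries),
    TokenActiveMinutes = datetime_diff('minute', LastSeen, FirstSeen)
// multi-country tokens first, then the ones spread across the most IPs
| order by DistinctCountries desc, DistinctIPs desc
```

Tokens that span two countries rise to the top, but a single-country, multi-IP token is still worth a look when the IP set mixes a corporate egress with a hosting provider or residential range. The UserPrincipalName and UniqueTokenIdentifier pair is the pivot back into the interactive sign-in that minted the token, and from there into Defender for what the device was doing at the time.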

What most environments miss

Sentinel did not fail. The investigation question was missing.
The data was there: the evidence was complete, the signals were connected, and the telemetry already contained the answer before any incident was formally raised.
The real power: Defender gives endpoint behaviour. Entra ID gives identity truth. Sentinel gives correlation and visibility. Hunting joins them together.
The missing skill: most environments do not need more tools. They need better questions, better interpretation and someone who knows how to hunt for the pattern behind the alert.
The danger is not always the alert you missed.
It is the pattern you never looked for.

Final thought

If you are relying on alerts alone, you are already late.
At GEMXIT: we do not just wait for alerts. We hunt. We interpret the telemetry, connect the evidence and act before quiet compromise turns into something bigger.
Agent Foskett mindset: do not just ask what fired. Ask what fits, what changed, what repeated, and what should not be there in the first place.
Develop IT. Protect IT. GEMXIT PTY LTD 🇦🇺 | GEMXIT UK LTD 🇬🇧

Agent Foskett: The Logs Already Knew

This Agent Foskett cyber briefing shows how Microsoft Sentinel, KQL, Defender and Entra ID exposed impossible travel, token reuse and session hijacking in a real-world investigation.

It highlights the importance of threat hunting, asking better questions of the data and not relying on alerts alone.