Sentinel • KQL • Session Hijacking

The Logs Already Knew

Nothing looked wrong. No high severity alerts. No incidents. Just another quiet day in Microsoft Sentinel… until one successful sign-in raised the real question: what doesn’t fit the pattern?

This is where Microsoft Sentinel and security operations visibility becomes critical — not just reacting to alerts, but understanding behaviour across logs.

Discuss your environment Back to briefings

Briefing summary

The data was already there. Sentinel didn’t fail. The sign-in looked valid on paper, but deeper hunting across Microsoft security signals exposed impossible travel, token reuse and quiet session hijacking.

Successful sign-in with no alert

Impossible travel across regions

Stolen token moving quietly

What happened

No panic. No incident. Just one sign-in that did not feel right.

Everything looked normal Successful sign-in. Normal location on paper. No alert triggered. Exactly the kind of event most teams would scroll straight past.

The better question Attackers do not always break in loudly. They blend in. So instead of asking, “Do I have any alerts?” we asked, “What doesn’t fit the pattern?”

Because even a “normal” sign-in can expose gaps in identity and access in Microsoft Entra ID.

The hidden clue One sign-in log was enough to start pulling the thread. Quiet telemetry often tells the real story long before a formal alert does.

The KQL that changed everything

The evidence was already inside the logs. It just needed the right question.

SigninLogs
| where ResultType == 0
| extend
                            Country = tostring(LocationDetails.countryOrRegion),
                            City = tostring(LocationDetails.city),
                            AuthRequirement = tostring(AuthenticationRequirement),
                            MFA = tostring(MfaDetail.authMethod),
                            SessionId = tostring(CorrelationId)
| summarize
                            SignInCount = count(),
                            Countries = make_set(Country),
                            Cities = make_set(City),
                            IPAddresses = make_set(IPAddress),
                            AuthRequirements = make_set(AuthRequirement),
                            MFAMethods = make_set(MFA),
                            SessionIds = make_set(SessionId)
                            by UserPrincipalName, bin(TimeGenerated, 1d)
| where array_length(Countries) > 1

What it revealed Same user. Same day. Multiple locations. Australia to Europe to Asia. Impossible travel with no incident created.

No alert fired Risk-based detection did not trigger because everything looked valid. That is exactly why quiet compromise can sit beneath the surface.

The pattern was there Sentinel had the evidence. The outcome changed only because someone asked a hunting question instead of waiting for a severity label.

Agent Foskett moment

Once we pulled the thread, the story became obvious.

Defender Same device was showing PowerShell activity. Endpoint behaviour added context that the original sign-in log did not show on its own.

Entra ID Token reuse patterns started to emerge. The identity layer exposed behaviour that should not have been happening under a normal session.

This is exactly where weak enforcement in identity and access controls allows attackers to operate quietly.

Back in Sentinel More sign-ins appeared with slightly different IPs but the same session fingerprint and token trail. That was the giveaway.

What it was not No brute force. No password spray. No loud, obvious attack sequence that would have made the case easy.

What it actually was Session hijacking. A stolen token. Quiet movement under the radar using valid-looking access that blended into normal telemetry.

Why it matters If you are relying only on alerts, this kind of activity can sit in plain sight while looking completely valid to automated logic.

What most environments miss

Sentinel did not fail. The investigation question was missing.

The data was there The evidence was complete. The signals were connected. The telemetry already contained the answer before any incident was formally raised.

The real power Defender gives endpoint behaviour. Entra ID gives identity truth. Sentinel gives correlation and visibility. Hunting joins them together.

The missing skill Most environments do not need more tools. They need better questions, better interpretation and someone who knows how to hunt for the pattern behind the alert.

Related investigations

DMARC Fail Emails Find emails where authentication failed but delivery still occurred. Read more →

Spoofed Sender Domains Detect mismatched sender domains and potential spoofing attempts. Read more →

KQL Threat Hunting Guide Full investigation playbook across Defender, identity and endpoint. Read more →

After-Hours File Access When nothing looks wrong, timing often tells the real story. Detect late-night SharePoint downloads and unusual data access patterns. Read more →

The VPN Login Continued After The Exit Meeting A terminated employee continued attempting VPN, email and remote access logins after leaving the organisation, exposing the risks of incomplete offboarding and lingering identity access. Read more →

Final thought

If you are relying on alerts alone, you are already late.

At GEMXIT We do not just wait for alerts. We hunt. We interpret the telemetry, connect the evidence and act before quiet compromise turns into something bigger. If you want to understand how this applies to your environment, see our Cyber Security services.

Agent Foskett mindset Do not just ask what fired. Ask what fits, what changed, what repeated, and what should not be there in the first place.

If your logs are already telling the story, the next step is making sure your Azure environment is actually tuned to surface it. 👉 Strengthen Azure security visibility and detection

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD