
Sentinel detections for Entra ID Sign-in

Sigma rules generated by CloudSigma, rendered into Sentinel queries against the Entra ID Sign-in schema. Every rule is mapped to MITRE ATT&CK and validated against the Sentinel query dialect it is rendered into.

01 Coverage at a glance

  • 4 production rules
  • 3 ATT&CK techniques
  • 2 ATT&CK tactics
  • Output dialect: Sentinel

02 Rule index

Technique   Rule                                              Severity   Log source
T1078       Valid Accounts on Entra ID Sign-in                medium     Entra ID Sign-in
T1078       Valid Accounts on Entra ID Sign-in                medium     Entra ID Sign-in
T1078.004   Valid Accounts: Cloud Accounts on Entra ID Sign-in  medium     Entra ID Sign-in
T1528       Steal Application Access Token on Entra ID Sign-in  medium     Entra ID Sign-in

03 Example rule

We are not embedding an example rule on this page yet: the rule corpus for this source is still being reviewed against a13e's public embed bar. CloudSigma can generate Sigma rules from CVE advisories, vulnerability disclosures and security research. Generate a Sentinel-targeted rule there, review it against your own telemetry (field names, volumes and expected false positives), then deploy it in your SIEM.

Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Sentinel documentation, https://docs.sentinel.com/
Last verified: 2026-06-06