
Sentinel detections for Entra ID Sign-in

Sigma rules generated by CloudSigma and rendered into Sentinel (KQL) queries against the Entra ID Sign-in schema. Every rule is mapped to MITRE ATT&CK and validated against the Sentinel dialect.

01 Coverage at a glance
Production rules: 3
ATT&CK techniques: 2
ATT&CK tactics: 1
Output dialect: Sentinel
02 Rule index
Technique | Rule | Severity | Log source
T1078 | Valid Accounts on Entra ID Sign-in | medium | Entra ID Sign-in
T1078 | Valid Accounts on Entra ID Sign-in | medium | Entra ID Sign-in
T1078.004 | Valid Accounts: Cloud Accounts on Entra ID Sign-in | medium | Entra ID Sign-in
03 Example rule

Entra ID Risky Sign-in to Cloud Management Application, generated by CloudSigma and validated against the Sentinel dialect.

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence. Before enabling it in production, treat the falsepositives section of the rule as a starting list and tune the deployed query in your SIEM (exclusions or a watchlist) against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma Sentinel · Entra ID Sign-in · 2026-04-24
title: Entra ID Risky Sign-in to Cloud Management Application
id: 6f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c
status: experimental
description: >
    Detects successful Entra ID sign-ins to high-impact cloud
    management applications (Azure Portal, Azure CLI, Azure
    PowerShell, Microsoft Graph) where Identity Protection has
    flagged the sign-in as medium or high risk. Earlier versions
    included low-risk sign-ins, which is the default classification
    for routine activity and made the rule fire on every admin
    login. Limiting to medium/high keeps the rule actionable while
    still catching the genuine risk signals (impossible travel,
    leaked credentials, anomalous IP, unfamiliar properties).
author: CloudSigma
date: 2026-04-24
references:
    - https://attack.mitre.org/techniques/T1078/004/
    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
tags:
    - attack.initial-access
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        properties.status.errorCode: 0
        properties.appDisplayName:
            - Azure Portal
            - Microsoft Azure CLI
            - Microsoft Azure PowerShell
            - Microsoft Graph Command Line Tools
            - Microsoft Graph Explorer
    selection_risk:
        properties.riskLevelDuringSignIn:
            - medium
            - high
    condition: selection and selection_risk
falsepositives:
    - Approved admin travel triggering an impossible-travel signal during a documented trip
    - Penetration tests or red-team exercises against the tenant
    - Service principals authenticating from an Azure region newly added to the workload footprint
fields:
    - properties.userPrincipalName
    - properties.appDisplayName
    - properties.ipAddress
    - properties.location.city
    - properties.riskLevelDuringSignIn
    - properties.riskEventTypes
level: high
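The rule's detection logic evaluated over constructed sign-in records, with the allowlist tuning the experimental-rule note above calls for, and the same logic rendered in the Sentinel query form. This is an added example, not CloudSigma's renderer or any code from the page: the SigninLogs column names in FIELD_MAP and the shape of the KQL are assumptions about the Sentinel schema, and the sample events (contoso.example accounts, RFC 5737 addresses) are constructed.

```python
"""Evaluate "Entra ID Risky Sign-in to Cloud Management Application" over
constructed sign-in records, apply environment tuning, and render the logic
as a Sentinel KQL query. Added example, not CloudSigma's renderer. FIELD_MAP
assumes Sentinel SigninLogs column names; SAMPLE_EVENTS are constructed."""
from typing import Any

# Values copied from the rule's detection and fields blocks, order preserved.
MGMT_APPS = (
    "Azure Portal", "Microsoft Azure CLI", "Microsoft Azure PowerShell",
    "Microsoft Graph Command Line Tools", "Microsoft Graph Explorer",
)
RISK_LEVELS = ("medium", "high")
RULE_FIELDS = (
    "properties.userPrincipalName", "properties.appDisplayName",
    "properties.ipAddress", "properties.location.city",
    "properties.riskLevelDuringSignIn", "properties.riskEventTypes",
)
# Assumed mapping from the rule's Graph-style paths to SigninLogs columns.
# LocationDetails is a dynamic column, so the city is pulled out in an extend.
FIELD_MAP = {
    "properties.status.errorCode": "ResultType",
    "properties.appDisplayName": "AppDisplayName",
    "properties.riskLevelDuringSignIn": "RiskLevelDuringSignIn",
    "properties.userPrincipalName": "UserPrincipalName",
    "properties.ipAddress": "IPAddress",
    "properties.location.city": "City",
    "properties.riskEventTypes": "RiskEventTypes",
}

def get_path(record: dict, path: str) -> Any:
    """Walk a dotted Sigma field path through a nested JSON record."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(record: dict) -> bool:
    """`condition: selection and selection_risk` from the rule."""
    # errorCode is an int in Graph exports but the string "0" in SigninLogs.
    success = str(get_path(record, "properties.status.errorCode")) == "0"
    mgmt_app = get_path(record, "properties.appDisplayName") in MGMT_APPS
    risky = get_path(record, "properties.riskLevelDuringSignIn") in RISK_LEVELS
    return success and mgmt_app and risky

def run_rule(records: list, allow_ips: frozenset = frozenset(),
             allow_upns: frozenset = frozenset()) -> list:
    """Return the rule's `fields:` for each alert, minus tuned-out sources.
    allow_ips / allow_upns are the environment-specific exclusions
    (red-team egress, approved automation accounts) the page asks you to build."""
    alerts = []
    for rec in records:
        if not matches(rec):
            continue
        if get_path(rec, "properties.ipAddress") in allow_ips:
            continue
        if get_path(rec, "properties.userPrincipalName") in allow_upns:
            continue
        alerts.append({f: get_path(rec, f) for f in RULE_FIELDS})
    return alerts

def render_kql() -> str:
    """Render the rule as a Sentinel query (assumed shape of a backend's output)."""
    def quoted(vals):
        return ", ".join(f'"{v}"' for v in vals)
    return "\n".join([
        "SigninLogs",
        f'| where {FIELD_MAP["properties.status.errorCode"]} == "0"',
        f'| where {FIELD_MAP["properties.appDisplayName"]} in ({quoted(MGMT_APPS)})',
        f'| where {FIELD_MAP["properties.riskLevelDuringSignIn"]} in ({quoted(RISK_LEVELS)})',
        "| extend City = tostring(LocationDetails.city)",
        "| project TimeGenerated, " + ", ".join(FIELD_MAP[f] for f in RULE_FIELDS),
    ])

def event(upn, app, ip, city, code, risk, types=()):
    """Constructed sign-in record in the nested shape the rule's paths expect."""
    return {"properties": {
        "userPrincipalName": upn, "appDisplayName": app, "ipAddress": ip,
        "status": {"errorCode": code}, "location": {"city": city},
        "riskLevelDuringSignIn": risk, "riskEventTypes": list(types)}}

# Constructed events: the first, fifth and sixth match before tuning.
SAMPLE_EVENTS = [
    event("cto@contoso.example", "Azure Portal", "198.51.100.7", "Lagos", 0, "high", ["unlikelyTravel"]),
    event("dev@contoso.example", "Microsoft Azure CLI", "192.0.2.40", "Seattle", 0, "low"),          # low risk
    event("cto@contoso.example", "Azure Portal", "198.51.100.7", "Lagos", 50126, "high"),            # failed sign-in
    event("hr@contoso.example", "Office 365 Exchange Online", "198.51.100.9", "Lagos", 0, "high"),   # not a mgmt app
    event("redteam@contoso.example", "Microsoft Azure PowerShell", "203.0.113.10", "Dublin", 0, "medium", ["anonymizedIPAddress"]),
    event("svc-deploy@contoso.example", "Microsoft Graph Explorer", "203.0.113.25", "Dublin", 0, "medium", ["unfamiliarFeatures"]),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, allow_ips=frozenset({"203.0.113.10"})):
        print(alert)   # red-team egress excluded, two alerts remain
    print(render_kql())
```

Two checks worth running before trusting the numbers: confirm the column names in FIELD_MAP against your workspace's SigninLogs schema, since that mapping is assumed here rather than taken from the page, and confirm that riskLevelDuringSignIn actually carries graded values in your tenant. Sign-ins from users not licensed for Identity Protection report the level as `hidden`, and the rule can never fire on those.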
Last verified: 2026-04-24