Login Investigator Agent
durch adaQuest
Investigates user sign-ins to detect risk, anomalies, CA outcomes, and related incidents.
Login Investigator is a Security Copilot agent designed to analyze and contextualize user authentication activity across Microsoft Entra ID.
The agent provides security teams with a clear view of how identities are accessing corporate resources by analyzing sign-in activity within a defined lookback window (default 7 days). By consolidating authentication telemetry, Login Investigator helps analysts quickly understand where users are logging in from, which devices are used, and how authentication protections such as MFA and Conditional Access are applied.
Login Investigator automatically correlates identity signals including successful and failed logins, geographic access patterns, IP intelligence, and device posture. The agent also enriches authentication sources using Microsoft Defender Threat Intelligence (MDTI) when available to identify potentially malicious infrastructure involved in login activity.
The resulting investigation report highlights authentication anomalies, suspicious access patterns, and identity risk indicators, allowing SOC analysts and security administrators to rapidly determine whether a user account is behaving normally or potentially compromised.
Login Investigator is designed to reduce the manual effort required to investigate authentication events by consolidating identity telemetry, security context, and threat intelligence into a single structured investigation output.
Key capabilities
- Analysis of user sign-in activity within a configurable investigation window (default 7 days)
- Visibility into successful and failed login sources, including regions and IP addresses
- IP reputation enrichment using Microsoft Defender Threat Intelligence (MDTI) when available
- Identification of authentication anomalies and suspicious login patterns
- Device context analysis including Intune device compliance when available
- Authentication security insights including MFA usage and Conditional Access enforcement
- Structured investigation reports designed for SOC analysts and security administrators
Security Copilot Units (SCU) consumption
Login Investigator is designed with efficient and predictable SCU consumption while performing identity investigation and enrichment workflows.
- Estimated SCU consumption per execution is ~5 SCU
Login Investigator applies scoped data retrieval, correlation-first analysis, and targeted enrichment queries to optimize execution efficiency while maintaining high-value identity investigation insights across environments of different sizes.