
Sign-in Investigator

by water IT Security GmbH

Free trial

Agent correlates Entra ID, audit, email, URL & threat intel into risk guidance.

Sign-In Investigator is an interactive Security Copilot agent that helps SOC and identity teams reduce the time and effort required to investigate suspicious user sign-ins. Instead of manually pivoting across Entra ID, Defender XDR, audit logs, email and URL telemetry, and threat intelligence, analysts receive a structured, evidence-based report with risk classification and containment guidance.

Customer benefits

  • Faster triage: combines Microsoft security signals into one workflow.
  • Consistent decisions: applies a repeatable, evidence-based risk rubric.
  • Transparent findings: explains why a sign-in is classified as low, medium, or high risk.
  • Actionable guidance: recommends containment and follow-up actions tied to observed users, IPs, locations, authentication patterns, and related telemetry.


How Sign-In Investigator works

  1. Resolving a Microsoft Defender incident and extracting affected users, IP addresses, and flagged URLs.
  2. Retrieving Entra ID sign-in logs and calculating anomaly indicators including new locations, MFA status, conditional access outcomes, device posture, legacy authentication use, and sign-in error interpretation.
  3. Detecting VPN, hosting provider, or proxy usage from sign-in metadata.
  4. Pulling identity context including assigned roles, account status, Entra risk level, password and MFA history, and recent administrative activity.
  5. Enriching suspect IP addresses with Microsoft Defender Threat Intelligence reputation data.
  6. Inspecting email events and URL click telemetry related to the incident.
  7. Classifying findings using an evidence-based risk rubric.
  8. Compiling evidence tables and recommending containment actions referencing the identified users, IPs, and patterns.
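As an added illustration of steps 2 and 7 above (example code written for this page, not code from the agent or from water IT Security GmbH), the following Python computes the listed anomaly indicators over constructed sign-in records shaped after the Microsoft Graph signIn resource and applies an illustrative low/medium/high rubric. The error-code table, the legacy-client set and the rubric thresholds are assumptions, not the agent's actual rubric.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped after the Microsoft Graph signIn resource;
# the values are invented for this example, not real telemetry.
SIGN_INS = [
    # baseline history: an MFA browser sign-in from Germany
    {"createdDateTime": "2024-04-20T08:00:00+00:00", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
     "conditionalAccessStatus": "success", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication"},
    # investigation window: a failed password guess, then a successful
    # legacy-protocol sign-in without MFA from a country absent from the baseline
    {"createdDateTime": "2024-05-02T03:10:00+00:00", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50126},
     "conditionalAccessStatus": "notApplied", "clientAppUsed": "Other clients",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2024-05-02T03:12:00+00:00", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0},
     "conditionalAccessStatus": "notApplied", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication"},
]
# Assumed subset of Entra sign-in error codes and legacy client labels.
ERROR_MEANING = {0: "success", 50126: "invalid credentials",
                 50074: "MFA required", 53003: "blocked by Conditional Access"}
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP"}

def anomaly_indicators(sign_ins, now_iso, window_days=7):
    """Flag each in-window sign-in against countries seen in earlier successes."""
    ts = lambda r: datetime.fromisoformat(r["createdDateTime"])
    start = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    baseline = {r["location"]["countryOrRegion"] for r in sign_ins
                if ts(r) < start and r["status"]["errorCode"] == 0}
    findings = []
    for r in [r for r in sign_ins if ts(r) >= start]:
        findings.append({
            "ip": r["ipAddress"],
            "new_location": r["location"]["countryOrRegion"] not in baseline,
            "no_mfa": r["authenticationRequirement"] != "multiFactorAuthentication",
            "ca_failed": r["conditionalAccessStatus"] == "failure",
            "legacy_auth": r["clientAppUsed"] in LEGACY_CLIENTS,
            "outcome": ERROR_MEANING.get(r["status"]["errorCode"], "other error")})
    return findings

def classify(findings):
    """Illustrative rubric (not the agent's own): a success from a new location
    that skipped MFA or used legacy auth is high; any other indicator is medium."""
    for f in findings:
        if f["outcome"] == "success" and f["new_location"] and (f["no_mfa"] or f["legacy_auth"]):
            return "high"
    return "medium" if any(f["new_location"] or f["legacy_auth"] or f["ca_failed"] for f in findings) else "low"
```

Running `classify(anomaly_indicators(SIGN_INS, "2024-05-03T00:00:00+00:00"))` on the constructed records returns "high", because the final record is a successful single-factor IMAP4 sign-in from a country never seen in the baseline.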

Inputs

A Microsoft Defender Incident ID or user principal name (UPN). The default investigation window is 7 days but can be extended, for example “past 30 days.”

Outputs

A structured Markdown report covering incident summary, recommended actions, authentication analysis, VPN assessment, identity details, IP reputation, URL activity, email findings, and behavioral patterns.

Required Microsoft products

  • Microsoft Entra ID P2 (sign-in log retention and risk signals)
  • Microsoft Defender for Office 365 Plan 2 (email and URL click telemetry)
  • Microsoft Defender Threat Intelligence (IP reputation enrichment)

Optional Microsoft products

  • Microsoft Defender for Identity or Microsoft Sentinel UEBA (expanded identity-role and manager-attribution data)


Required role-based access control (RBAC)

Security Reader is the minimum role for read-only investigation. Security Operator or higher is required for containment actions such as password reset, session revocation, or account lock.

Estimated SCU consumption

0.3 to 0.6 Security Compute Units per incident investigation. Actual consumption varies with the number of suspect IP addresses, the size of the user's recent sign-in history, and whether email or URL inspection returns results.


Use cases

  • SOC tier-1 and tier-2 analysts triaging Entra ID and Defender identity incidents
  • Identity administrators auditing suspicious account activity
  • Threat intelligence teams enriching IOCs with Microsoft DTI data
  • Executive incident review summaries

Limitations

  • Impossible-travel detection relies on geo-IP approximations
  • Token-reuse detection is not performed
  • Legacy authentication detection depends on tenant logging and licensing
  • Recommendations do not perform automated remediation
  • Sign-in retention depends on Entra ID licensing

Privacy and data handling

The agent reads telemetry from the customer's own Microsoft Defender and Entra ID tenants. No customer data is sent outside the customer's Microsoft tenant boundary. The agent does not call any third-party APIs and does not require any external credentials.


About the publisher

Published by water IT Security GmbH, a German cybersecurity consultancy specializing in Microsoft security platform engineering and incident response operations. Support contact and full release notes are available via the publisher product page linked below.


Version 1.1.0

  • Initial release
