
Investigating identity incidents faster: less tool-hopping, faster decisions

Identity incidents are among the most frequent and time-critical security events SOC teams face. Whether it's a suspicious sign-in, a flagged user account, or a Microsoft Defender incident with identity context — the core question is almost always the same:

Was this authentication legitimate, suspicious, or compromised?

The answer should come quickly. In practice, it rarely does. Analysts pivot between Microsoft Defender, Entra ID Sign-in Logs, Entra Audit Logs, Conditional Access policies, Risky Users, Threat Intelligence, mailbox telemetry, and URL click events — context-switching instead of analyzing, losing critical time before any decision can be made.

The problem: decisions come too late

Before a verdict is even possible, analysts must manually verify a wide range of details for every identity incident:

  • Which users and IP addresses are involved?
  • Were there anomalous sign-ins?
  • Was MFA successfully completed?
  • What Conditional Access decision was applied?
  • Are there indicators of VPN, proxy, or hosting provider usage?
  • Is there correlated email or URL activity?
  • Is the IP address flagged in Threat Intelligence?

This work is necessary – but it routinely takes up to 40 minutes of manual pivoting per incident. Even at modest incident volumes, the operational load compounds quickly.

What Sign-In Investigator changes

Sign-In Investigator addresses this directly. Rather than pivoting manually across Microsoft security data sources, our Microsoft Security Copilot Agent delivers a structured, evidence-based investigation report covering:

  • An incident summary
  • Relevant sign-in activity for the affected user
  • Anomaly signals: new locations, MFA status, Conditional Access outcomes, legacy authentication, and suspicious network metadata
  • Identity context, IP reputation, email and URL telemetry where available
  • Risk classification and recommended next steps

The result is not a black-box verdict. It's a transparent, auditable decision brief.

From up to 40 minutes down to ~4 minutes

Sign-In Investigator reduces average investigation time from 20 to 40 minutes down to approximately 4 minutes per incident. To put that in perspective, here's what it looks like for an example 20-analyst SOC handling 320 identity incidents per day:

Manual tier-1 triage per incident        ~20 to 40 min
Triage with Sign-In Investigator         ~4 min
Time saved per incident                  ~16 to 36 min
Daily savings across 320 incidents       ~85 to 192 analyst hours
Annual capacity unlocked                 ~31,000 to 70,000 analyst hours

The benefit: this is capacity analysts can redirect toward threat hunting, alert tuning, complex investigations, and incident response, where human expertise matters most.

How the agent works

Sign-In Investigator accepts either a Microsoft Defender Incident ID or a User Principal Name. From there, the investigation runs in four steps:

1. Resolve incident context
Extract affected users, involved IP addresses, and relevant URLs.

2. Reconstruct sign-in activity
Analyze Entra ID Sign-in Logs for anomalous patterns: new locations, MFA status, Conditional Access decisions, device posture, and legacy authentication.

3. Enrich with context
Append identity context, audit events, IP reputation, and email and URL telemetry.

4. Generate report and recommendations
Classify findings by risk level and consolidate them into a structured Markdown report with clear, actionable next steps.
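One way to express the anomaly logic of step 2 and the risk classification of step 4 in code, as an added example that is not part of the agent or of this post: it runs over a few constructed sign-in records whose field names are simplified from Entra ID sign-in log properties (an assumption, not the agent's schema), flags new locations, missing MFA, non-success Conditional Access outcomes and legacy authentication clients, and returns each sign-in's risk level together with the signals that produced it, so the verdict stays transparent rather than a black box.

```python
# Constructed sample sign-in records (not real telemetry). Field names are
# simplified from Entra ID sign-in log properties; this is an assumption of
# the example, not the agent's data model.
SIGNINS = [
    {"upn": "j.doe@example.com", "ip": "203.0.113.10", "country": "DE",
     "mfa": "multiFactorAuthentication", "ca": "success",
     "client": "Browser", "result": 0},
    {"upn": "j.doe@example.com", "ip": "203.0.113.10", "country": "DE",
     "mfa": "multiFactorAuthentication", "ca": "success",
     "client": "Mobile Apps and Desktop clients", "result": 0},
    {"upn": "j.doe@example.com", "ip": "198.51.100.7", "country": "NG",
     "mfa": "singleFactorAuthentication", "ca": "notApplied",
     "client": "IMAP4", "result": 0},
]

# Client app values that indicate legacy (non-modern) authentication.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}

# Recommendations only; containment stays with the analyst.
NEXT_STEPS = {
    "high": "recommend password reset and session revocation; analyst to confirm",
    "medium": "recommend MFA/Conditional Access review and further investigation",
    "low": "no action; record as legitimate",
}


def baseline_countries(signins, upn):
    """Known-good baseline: countries seen on successful, MFA-satisfied sign-ins."""
    return {s["country"] for s in signins
            if s["upn"] == upn and s["result"] == 0
            and s["mfa"] == "multiFactorAuthentication"}


def signals(signin, baseline):
    """Anomaly signals that fire for a single sign-in, in a fixed order."""
    found = []
    if signin["country"] not in baseline:
        found.append("new_location")
    if signin["mfa"] != "multiFactorAuthentication":
        found.append("mfa_not_satisfied")
    if signin["ca"] != "success":
        found.append("ca_" + signin["ca"])
    if signin["client"] in LEGACY_CLIENTS:
        found.append("legacy_auth")
    return found


def classify(found):
    """Risk level: a new location without MFA is the strongest combination."""
    if "new_location" in found and "mfa_not_satisfied" in found:
        return "high"
    return "medium" if found else "low"


def triage(signins, upn):
    """Decision brief for one user: every sign-in with its signals and risk."""
    baseline = baseline_countries(signins, upn)
    brief = []
    for s in signins:
        if s["upn"] != upn:
            continue
        sig = signals(s, baseline)
        risk = classify(sig)
        brief.append({"ip": s["ip"], "signals": sig, "risk": risk,
                      "next_step": NEXT_STEPS[risk]})
    return brief
```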

Good to know: the agent makes no calls to third-party APIs, and no data leaves the Microsoft tenant.

Human in the loop: the agent recommends, the analyst decides

Sign-In Investigator may surface recommendations such as password reset, session revocation, account lock, MFA review, or further investigation, but it never executes containment actions autonomously. Every decision remains with the analyst, governed by existing approval workflows, runbooks, or SOAR processes.

Within a managed SOC, the agent sits precisely between alert and response, accelerating investigation, standardizing assessment, and handing off a clear decision brief to the analyst in control.

Built for Microsoft-native security operations

Sign-In Investigator is designed for SOC and identity teams across common scenarios including:

  • Tier-1 triage of Entra ID sign-in alerts
  • Review of flagged or high-risk user accounts
  • IP and URL enrichment with Threat Intelligence
  • Preparation of auditable incident reviews

Read-only usage requires at minimum the Security Reader role. The Security Operator role or higher is required if containment actions such as password reset, session revocation, or account lock are to be executed based on the agent's recommendations.

Sign-In Investigator also requires the following Microsoft products:

  • Microsoft Entra ID P2
  • Microsoft Defender for Office 365 Plan 2
  • Microsoft Defender Threat Intelligence

Sign-In Investigator is now available in the Microsoft Security Store!
