Cybersecurity pillar

Identity threat detection and response

Fuse identity provider logs, endpoint telemetry, and UEBA to catch credential theft, session hijacking, and privilege escalation, with each detection mapped to MITRE ATT&CK Enterprise.

Signal enrichment

High-fidelity detections depend on normalized, correlated identity data.

  • Normalize identities. Standardize on immutable unique identifiers (the OIDC subject, the Entra ID object ID) rather than mutable names such as UPN or e-mail address, so IdP, EDR, and VPN events for the same person correlate even after a rename.
  • Device trust binding. Enrich sign-ins with device compliance posture, hardware IDs, and certificate fingerprints to detect token theft and replay.
  • Geo-velocity and ASN checks. Use authoritative IP intelligence to flag impossible travel and sign-ins from unmanaged ASNs or residential proxies.
  • Exposure reduction. Alert on stale privileged credentials, over-permissioned OAuth apps, and conditional access policies left disabled or in report-only mode.
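
The normalization and device-binding steps above, as an added example that is not code from the original page: events from an IdP, a VPN concentrator and an EDR are resolved to one immutable object ID, sign-ins are enriched with EDR compliance posture and certificate fingerprint, and an IdP session that later appears without its original device (the replay pattern token theft produces) is flagged. The event layout, the directory mapping, the device inventory and all sample events are constructed stand-ins for what your own sources emit.

```python
"""Identity normalization and device-trust binding over sign-in events.

Added example, not code from the original page. The event layout, directory
mapping and device inventory are constructed stand-ins for what an IdP, EDR
and VPN concentrator actually emit; replace them with your own lookups.
"""
from dataclasses import dataclass
from typing import Optional

OBJECT_ID = "b6a1e4d0-0000-4000-8000-000000000001"   # constructed immutable object ID

# Constructed directory: (source, principal as that source logs it) -> object ID.
# UPNs, e-mail addresses and SAM names can change; the object ID cannot.
DIRECTORY = {
    ("idp", "sub:8d2f9c0a"): OBJECT_ID,
    ("vpn", "jdoe"): OBJECT_ID,
    ("edr", "CORP\\jdoe"): OBJECT_ID,
}

# Constructed EDR inventory keyed by hardware ID: compliance posture and the
# certificate fingerprint enrolled for that hardware.
DEVICE_INVENTORY = {
    "HW-7731": {"compliant": True, "cert_fp": "sha256:ab12"},
    "HW-2204": {"compliant": False, "cert_fp": "sha256:77e0"},
}


@dataclass(frozen=True)
class Event:
    source: str                        # "idp", "vpn" or "edr"
    principal: str                     # identifier exactly as the source logs it
    ts: int                            # epoch seconds
    ip: str
    session_id: Optional[str] = None   # IdP session / token identifier
    device_id: Optional[str] = None    # hardware ID from the device claim
    cert_fp: Optional[str] = None      # device certificate fingerprint presented


def normalize(ev: Event) -> Optional[dict]:
    """Resolve the principal to the object ID and attach device posture.
    Returns None when the directory cannot resolve the principal."""
    object_id = DIRECTORY.get((ev.source, ev.principal))
    if object_id is None:
        return None
    posture = DEVICE_INVENTORY.get(ev.device_id) if ev.device_id else None
    return {
        "object_id": object_id, "source": ev.source, "ts": ev.ts, "ip": ev.ip,
        "session_id": ev.session_id, "device_id": ev.device_id, "cert_fp": ev.cert_fp,
        "device_known": posture is not None,
        "device_compliant": bool(posture and posture["compliant"]),
        # The presented fingerprint must match what EDR enrolled for that hardware.
        "cert_matches": bool(posture and posture["cert_fp"] == ev.cert_fp),
    }


def detect_token_misuse(events: list[Event]) -> list[dict]:
    """Bind each IdP session to the device that established it, then flag
    sign-ins that bind without a compliant device and sessions that reappear
    from different (or no) hardware, which is what a stolen token looks like."""
    bindings: dict[str, dict] = {}     # session_id -> normalized sign-in that created it
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        n = normalize(ev)
        if n is None:
            # Never drop silently: an unmapped principal is itself a gap to investigate.
            findings.append({"rule": "unresolved_principal", "source": ev.source,
                             "principal": ev.principal, "ts": ev.ts})
            continue
        if n["source"] != "idp" or not n["session_id"]:
            continue                   # VPN/EDR rows enrich identity but carry no IdP session
        first = bindings.get(n["session_id"])
        if first is None:
            bindings[n["session_id"]] = n
            if not (n["device_known"] and n["device_compliant"] and n["cert_matches"]):
                findings.append({"rule": "signin_without_compliant_device", "object_id": n["object_id"],
                                 "session_id": n["session_id"], "device_id": n["device_id"], "ip": n["ip"]})
            continue
        if n["device_id"] != first["device_id"] or n["cert_fp"] != first["cert_fp"]:
            findings.append({"rule": "session_reused_from_other_device", "object_id": n["object_id"],
                             "session_id": n["session_id"], "issued_on": first["device_id"],
                             "seen_on": n["device_id"], "issued_ip": first["ip"], "seen_ip": n["ip"],
                             "seconds_after_issue": n["ts"] - first["ts"]})
    return findings


# Constructed sample telemetry; the IPs are documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    Event("idp", "sub:8d2f9c0a", 1000, "203.0.113.10", "S-1", "HW-7731", "sha256:ab12"),  # clean sign-in, binds S-1
    Event("vpn", "jdoe", 1100, "203.0.113.10"),                                            # same person, VPN view
    Event("edr", "CORP\\jdoe", 1150, "203.0.113.10", device_id="HW-7731"),                 # same person, EDR view
    Event("idp", "sub:8d2f9c0a", 1300, "198.51.100.7", "S-1"),                              # S-1 replayed, no device claim
    Event("idp", "sub:8d2f9c0a", 2000, "203.0.113.10", "S-2", "HW-2204", "sha256:77e0"),  # new session, non-compliant device
    Event("idp", "sub:deadbeef", 2100, "203.0.113.10", "S-3"),                              # principal the directory lacks
]

if __name__ == "__main__":
    for finding in detect_token_misuse(SAMPLE_EVENTS):
        print(finding)
```

The replay rule keys on the session identifier rather than the IP, because a legitimate user on a mobile carrier changes IP constantly while keeping the same device; it is the device binding that must stay stable. Unresolved principals are emitted as findings on purpose: a source that logs an identifier the directory cannot map is exactly where correlation silently fails.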

Detection engineering checklist

Cover the highest-impact identity attack techniques first.

  • Phished session capture. Detect sign-ins whose compliant-device claim is missing, suspicious browser fingerprints, and rapid reuse of the same token or session from different IPs (ATT&CK T1539, T1185).
  • MFA bypass patterns. Alert on MFA-disabled events, factor registration changes without device binding, and challenges completed from Tor exit nodes or known-bad ASNs (ATT&CK T1556.006 for tampering with MFA; the resulting logins are T1078).
  • Privilege escalation. Monitor directory role and Group Policy Object changes, just-in-time admin activations, and credential additions to service principals (ATT&CK T1484 for policy changes; T1098.001 and T1098.003 for added cloud credentials and roles).
  • Golden SAML and OIDC abuse. Track token-signing certificate changes, audience (aud) anomalies, and assertion or token lifetimes that exceed policy (ATT&CK T1606.002).
  • Impossible routes. Combine VPN concentrator and SaaS IdP logs to surface users authenticating from two countries within a window no physical travel could close.
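
The geo-velocity and ASN checks from the enrichment list, and the impossible-routes detection above, as an added example that is not code from the original page: sign-ins already normalized to an object ID are merged across the VPN and IdP sources, sorted per identity, and consecutive hops are compared by great-circle distance over elapsed time. The IP_INTEL table is a constructed stand-in for an authoritative IP intelligence feed, the 900 km/h ceiling and 100 km floor are assumptions to tune per estate, and the sample sign-ins are constructed.

```python
"""Geo-velocity (impossible travel) and ASN checks over merged VPN and IdP sign-ins.

Added example, not code from the original page. IP_INTEL is a constructed
lookup standing in for an authoritative IP intelligence feed; the speed
ceiling and minimum-distance floor are assumptions to tune per estate.
"""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0    # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0      # assumption: ignore hops shorter than this (carrier NAT, CDN egress)

# Constructed IP intelligence. IPs are RFC 5737 documentation ranges and ASNs
# 64496-64511 are reserved for documentation (RFC 5398), so nothing here is real.
IP_INTEL = {
    "203.0.113.10": {"lat": 40.7128, "lon": -74.0060, "cc": "US", "asn": 64496, "asn_type": "corporate"},
    "203.0.113.44": {"lat": 42.3601, "lon": -71.0589, "cc": "US", "asn": 64496, "asn_type": "corporate"},
    "198.51.100.7": {"lat": 35.6762, "lon": 139.6503, "cc": "JP", "asn": 64497, "asn_type": "hosting"},
    "192.0.2.200":  {"lat": 51.5074, "lon": -0.1278,  "cc": "GB", "asn": 64498, "asn_type": "residential_proxy"},
}
UNTRUSTED_ASN_TYPES = {"residential_proxy", "tor", "anonymizing_vpn"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_geo_anomalies(signins: list[dict]) -> list[dict]:
    """signins are normalized rows {object_id, source, ts, ip} from any source,
    in any order. Consecutive sign-ins per identity are compared regardless of
    which system saw them, so a VPN hop and a SaaS hop can contradict each other."""
    by_id: dict[str, list[dict]] = {}
    for row in signins:
        by_id.setdefault(row["object_id"], []).append(row)

    findings: list[dict] = []
    for object_id, rows in by_id.items():
        rows.sort(key=lambda r: r["ts"])
        prev = None                                   # last row that had location data
        for cur in rows:
            intel = IP_INTEL.get(cur["ip"])
            if intel is None:
                # No location means no velocity check; surface the gap rather than skip it.
                findings.append({"rule": "no_ip_intel", "object_id": object_id, "ip": cur["ip"], "ts": cur["ts"]})
                continue
            if intel["asn_type"] in UNTRUSTED_ASN_TYPES:
                findings.append({"rule": "untrusted_asn", "object_id": object_id, "ip": cur["ip"],
                                 "asn": intel["asn"], "asn_type": intel["asn_type"], "ts": cur["ts"]})
            if prev is not None:
                p = IP_INTEL[prev["ip"]]
                km = haversine_km(p["lat"], p["lon"], intel["lat"], intel["lon"])
                hours = max(cur["ts"] - prev["ts"], 1) / 3600.0   # clamp: equal timestamps must not divide by zero
                if km >= MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH:
                    findings.append({"rule": "impossible_travel", "object_id": object_id,
                                     "from": (prev["source"], prev["ip"], p["cc"]),
                                     "to": (cur["source"], cur["ip"], intel["cc"]),
                                     "km": round(km), "hours": round(hours, 2), "kmh": round(km / hours)})
            prev = cur
    return findings


# Constructed sample: one identity seen by the VPN concentrator and the SaaS IdP, another via proxy.
SAMPLE_SIGNINS = [
    {"object_id": "oid-1", "source": "idp", "ts": 0,     "ip": "203.0.113.10"},   # New York
    {"object_id": "oid-1", "source": "vpn", "ts": 18000, "ip": "203.0.113.44"},   # Boston, 5 h later: fine
    {"object_id": "oid-1", "source": "idp", "ts": 21600, "ip": "198.51.100.7"},   # Tokyo, 1 h after Boston: impossible
    {"object_id": "oid-2", "source": "idp", "ts": 500,   "ip": "192.0.2.200"},    # London through a residential proxy
    {"object_id": "oid-2", "source": "idp", "ts": 600,   "ip": "10.9.8.7"},       # RFC 1918, no intel available
]

if __name__ == "__main__":
    for finding in detect_geo_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

The minimum-distance floor matters in practice: two sign-ins a few seconds apart from IPs in the same metro area (carrier NAT, a CDN egress change) would otherwise compute to thousands of km/h and flood the queue. Rows with no location data are surfaced as their own finding rather than dropped, because coverage gaps in the IP feed are where this detection is blind.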

Response playbooks

Automate Tier 1 containment while keeping humans in the loop for privilege-affecting actions.

  • Session isolation. Invalidate tokens, revoke refresh tokens, and block legacy protocols for affected identities; force re-registration of phishing-resistant MFA.
  • Device containment. When tampering is detected, quarantine the endpoint through EDR and revoke its device registration in the IdP so its device claims no longer satisfy conditional access.
  • Adaptive MFA. Escalate to step-up MFA or WebAuthn-only flows when anomalies trigger, and require manager approval for elevated access requests.
  • Post-incident validation. Rotate token-signing certificates if compromise is suspected, rotate service principal credentials, and confirm that audit log forwarding was neither interrupted nor altered while response actions ran.
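
The tiering described above, as an added example that is not code from the original page: a playbook that runs Tier 1 containment (session and refresh-token revocation, legacy-protocol block, device quarantine, forced re-enrollment of phishing-resistant MFA) immediately, and holds privilege-affecting actions (role removal, service principal rotation, signing-certificate rotation) until a named approval exists. The action names, the recording client and the approval set are hypothetical placeholders for your IdP/EDR APIs and ticketing system; the break-glass guardrail is an added assumption, not something the page states.

```python
"""Tiered containment playbook: Tier 1 runs automatically, privilege-affecting
actions wait for human approval.

Added example, not code from the original page. RecordingClient does not call
any real API; action names and the approvals mechanism are hypothetical and
map onto whatever your IdP/EDR clients and ticketing system expose.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: emergency-access accounts are never auto-contained, otherwise a
# false positive (or an attacker triggering one) locks responders out.
BREAK_GLASS = {"oid-breakglass-1"}


@dataclass
class Incident:
    object_id: str
    privileged: bool                        # holds roles that affect other identities
    device_ids: list[str] = field(default_factory=list)
    service_principals: list[str] = field(default_factory=list)
    signing_compromise_suspected: bool = False


@dataclass(frozen=True)
class Action:
    name: str
    target: str
    privilege_affecting: bool               # True -> requires a named approval


class RecordingClient:
    """Stand-in for the real IdP/EDR management clients; records what would be invoked."""
    def __init__(self) -> None:
        self.calls: list[tuple[str, str]] = []

    def call(self, action: str, target: str) -> None:
        self.calls.append((action, target))


def build_plan(inc: Incident) -> list[Action]:
    """Order is deliberate: live sessions and refresh tokens die before MFA
    re-enrollment is forced, so a still-valid stolen token cannot be used to
    register the attacker's own factor during the reset window."""
    plan = [
        Action("revoke_sessions", inc.object_id, False),
        Action("revoke_refresh_tokens", inc.object_id, False),
        Action("block_legacy_auth", inc.object_id, False),
    ]
    plan += [Action("quarantine_device", d, False) for d in inc.device_ids]
    plan += [Action("remove_device_registration", d, False) for d in inc.device_ids]
    plan.append(Action("require_phishing_resistant_mfa_reenrollment", inc.object_id, False))
    if inc.privileged:
        plan.append(Action("remove_privileged_roles", inc.object_id, True))
    plan += [Action("rotate_service_principal_credential", sp, True) for sp in inc.service_principals]
    if inc.signing_compromise_suspected:
        plan.append(Action("rotate_token_signing_certificate", "tenant", True))
    return plan


def execute(inc: Incident, client: RecordingClient, approvals: Optional[set[str]] = None) -> dict:
    """Run Tier 1 actions now; run a privilege-affecting action only when its
    name is in approvals, otherwise queue it. Break-glass targets are skipped."""
    approvals = approvals or set()
    executed: list[str] = []
    pending: list[str] = []
    skipped: list[str] = []
    for act in build_plan(inc):
        if inc.object_id in BREAK_GLASS or act.target in BREAK_GLASS:
            skipped.append(act.name)            # manual handling only
            continue
        if act.privilege_affecting and act.name not in approvals:
            pending.append(act.name)
            continue
        client.call(act.name, act.target)
        executed.append(act.name)
    return {"executed": executed, "pending": pending, "skipped": skipped}


# Constructed incident: a privileged user, one device, one owned service principal,
# and signs that the token-signing material may be exposed.
SAMPLE_INCIDENT = Incident(
    object_id="oid-1", privileged=True, device_ids=["HW-7731"],
    service_principals=["sp-ci-deploy"], signing_compromise_suspected=True,
)

if __name__ == "__main__":
    client = RecordingClient()
    print(execute(SAMPLE_INCIDENT, client))
    print(execute(SAMPLE_INCIDENT, client, approvals={"remove_privileged_roles"}))
```

The split between executed and pending is what makes the playbook safe to trigger from a detection rather than an analyst: every action that only hurts the attacker (and at worst inconveniences the user) fires on the first run, while anything that changes who holds privilege is visible in the pending queue until a human approves it by name.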