Start with identity attack paths
Recent operational guidance recommended prioritizing identity-sequenced detections (chains like MFA changes followed by new-device authentication, dormant account reactivation, and privilege escalation) rather than isolated failed-login alerts. The same guidance suggested normalizing authentication, change, and endpoint events into CIM-like data models and feeding them into risk-based alerting, so that low-signal identity events combine into meaningful risk. (entra.news) (x.com)
Attackers rarely break in with one loud event. They string together small identity changes (a multifactor authentication reset, a first sign-in from a new device, a privilege jump) that only look dangerous when seen in sequence. (techcommunity.microsoft.com)

Microsoft's own guidance now frames identity as an attack path problem, not just an alert problem. In a February 9, 2026 post, the company said identity-based attacks rose more than 32% in the first half of 2025 and that 97% were password-focused. (techcommunity.microsoft.com)

An attack path is the route an intruder can take after one account is exposed. Microsoft defines it as a chain of misconfigurations, permissions, and trust relationships that lets an attacker move from an initial foothold to higher-value systems. (learn.microsoft.com)

That changes what defenders watch for. A single failed login can be harmless noise, but a dormant account coming back to life and then gaining access to sensitive groups is the kind of linked behavior Microsoft says teams should correlate across sign-in, audit, and endpoint records. (learn.microsoft.com)

The plumbing matters here. Splunk's Common Information Model describes normalized Authentication, Change, and Endpoint data models so different products log the same kinds of facts in the same fields, making cross-source searches and detections easier to build. (docs.splunk.com 1) (docs.splunk.com 2) (docs.splunk.com 3)

Microsoft's parallel approach is to push identity risk telemetry into investigation and access systems. Its Entra Identity Protection guidance says risk data can be analyzed in Azure Monitor Logs and streamed into Microsoft Defender Extended Detection and Response and Microsoft Sentinel for correlation. (learn.microsoft.com)

Risk-based controls then decide what happens next. Microsoft Entra Conditional Access can act on sign-in risk or user risk and require multifactor authentication, force a secure password change, block access, or use the newer "require risk remediation" control. (learn.microsoft.com)

The raw signals are already broad. Microsoft Entra ID Protection lists detections such as password spray, unfamiliar sign-in properties, suspicious browser use, malicious Internet Protocol addresses, and verified threat actor Internet Protocol addresses, with some detections available in real time and others offline. (learn.microsoft.com)

Security platforms are also built to merge those low-signal events into a larger case. Microsoft Defender says incidents are containers for related alerts from multiple products so analysts can investigate an attack story instead of isolated detections. (learn.microsoft.com 1) (learn.microsoft.com 2)

The practical shift is simple: start with the identity path, not the noisiest alert. If the first clue is a changed authentication method, the next question is which account, which device, which privilege, and what that sequence opened up. (techcommunity.microsoft.com)
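The sequencing and risk-based alerting described above, both in the opening summary and in the body, can be sketched in a few dozen lines. The following is an added example, not code from Microsoft, Splunk or any of the cited posts. It assumes events already normalized into dicts that borrow a handful of field names from Splunk's Authentication and Change data models (user, action, src, dest, object, object_category) plus a constructed "model" tag; the sample events, risk weights, 90-day dormancy cutoff, 24-hour chain window and alert threshold are all made up for illustration. Each event is scored on its own, then per-user scores gain a bonus when scored events fall inside the same time window, so an MFA change, a new-device sign-in and a privileged group add within an hour outscore the same three facts spread over weeks, while a lone failed login stays near zero.

```python
"""Risk-based alerting over CIM-style identity events (added example).

Assumed, not from the page: field names loosely follow Splunk's Authentication
and Change models; weights, windows and thresholds are constructed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Global Administrators", "Domain Admins"}  # constructed
DORMANT_DAYS = 90                      # constructed: no sign-in this long = dormant
SEQUENCE_WINDOW = timedelta(hours=24)  # constructed: scored events this close chain
ALERT_THRESHOLD = 60                   # constructed: per-user score that opens a case

# Constructed sample telemetry, already normalized into CIM-like fields.
EVENTS = [
    # alice: MFA reset -> new-device sign-in -> privileged group add (one chain)
    {"_time": "2026-02-09T08:00:00", "model": "Change", "user": "alice",
     "action": "modified", "object_category": "mfa_method", "src": "203.0.113.5"},
    {"_time": "2026-02-09T08:07:00", "model": "Authentication", "user": "alice",
     "action": "success", "src": "203.0.113.5", "dest": "laptop-9f2a",
     "new_device": True},
    {"_time": "2026-02-09T08:20:00", "model": "Change", "user": "alice",
     "action": "added", "object_category": "group_membership",
     "object": "Global Administrators"},
    # bob: a single failed login, noise on its own
    {"_time": "2026-02-09T09:00:00", "model": "Authentication", "user": "bob",
     "action": "failure", "src": "198.51.100.7", "dest": "vpn"},
    # carol: quiet for 100 days, then signs in and lands in a sensitive group
    {"_time": "2025-11-01T10:00:00", "model": "Authentication", "user": "carol",
     "action": "success", "src": "192.0.2.9", "dest": "workstation-1"},
    {"_time": "2026-02-09T11:00:00", "model": "Authentication", "user": "carol",
     "action": "success", "src": "192.0.2.44", "dest": "workstation-7"},
    {"_time": "2026-02-09T11:30:00", "model": "Change", "user": "carol",
     "action": "added", "object_category": "group_membership",
     "object": "Domain Admins"},
]


def _ts(event):
    """Parse the ISO 8601 event timestamp into a datetime."""
    return datetime.fromisoformat(event["_time"])


def score_event(event, last_success):
    """Score one event in isolation; returns (risk_points, reason).

    last_success is the user's previous successful sign-in time (or None) and
    drives the dormant-account rule.
    """
    model, action = event["model"], event["action"]
    if model == "Authentication" and action == "failure":
        return 2, "failed login"
    if model == "Authentication" and action == "success":
        points, why = 0, []
        if event.get("new_device"):
            points += 15
            why.append("new-device sign-in")
        if last_success and _ts(event) - last_success > timedelta(days=DORMANT_DAYS):
            points += 25
            why.append("dormant account reactivated")
        return points, ", ".join(why) or "routine sign-in"
    if model == "Change" and event.get("object_category") == "mfa_method":
        return 20, "MFA method changed"
    if (model == "Change" and event.get("object_category") == "group_membership"
            and event.get("object") in PRIVILEGED_GROUPS):
        return 40, f"added to {event['object']}"
    return 0, "unscored"


def risk_by_user(events):
    """Aggregate per-user risk, adding a bonus for scored events chained in time."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)

    result = {}
    for user, user_events in by_user.items():
        total, reasons, last_success, chain_start = 0, [], None, None
        for event in user_events:
            points, reason = score_event(event, last_success)
            if event["model"] == "Authentication" and event["action"] == "success":
                last_success = _ts(event)
            if points == 0:
                continue
            total += points
            reasons.append(reason)
            if chain_start is None:
                chain_start = _ts(event)  # first scored event opens the window
            elif _ts(event) - chain_start <= SEQUENCE_WINDOW:
                total += 10  # sequence bonus: linked behaviour, not a lone event
        result[user] = {"score": total, "reasons": reasons}
    return result


def alerts(events, threshold=ALERT_THRESHOLD):
    """Users whose combined identity risk crosses the alert threshold."""
    return {u: r for u, r in risk_by_user(events).items() if r["score"] >= threshold}


if __name__ == "__main__":
    for user, risk in risk_by_user(EVENTS).items():
        print(f"{user:6} score={risk['score']:3}  {'; '.join(risk['reasons'])}")
    print("alert on:", sorted(alerts(EVENTS)))
```

Run as a script, it prints alice at 95, carol at 75 and bob at 2, and opens cases only for alice and carol. The reasons list per user is the "which account, which device, which privilege" trail an analyst starts from; in a real deployment the weights would come from the risk-based alerting framework of the SIEM in use rather than constants in a script.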