Cloud Account Investigation Workbook: A Playbook for SOC Analysts

[Image: Cloud Account Investigation Workbook overview, /images/CloudAccountInvestigation/WorkbookOverview.png]

Introduction

Account compromise is one of the most common attack vectors today. Whether it’s Business Email Compromise (BEC), Adversary-in-the-Middle (AiTM) phishing, or token theft, SOC analysts need a fast, structured, and repeatable approach to investigate suspicious accounts.

The Cloud Account Investigation Workbook for Microsoft Sentinel delivers exactly that—a visual playbook for analysts. It consolidates identity, sign-in, audit, and Graph API data into one pane of glass, reducing investigation time and improving consistency.

This workbook was featured at KustoCon (demo starts at 19:35). Today, we’ll explore why this workbook matters, how it works, and why it’s more efficient than traditional investigation methods.


Why This Workbook Matters

Traditional investigations often involve:

  • Jumping between Entra ID, Microsoft 365, and Defender portals.
  • Running manual PowerShell scripts or ad-hoc KQL queries.
  • Inconsistent workflows across analysts.

This workbook changes the game:

  • Standardized approach: Analysts follow the same steps every time.
  • Visual dashboards: No need to memorize queries.
  • Efficiency: Investigations take minutes, not hours.
  • Flexibility: Works with Sentinel or standalone with Entra ID P1.

Licensing Requirements

Before deploying, ensure you have the right licenses:

  • Entra ID P1: Required for IdentityInfo and AAD risk events.
  • Microsoft 365 E5: Needed for Audit Logs (OfficeActivity).
  • Defender for Endpoint: Optional for device context.
  • Microsoft Sentinel: Optional for hosting the workbook (can also use Azure Monitor Workbooks).

Deep Dive into Workbook Sections

[Image: Workbook features, /images/CloudAccountInvestigation/Features.png]

1. User Summary

Displays account details, roles, and risk level.

// Latest IdentityInfo record for the user selected in the workbook parameter
let Parameter = "{UserPrincipalName}";
IdentityInfo
| where TimeGenerated > ago(30d)
// IdentityInfo is a snapshot table; keep only the newest record per account
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where AccountUPN =~ Parameter
// Flag accounts holding any Administrator role so the workbook can highlight them
| extend PrivilegedAccount = iff(AssignedRoles has "Administrator", "warning", "none")
| project PrivilegedAccount, AccountUPN, AccountDomain, Department, JobTitle, Manager, RiskLevel, RiskState, GroupMembership, AssignedRoles

2. Alerts & Risk Events

Pie charts for alert severity and user risk events.

// Alerts whose entities reference the user, grouped by severity for the pie chart
let Parameter = "{UserPrincipalName}";
SecurityAlert
| where Entities has Parameter
| summarize Total = count() by AlertSeverity

3. Sign-In Details

Filter by country, IP, risk level, and result type.

// Interactive sign-ins for the user; the workbook filters this grid by country, IP, risk level and result type
let Parameter = "{UserPrincipalName}";
SigninLogs
| where UserPrincipalName =~ Parameter
// ResultType "0" is a successful sign-in; other values are Entra ID error codes
| project TimeGenerated, AppDisplayName, IPAddress, RiskLevelDuringSignIn, ResultType

4. Audit Activities

Track persistence-related operations (e.g., adding service principals).

// Directory operations initiated by the user that are commonly used for persistence
AuditLogs
| where InitiatedBy has "{UserPrincipalName}"
// Member, device and service principal additions are the operations the section tracks
| where OperationName has_any (dynamic(['add member','add device','register device','add service principal']))
| project TimeGenerated, OperationName, Category, ResultDescription

5. Graph API Calls

Investigate suspicious API calls tied to a session.

// Graph API calls made within the session selected from the sign-in grid
let SessionIdInput = "{SessionId}";
MicrosoftGraphActivityLogs
| where SessionId =~ SessionIdInput
// Path looks like /v1.0/users/..., so the third segment is the top-level resource
| extend ParsedUri = tostring(parse_url(RequestUri).Path)
| extend GraphAPIResource = tostring(split(ParsedUri, "/")[2])
| project TimeGenerated, GraphAPIResource, RequestUri, ResponseStatusCode

Investigation Workflow Diagram

[Image: Investigation workflow, /images/CloudAccountInvestigation/InvestigationFlow.png]

Flow: UPN → Alerts → Risk Events → Sign-ins → Audit Activities → Graph API Calls
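The pivot from sign-ins to Graph API calls in the flow above can also be expressed as one query. This is an added example, not a query from the workbook: it assumes the SessionId column is populated in both SigninLogs and MicrosoftGraphActivityLogs, and it reuses the workbook's {UserPrincipalName} parameter.

```kql
// Added example (not part of the workbook): sessions that started with a risky or failed
// sign-in for the user, joined to the Graph API calls made in those same sessions.
let Parameter = "{UserPrincipalName}";
let Lookback = 14d;
let SuspectSessions =
    SigninLogs
    | where TimeGenerated > ago(Lookback)
    | where UserPrincipalName =~ Parameter
    // Medium/high sign-in risk, or any non-zero ResultType (failure or interrupt)
    | where RiskLevelDuringSignIn in~ ("medium", "high") or ResultType != "0"
    | where isnotempty(SessionId)
    | summarize FirstSeen = min(TimeGenerated),
                SignInIPs = make_set(IPAddress),
                SignInApps = make_set(AppDisplayName)
                by SessionId;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(Lookback)
| where isnotempty(SessionId)
| join kind=inner SuspectSessions on SessionId
// Same path parsing as the Graph API Calls section: /v1.0/<resource>/...
| extend GraphPath = tostring(parse_url(RequestUri).Path)
| extend GraphAPIResource = tostring(split(GraphPath, "/")[2])
| summarize Calls = count(),
            // Write methods are the ones that change data (mail rules, apps, members)
            WriteCalls = countif(RequestMethod in ("POST", "PATCH", "PUT", "DELETE")),
            FailedCalls = countif(ResponseStatusCode >= 400),
            Resources = make_set(GraphAPIResource),
            GraphIPs = make_set(IPAddress)
            by SessionId, FirstSeen, SignInIPs = tostring(SignInIPs), SignInApps = tostring(SignInApps)
| order by WriteCalls desc, Calls desc
```

A session whose Graph calls come from a different IP than its sign-in, or that issues many write calls shortly after a risky sign-in, is the pattern worth opening in the Graph API Calls section first.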


Comparison: Traditional vs Workbook Approach

Traditional Investigation              | Workbook Approach
---------------------------------------|----------------------
Manual PowerShell scripts              | Pre-built KQL queries
Portal hopping (Entra, M365, Defender) | Single pane of glass
Analyst-dependent workflow             | Standardized playbook
Hours of investigation                 | Minutes to triage

The workbook acts as a playbook for analysts. They don’t need deep KQL knowledge—the queries are embedded. This ensures consistency, speed, and accuracy across the SOC.


Practical Use Cases

  • BEC Investigation: Detect mailbox rule changes and suspicious sign-ins.
  • AiTM Response: Identify anomalous sign-ins and Graph API calls.
  • Privilege Escalation: Audit persistence events like adding service principals.
  • Token Abuse: Investigate Graph API calls tied to compromised sessions.
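The BEC use case depends on seeing mailbox rule changes, which live in OfficeActivity rather than the Entra tables the workbook sections above query. The query below is an added example, not part of the workbook: it assumes the Exchange Parameters field is the usual JSON array of Name/Value pairs and reuses the {UserPrincipalName} parameter.

```kql
// Added example (not part of the workbook): inbox rule and forwarding changes made by
// the user, with the cmdlet parameters flattened into one bag for quick review.
let Parameter = "{UserPrincipalName}";
OfficeActivity
| where TimeGenerated > ago(30d)
| where OfficeWorkload == "Exchange"
| where UserId =~ Parameter
// Cmdlets that create or alter rules, forwarding, or delegate access
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                       "Set-Mailbox", "Add-MailboxPermission")
// Parameters is a JSON string: [{"Name":"ForwardTo","Value":"..."}, ...]
| extend Params = parse_json(Parameters)
| mv-apply Param = Params on (
    summarize Settings = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
  )
// Settings typical of BEC: forwarding/redirecting mail or deleting it after the fact
| extend SuspiciousSetting = tostring(Settings) has_any (
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress", "DeleteMessage")
| project TimeGenerated, Operation, ClientIP, SuspiciousSetting, Settings
| order by SuspiciousSetting desc, TimeGenerated desc
```

Pair the ClientIP column with the Sign-In Details grid: a rule created from an IP that never appears in the user's successful interactive sign-ins is a strong indicator that the session was hijacked.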

Deployment Steps

  1. Download the workbook JSON from GitHub.
  2. Import into Microsoft Sentinel Workbooks or Azure Monitor Workbooks.
  3. Configure parameters (Workspace, Subscription, Timeframe, UserPrincipalName).
  4. Start investigating!

[Image: Deploy the workbook, /images/CloudAccountInvestigation/Deployment.png]



Conclusion

The Cloud Account Investigation Workbook is more than a dashboard—it’s a SOC playbook. It standardizes investigations, accelerates triage, and provides deep visibility into identity-related threats. Whether you use Sentinel or just Entra ID P1, this workbook is a must-have for modern incident response.

Questions? Reach out or explore more examples on KQLQuery.com.

Prompts:

I will post 3 example blogs. You do not need to take action yet.

Write a blog about the attached Sentinel Workbook (content.json). Write it in the same style as the previous uploaded blogs. Deliver the .md file for the blog including the SEO optimized hugo template. Add placeholders for images.

I have already discussed this Workbook at Kustocon: https://www.youtube.com/watch?v=VCdIrZXothw&list=PL9sQKc0RBCiCyBYMFRWGHhEMzwPS40bHs 19:35 - Demo: Cloud Investigation Workbook for user triage.

This workbook is great for account triage, incident response, BEC, account compromise, AiTM response etc.

Workbook Source: https://github.com/Bert-JanP/Sentinel-Automation/tree/main/Workbooks/Cloud%20Account%20Investigation

I want you to take more time to deliver it. Really think about the blog for a couple of minutes before you start drafting anything. The blog should be engaging, technical and should attract both Microsoft security folks as well as people that do not necessarily already use MS products. You can also deploy this without Sentinel, but you need an Entra ID P1 licence; also add the licences for the other functions there. Refer to other blogs on KQLquery.com if needed.

Sure, also do a comparison, and explain that this method is more efficient and engaging; it's basically a playbook for the analyst. The analyst does not need to know all the queries; it's also a standardized approach to incident investigation etc. Add a piece on how CA can prevent a lot of cloud compromises by implementing Device Compliance/Managed Device policies.