Microsoft Just Pulled the Rug Out From Under Your Detection Rules: The Entra ID Table Migration Crisis

Listen to this Post

Featured Image

Introduction:

Microsoft has officially promoted its critical Entra ID sign-in log tables from beta to general availability, triggering a mandatory but disruptive transition for security teams worldwide. The renaming of `AADSignInEventsBeta` and `AADSpnSignInEventsBeta` to `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` respectively represents a foundational shift in Microsoft’s identity telemetry strategy within Defender. This move, while signaling platform maturity, forces a sweeping update to all custom detection rules, hunting queries, and automation workflows, creating a significant operational overhead for SecOps professionals to avoid critical visibility gaps.

Learning Objectives:

  • Understand the scope of the table schema changes and their impact on existing KQL queries.
  • Learn how to systematically migrate and validate your custom detection rules and hunting queries.
  • Master advanced hunting techniques using the new tables to enhance your identity threat detection.

You Should Know:

1. The Core Schema Change and Immediate Impact

The primary change is a direct table rename within the Advanced Hunting schema. Queries targeting the old beta tables will now fail, breaking detection rules and dashboards. While the core data structure remains similar, this is a hard cutover.

// OLD QUERY (NOW BROKEN)
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == 50126

// NEW QUERY (UPDATED)
EntraIdSignInEvents
| where Timestamp > ago(1d)
| where ErrorCode == 50126

Step-by-step guide:

Immediately audit your Microsoft 365 Defender environment for all custom detection rules and saved queries. Use the “Detection rules” workspace to filter and identify any rules containing “AADSignInEventsBeta” or “AADSpnSignInEventsBeta”. For each identified rule, navigate to its query editor, perform a find-and-replace operation with the new table names, and save the updated rule. Failure to do this will result in those detections ceasing to generate alerts.

2. Validating Data Continuity and Log Ingestion

After updating your queries, you must verify that data is flowing correctly into the new tables and that your historical context is maintained. This ensures your detection coverage is restored.

// Check data volume in new tables over the last 24 hours
EntraIdSignInEvents
| where Timestamp > ago(24h)
| summarize EventCount = count() by bin(Timestamp, 1h)
| render timechart

// Cross-reference a specific session ID to verify data parity
let sampleSessionId = EntraIdSignInEvents | sample 1 | project SessionId;
AADSignInEventsBeta
| where SessionId == sampleSessionId
| join kind=inner EntraIdSignInEvents on SessionId
| project OldTable_Time=AADSignInEventsBeta_Timestamp, NewTable_Time=EntraIdSignInEvents_Timestamp, SessionId, AccountUpn

Step-by-step guide:

Run the first query to confirm a steady stream of events in the new `EntraIdSignInEvents` table. A flatline indicates a potential ingestion issue. Use the second, more advanced query to pick a specific session from the old beta table and find its counterpart in the new table, confirming that individual event records are being preserved across the migration.

3. Leveraging PowerShell for Bulk Detection Rule Updates

Manually updating dozens or hundreds of detection rules is inefficient. Use the Microsoft Graph PowerShell SDK to automate the finding and updating process.

 Connect to Microsoft Graph with required scopes
Connect-MgGraph -Scopes "SecurityEvents.ReadWrite.All"

Search for detection rules still using the old beta table name
$Rules = Get-MgSecurityDetectionRule -Filter "contains(Query,'AADSignInEventsBeta')"

Display the risky rules
$Rules | Format-Table DisplayName, Id, Enabled

Example of updating a single rule (execute with caution)
Update-MgSecurityDetectionRule -DetectionRuleId "YOUR_RULE_ID_HERE" -Query "REPLACED_KQL_QUERY_HERE"

Step-by-step guide:

First, install the `Microsoft.Graph` module using Install-Module Microsoft.Graph. Authenticate using Connect-MgGraph. The script above first lists all detection rules that contain the deprecated table name. Review this list carefully. To update a rule, use the `Update-MgSecurityDetectionRule` cmdlet, replacing the rule’s ID and its entire query string with the corrected version. Always test one non-critical rule first.

  1. Advanced Hunting for Service Principal Anomalies with the New Tables

The `EntraIdSpnSignInEvents` table is critical for detecting threats against non-human identities. Use the new table to hunt for suspicious service principal sign-ins, which are a prime target for attackers.

// Hunt for Service Principal sign-ins from unexpected locations
EntraIdSpnSignInEvents
| where Timestamp > ago(7d)
| extend Country = tostring(LocationDetails.country)
| join kind=inner (
EntraIdSpnSignInEvents
| where Timestamp between(ago(30d) .. ago(8d))
| summarize KnownCountries = make_set(tostring(LocationDetails.country)) by ServicePrincipalId
) on ServicePrincipalId
| where Country !in (KnownCountries)
| project Timestamp, ServicePrincipalName, Country, IPAddress, ResourceDisplayName, ErrorCode

Step-by-step guide:

This query establishes a baseline of “known countries” for each service principal over the last 30 days (excluding the most recent week). It then joins this baseline with recent sign-ins (last 7 days) to flag any that originate from a country not seen before for that specific service principal. Investigate any results by checking the service principal’s purpose and the resource it was accessing.

5. Hardening API Integrations and Logic Apps

As highlighted in the comments, automation workflows in tools like Logic Apps that use the Advanced Hunting API must be updated to reference the new table names to avoid runtime failures.

 Example cURL command to query the new table via the API
curl -X GET "https://api.securitycenter.microsoft.com/api/advancedhunting/export?query=EntraIdSignInEvents" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
--output entra_events.json

Step-by-step guide:

Locate all Logic Apps, Power Automate flows, or custom scripts that call the Advanced Hunting API. Open the action or code section where the KQL query is defined. Systematically replace any instance of `AADSignInEventsBeta` with `EntraIdSignInEvents` and `AADSpnSignInEventsBeta` with EntraIdSpnSignInEvents. Test the updated workflow with a simple query to confirm it executes successfully and returns data.

6. Building a Proactive Table Schema Monitoring Query

Prevent future disruption by creating a hunting query that alerts you to schema changes or the introduction of new tables in your environment.

// Monitor for new tables appearing in the Advanced Hunting schema
union withsource=TableName 
| where Timestamp > ago(1d)
| summarize by TableName
| sort by TableName asc

Step-by-step guide:

Schedule this query as a weekly hunting query. It uses the `union` operator to list all table names that have contained data in the last day. By running it regularly and reviewing the output, you can spot newly introduced tables (e.g., perhaps `IdentityLogonEvents` as hinted by a commenter) early, allowing you to explore them and adapt your strategies before official announcements force your hand.

7. Creating a Comprehensive Identity Monitoring Dashboard

Consolidate your visibility by building a new dashboard in Azure Workbook or your SIEM that leverages the now-GA tables for a unified view of identity threats.

// KQL for an identity overview dashboard widget: Failed Sign-Ins by Application
EntraIdSignInEvents
| where Timestamp > ago(24h)
| where ErrorCode != 0
| summarize FailedAttempts = count() by Application
| top 10 by FailedAttempts desc

Step-by-step guide:

In your dashboard tool of choice, create a new query-based widget. Use the query above to track top applications with failed sign-ins. Create additional widgets using `EntraIdSignInEvents` for data like successful logons by country, risky user sign-ins, and `EntraIdSpnSignInEvents` for service principal authentication errors. This moves you from a reactive migration posture to a proactive, consolidated monitoring stance.

What Undercode Say:

  • Backward Compatibility is a Luxury, Not a Guarantee: This event is a stark reminder that in cloud-native ecosystems, foundational schema changes can and will happen without backward-compatible grace periods. Operational resilience depends on treating detection-as-code, with formal version control and CI/CD pipelines for rule management.
  • The Identity Frontier is the New Battlefield: Microsoft’s investment in refining these tables underscores the critical importance of identity telemetry in modern XDR. The consolidation and formalization of these signals provide a richer, more reliable foundation for detecting sophisticated attacks like Golden SAML and token theft that bypass traditional network controls.

The migration, while painful, is a net positive. It forces organizations to review and often improve their often-neglected detection rule estate. The beta labels created a psychological barrier for production use; their removal legitimizes these tables as primary data sources. The real crisis isn’t the rename itself, but the exposure of fragile, manually-managed SecOps processes that cannot gracefully absorb a predictable platform evolution. This is a drill for a much larger, inevitable scenario where a zero-day forces a similar rapid, enterprise-wide detection update.

Prediction:

This table migration is a precursor to a more profound integration of identity and security signals within the Microsoft ecosystem. We predict that within 12-18 months, Microsoft will fully deprecate the legacy `SigninLogs` table in Azure Diagnostic Settings in favor of the richer `EntraIdSignInEvents` schema within Defender, completing the consolidation of identity telemetry into its XDR platform. Furthermore, the emergence of hinted-at tables like `IdentityLogonEvents` points to an upcoming deeper introspection into on-premises Active Directory authentication events, bridging the final visibility gap for hybrid identity models and creating a truly unified identity threat hunting plane. Security teams that successfully navigate this current transition will be best positioned to leverage these future capabilities.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Fabianbader Mde – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky