Interactive Sign-In Logs: One of the Most Important Artifacts in Modern DFIR

A practical look at why interactive sign-in logs matter, what they represent, and how authentication telemetry helps investigators reconstruct modern cloud and identity-based attacks.

Traditional digital forensics and incident response has historically focused heavily on endpoints, malware, memory artifacts, and email evidence. Those areas still matter. They are not going away.

But modern investigations increasingly revolve around something else entirely: identity.

In many Microsoft 365 and cloud-centric investigations, one of the most valuable sources of evidence available to investigators is interactive sign-in telemetry.

Unfortunately, it is also one of the most misunderstood.

What Interactive Sign-In Logs Actually Represent

Interactive sign-in logs generally represent authentication attempts involving direct user interaction. These events are commonly associated with activities such as:

  • Browser-based authentication
  • User credential submission
  • MFA prompts and approvals
  • Interactive application access
  • Token issuance following successful authentication
  • Human-driven access attempts into cloud resources

In simple terms, these logs often represent moments where a person, legitimate or malicious, actively attempted to access an environment.

This differs significantly from non-interactive sign-ins, which are commonly tied to background token refreshes, service-to-service authentication, silent authentication flows, and automated application activity.

Understanding this distinction is critical during investigations because interactive sign-ins frequently provide the clearest visibility into attacker behavior and access patterns.

Why Interactive Sign-In Logs Matter

Modern threat actors increasingly operate without deploying traditional malware. Instead, they abuse legitimate authentication mechanisms using stolen credentials, session cookies, refresh tokens, OAuth abuse, MFA fatigue, password spraying, and adversary-in-the-middle phishing frameworks.

In many cases, there may never be malware recovered from the endpoint at all.

The attacker simply logs in.

This is precisely why interactive sign-in telemetry has become so important. These logs can reveal:

  • Initial access attempts
  • Suspicious geographic activity
  • Use of anonymization infrastructure
  • Authentication failures followed by success
  • MFA challenges and bypass attempts
  • Access from hosting providers or VPN services
  • New or unusual client applications
  • Sign-in behavior inconsistent with established user patterns

Interactive sign-ins often represent the closest thing investigators have to observing attacker decision-making in real time.

The Importance of Context

One of the biggest mistakes investigators make is treating authentication logs as isolated events rather than behavioral evidence.

A single successful login rarely tells the full story.

The true investigative value comes from correlation and reconstruction. Investigators should be asking questions such as:

  • What occurred before the successful login?
  • Were there repeated authentication failures?
  • Was the source infrastructure previously unseen for the user?
  • Did the sign-in originate from a hosting provider, VPN, proxy, or unusual ASN?
  • Was MFA satisfied legitimately?
  • Did additional suspicious activity follow shortly afterward?

When viewed chronologically and correlated properly, interactive sign-in logs can help investigators reconstruct entire attack chains.

Key Data Points Investigators Should Review

Several fields within interactive sign-in telemetry can provide valuable investigative context, including:

  • Source IP address
  • ASN and ISP information
  • Geographic location
  • Client application
  • Device details
  • User agent strings
  • Authentication requirement details
  • MFA result status
  • Conditional Access outcomes
  • Risk indicators
  • Session correlation identifiers
  • Result codes and failure reasons

Individually, these artifacts may appear insignificant. Together, they often provide critical insight into adversary behavior.

Common Investigative Mistakes

Interactive sign-in telemetry is powerful, but only when analyzed correctly. Some of the most common issues observed during investigations include:

  • Assuming successful logins are legitimate
  • Ignoring low-volume password spraying activity
  • Failing to identify hosting provider infrastructure
  • Overlooking legacy authentication usage
  • Reviewing logs in isolation without timeline correlation
  • Relying solely on mailbox artifacts during BEC investigations
  • Treating authentication telemetry as “just logs”

Authentication telemetry is behavioral evidence.

Properly analyzed, it can provide insight not only into access, but into attacker methodology, infrastructure, operational patterns, and progression through an environment.
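The questions listed under "The Importance of Context" (failures before a success, infrastructure previously unseen for the user, whether MFA was actually satisfied) and the "low-volume password spraying" item above both describe correlations that are easy to miss in a flat export and easy to express as code. The script below is an added example written for this post, not code from the original; it runs the four checks over a small set of constructed sign-in records. The field names (time, user, ip, asn, result, mfa), the ASN labels, the IP addresses and the thresholds are all assumptions chosen for illustration and would need to be mapped onto the columns of a real tenant export.

```python
"""Timeline-correlation checks over interactive sign-in records.

Added example, not from the original post. The records below are
constructed, and the field names (time, user, ip, asn, result, mfa)
are assumed stand-ins for whatever schema your sign-in export uses.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def rec(time, user, ip, asn, result, mfa="not required"):
    """Build one constructed sign-in record with a parsed UTC timestamp."""
    return {"time": datetime.fromisoformat(time.replace("Z", "+00:00")),
            "user": user, "ip": ip, "asn": asn, "result": result, "mfa": mfa}


HOSTING = "AS64500 ExampleHost"   # constructed hosting-provider ASN
HOME = "AS64496 ExampleISP"       # constructed residential ISP ASN
CUTOFF = datetime(2026, 5, 1, tzinfo=timezone.utc)  # baseline ends here

# Constructed sample: normal activity, then a burst of failures from hosting
# infrastructure followed by a success, plus a slow spray across accounts.
SIGNINS = [
    rec("2026-04-27T08:01:00Z", "alice", "203.0.113.10", HOME, "success", "satisfied"),
    rec("2026-04-28T08:03:00Z", "alice", "203.0.113.10", HOME, "success", "satisfied"),
    rec("2026-04-28T09:10:00Z", "bob",   "203.0.113.44", HOME, "success", "satisfied"),
    # four failures, then a success with MFA not satisfied, from an ASN alice never used
    rec("2026-05-03T09:00:00Z", "alice", "198.51.100.7", HOSTING, "failure"),
    rec("2026-05-03T09:02:00Z", "alice", "198.51.100.7", HOSTING, "failure"),
    rec("2026-05-03T09:05:00Z", "alice", "198.51.100.7", HOSTING, "failure"),
    rec("2026-05-03T09:07:00Z", "alice", "198.51.100.7", HOSTING, "failure"),
    rec("2026-05-03T09:09:00Z", "alice", "198.51.100.7", HOSTING, "success", "none"),
    # low-volume spray: one source IP, one failure per account, spread over hours
    rec("2026-05-03T10:00:00Z", "bob",   "198.51.100.22", HOSTING, "failure"),
    rec("2026-05-03T10:30:00Z", "carol", "198.51.100.22", HOSTING, "failure"),
    rec("2026-05-03T11:00:00Z", "dave",  "198.51.100.22", HOSTING, "failure"),
    rec("2026-05-03T11:30:00Z", "erin",  "198.51.100.22", HOSTING, "failure"),
    rec("2026-05-03T12:00:00Z", "frank", "198.51.100.22", HOSTING, "failure"),
    # bob mistypes his password once from home: should not be flagged
    rec("2026-05-03T13:00:00Z", "bob",   "203.0.113.44", HOME, "failure"),
    rec("2026-05-03T13:01:00Z", "bob",   "203.0.113.44", HOME, "success", "satisfied"),
]


def failures_then_success(records, window=timedelta(minutes=30), min_failures=3):
    """Per user: a success preceded by at least min_failures failures within window."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_user[r["user"]].append(r)
    findings = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["result"] != "success":
                continue
            recent = [e for e in events[:i]
                      if e["result"] == "failure" and ev["time"] - e["time"] <= window]
            if len(recent) >= min_failures:
                findings.append({"user": user, "time": ev["time"],
                                 "failures": len(recent), "ip": ev["ip"]})
    return findings


def new_asn_for_user(records, cutoff):
    """Successful sign-ins on/after cutoff from an ASN the user never used before it."""
    baseline = defaultdict(set)
    for r in records:
        if r["time"] < cutoff:
            baseline[r["user"]].add(r["asn"])
    hits = {(r["user"], r["asn"]) for r in records
            if r["time"] >= cutoff and r["result"] == "success"
            and r["asn"] not in baseline[r["user"]]}
    return sorted(hits)


def success_without_mfa(records):
    """Successes where MFA was not satisfied: each one needs an explanation."""
    return [r for r in records if r["result"] == "success" and r["mfa"] != "satisfied"]


def low_volume_spray(records, min_users=5, max_per_user=2):
    """Source IPs failing against many distinct accounts with few attempts each."""
    attempts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["result"] == "failure":
            attempts[r["ip"]][r["user"]] += 1
    return [{"ip": ip, "accounts": sorted(users)}
            for ip, users in attempts.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user]


def investigate(records, cutoff):
    """Run every check and return the findings together, ready for a timeline."""
    return {
        "failures_then_success": failures_then_success(records),
        "new_asn": new_asn_for_user(records, cutoff),
        "success_without_mfa": success_without_mfa(records),
        "low_volume_spray": low_volume_spray(records),
    }


if __name__ == "__main__":
    for check, hits in investigate(SIGNINS, CUTOFF).items():
        print(f"{check}: {hits}")
```

Each check on its own produces a modest signal; the point of running them together over the same sorted records is that the alice events line up in time (new ASN, failures, then a success without MFA) while bob's single mistyped password from his usual ISP is not flagged by any of them. The spray check deliberately looks at distinct accounts per source rather than attempts per account, which is what makes one-guess-per-user activity visible.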

The Shift Toward Identity-Centric DFIR

As organizations continue moving toward cloud-first architectures, identity has become one of the primary attack surfaces in modern environments.

This shift fundamentally changes how investigations must be conducted.

Traditional endpoint forensics still matters. Email analysis still matters. Memory analysis still matters.

But increasingly, the investigation starts with identity telemetry.

Interactive sign-in logs provide investigators with visibility into how access was attempted, established, and maintained within cloud environments. In many modern incidents, they represent one of the most important forensic artifacts available.

Understanding how to interpret that telemetry, and how to reconstruct attacker behavior from it, is rapidly becoming a core DFIR skillset.

From Authentication Telemetry to Investigative Findings

Interactive sign-in logs should not be reviewed as a flat spreadsheet of login events. They should be analyzed as a behavioral timeline.

The value is not simply in knowing that a sign-in occurred. The value is in understanding what that sign-in represents, how it fits into the surrounding activity, and whether it aligns with expected user behavior.

That is the difference between log review and forensic reconstruction.

- Steve Rorabaugh, May 6, 2026