SOC investigation playbook for Microsoft Sentinel Impossible-Travel detections. Drives a single agent through context enrichment, evaluation of 10 risk factors (location, authentication, token, brute force, MFA abuse, post-login activity, OAuth abuse, mailbox manipulation, high-privilege user, disabled-account sign-in), risk scoring, and a PACO final verdict with action plan. Use this skill whenever the user mentions impossible travel, account compromise, suspicious sign-in, Sentinel detection, SOC investigation, Entra ID risky sign-in, a NormalizedDetection payload, an account takeover scenario, or asks "is this user compromised?" — even if they don't explicitly say "skill".
2026-05-25