Managed Sentinel – Alert 002

Alert IDMS-A002
Alert NameAnomalous Azure Active Directory apps based on authentication location
DescriptionThis query over Azure AD sign-in activity highlights Azure AD apps with an unusually high ratio of distinct geolocations versus total number of authentications.

Source: Github - Microsoft
Severity LevelLow
Threat IndicatorUnauthorized Access
MITRE ATT&CK TacticsInitial Access
Log sourcesAzure Signin Logs
RecommendationsReview the LocationString, Identity and AppDisplayName fields and validate if these are within the normal parameters in your organization. Look for users accessing different applications within a short timeframe from various locations.

If any abnormal behavior is identified, immediately disable the affected user accounts in Azure AD.