Anomalous sign-in location by user account and authenticated applications
This query over Azure Active Directory sign-in logs considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application.
Source: GitHub - Microsoft
Data source: Azure Signin Logs
The alert will return a LocationString, Identity and AppDisplayName outlier within a predefined timeframe. Review and validate whether the user account is allowed to access this application within the reported parameters.
If any abnormal behavior is identified, immediately disable the respective user account in Azure AD.
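The following is an added example, not the Microsoft query from the GitHub source, showing one way to implement the per-user, per-application location-profile comparison the description above talks about and to produce the Identity, AppDisplayName and LocationString triple an analyst would triage. It assumes a learning window (14 days) followed by a recent window (1 day), scores each recent sign-in from a location never seen in the baseline, and weights that score by how well established the baseline is so that a brand-new account with no history does not outrank an account with a long, stable profile. The sign-in records, the window sizes and the scoring formula are all constructed for this example and are not taken from the original hunting query.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Azure AD sign-in records: the column names mimic
# SigninLogs (TimeGenerated, Identity, AppDisplayName, LocationString) but
# every value is made up for this example.
SIGNINS = [
    # alice: an established baseline in Seattle for the Office 365 app
    *[{"TimeGenerated": f"2024-03-{d:02d}T08:00:00", "Identity": "alice",
       "AppDisplayName": "Office 365", "LocationString": "US/WA/Seattle"}
      for d in range(1, 11)],
    # alice, recent window: one sign-in from a never-seen location, one from baseline
    {"TimeGenerated": "2024-03-15T03:00:00", "Identity": "alice",
     "AppDisplayName": "Office 365", "LocationString": "NG/LA/Lagos"},
    {"TimeGenerated": "2024-03-15T09:00:00", "Identity": "alice",
     "AppDisplayName": "Office 365", "LocationString": "US/WA/Seattle"},
    # bob: VPN app with a short London baseline and one recent sign-in from Paris
    *[{"TimeGenerated": f"2024-03-{d:02d}T10:00:00", "Identity": "bob",
       "AppDisplayName": "Corp VPN", "LocationString": "GB/ENG/London"}
      for d in (5, 6, 7)],
    {"TimeGenerated": "2024-03-14T22:00:00", "Identity": "bob",
     "AppDisplayName": "Corp VPN", "LocationString": "FR/IDF/Paris"},
    {"TimeGenerated": "2024-03-15T08:00:00", "Identity": "bob",
     "AppDisplayName": "Corp VPN", "LocationString": "GB/ENG/London"},
    # carol: a brand-new account with no baseline at all
    {"TimeGenerated": "2024-03-15T07:00:00", "Identity": "carol",
     "AppDisplayName": "Office 365", "LocationString": "DE/BE/Berlin"},
]

# Fixed "now" so the example is reproducible (assumption for this example).
NOW = datetime(2024, 3, 15, 12, 0, 0)


def anomalous_location_changes(events, now, lookback_days=14, recent_days=1):
    """Return rows describing recent sign-ins from locations a user has never
    used with a given application, ranked by anomaly score (highest first)."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=lookback_days)

    # (Identity, AppDisplayName) -> Counter of LocationString
    baseline = defaultdict(Counter)
    recent = defaultdict(Counter)
    for e in events:
        ts = datetime.fromisoformat(e["TimeGenerated"])
        key = (e["Identity"], e["AppDisplayName"])
        if recent_start <= ts <= now:
            recent[key][e["LocationString"]] += 1
        elif baseline_start <= ts < recent_start:
            baseline[key][e["LocationString"]] += 1

    results = []
    for key, recent_locs in recent.items():
        known = baseline.get(key, Counter())
        baseline_total = sum(known.values())
        recent_total = sum(recent_locs.values())
        for loc, n in recent_locs.items():
            if loc in known:
                continue  # location already part of this user/app profile
            # Fraction of recent activity from the unseen location, weighted by
            # how established the baseline is; log1p(0) == 0, so an account with
            # no history at all scores 0 rather than looking like a compromise.
            score = (n / recent_total) * math.log1p(baseline_total)
            results.append({"Identity": key[0], "AppDisplayName": key[1],
                            "LocationString": loc, "Score": round(score, 3)})

    results.sort(key=lambda r: r["Score"], reverse=True)
    return results


def top_outlier(events, now, **kwargs):
    """The single most anomalous user/app/location change, or None."""
    rows = anomalous_location_changes(events, now, **kwargs)
    return rows[0] if rows else None


if __name__ == "__main__":
    for row in anomalous_location_changes(SIGNINS, NOW):
        print(row)
```

Run as-is, the script ranks alice's Office 365 sign-in from Lagos first, bob's VPN sign-in from Paris second, and carol's Berlin sign-in last with a score of 0. The analyst then validates the top row as the page describes: is that identity expected to use that application from that location within the window? Tuning the window lengths and the weighting is what separates a useful hunt from a noisy one; a longer baseline suppresses false positives for travelling staff, while a short one catches profile changes faster.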