Managed Sentinel – Alert 003

Alert ID: MS-A003
Alert Name: Anomalous sign-in location by user account and authenticated applications
Description: This query over Azure Active Directory sign-in logs considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application vector.
Source: Github - Microsoft
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Initial Access
Log sources: Azure Signin Logs
Recommendations: The alert will return a LocationString, Identity and AppDisplayName outlier within a predefined timeframe. Review and validate whether the user account is allowed to access this application within the reported parameters.

If any abnormal behavior is identified, immediately disable the respective user account in Azure AD.
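The following Python script is an added illustration of the detection logic the description outlines; it is not the Microsoft or Managed Sentinel KQL query and is not part of this alert record. It assumes record fields that mirror the Azure AD SigninLogs table (TimeGenerated, UserPrincipalName, AppDisplayName, Location), a constructed set of sign-ins, and a constructed analysis time. For every user and application pair it builds a location baseline from the prior two weeks, flags locations seen in the last day that never appeared in that baseline, and scores them so that a narrow, stable profile suddenly appearing somewhere new ranks above a frequent traveller. It also handles the case the query must avoid: a user with no baseline at all for an application, where every location would look new.

```python
"""Rank (user, application) pairs by anomalous change in sign-in location.

Added example, not the Microsoft/Managed Sentinel query. Field names are
assumed to mirror the Azure AD SigninLogs table; all records and the
analysis time below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AS_OF = datetime(2024, 5, 15, 12, 0, 0)  # constructed analysis time

EXCHANGE = "Office 365 Exchange Online"
TEAMS = "Microsoft Teams"
SHAREPOINT = "Office 365 SharePoint Online"


def _rec(day, user, app, location):
    """Constructed SigninLogs-style record timestamped 12 hours into the
    day `day` days before AS_OF (day=1 falls inside the last 24 hours)."""
    return {"TimeGenerated": AS_OF - timedelta(hours=24 * day - 12),
            "UserPrincipalName": user,
            "AppDisplayName": app,
            "Location": location}


SAMPLE_SIGNINS = (
    # alice: two weeks of Exchange sign-ins from one city, new country yesterday
    [_rec(d, "alice@example.com", EXCHANGE, "Seattle, WA, US") for d in range(2, 15)]
    + [_rec(1, "alice@example.com", EXCHANGE, "Lagos, NG")]
    # bob: rotates between three cities on Teams, so a fourth is less surprising
    + [_rec(d, "bob@example.com", TEAMS, city)
       for d, city in zip(range(2, 14), ["London, GB", "Paris, FR", "Berlin, DE"] * 4)]
    + [_rec(1, "bob@example.com", TEAMS, "Madrid, ES")]
    # carol: stable profile, nothing new in the last day
    + [_rec(d, "carol@example.com", EXCHANGE, "Seattle, WA, US") for d in range(1, 15)]
    # dave: first ever sign-in to SharePoint, so there is no baseline to judge against
    + [_rec(1, "dave@example.com", SHAREPOINT, "Paris, FR")]
)


def location_outliers(signins, as_of, lookback_days=14, window_days=1, min_baseline=3):
    """Return one row per (user, app) whose recent window contains locations
    absent from its baseline, scored by how narrow that baseline was.

    score = new distinct locations / (baseline distinct locations + 1)
    Pairs with fewer than `min_baseline` baseline sign-ins are skipped:
    without a profile every location would be "new" and the row would be noise.
    """
    baseline_start = as_of - timedelta(days=lookback_days)
    window_start = as_of - timedelta(days=window_days)
    baseline_locs = defaultdict(set)
    baseline_count = defaultdict(int)
    recent_locs = defaultdict(set)

    for rec in signins:
        ts = rec["TimeGenerated"]
        if ts < baseline_start or ts > as_of:
            continue  # outside the predefined timeframe
        key = (rec["UserPrincipalName"], rec["AppDisplayName"])
        if ts < window_start:
            baseline_locs[key].add(rec["Location"])
            baseline_count[key] += 1
        else:
            recent_locs[key].add(rec["Location"])

    rows = []
    for key, recent in recent_locs.items():
        if baseline_count[key] < min_baseline:
            continue
        new_locs = recent - baseline_locs[key]
        if not new_locs:
            continue
        score = len(new_locs) / (len(baseline_locs[key]) + 1)
        rows.append({"Identity": key[0],
                     "AppDisplayName": key[1],
                     "LocationString": ", ".join(sorted(new_locs)),
                     "AnomalyScore": round(score, 3)})
    rows.sort(key=lambda r: r["AnomalyScore"], reverse=True)
    return rows


def top_outlier(signins, as_of):
    """The single most anomalous (Identity, AppDisplayName, LocationString) row."""
    rows = location_outliers(signins, as_of)
    return rows[0] if rows else None


if __name__ == "__main__":
    for row in location_outliers(SAMPLE_SIGNINS, AS_OF):
        print(row)
```

Run as a script it lists alice (Exchange, Lagos, score 0.5) above bob (Teams, Madrid, score 0.25); carol produces no row because her recent location is already in her baseline, and dave is dropped by the minimum-baseline guard. The top row is the LocationString, Identity and AppDisplayName triple an analyst would then validate against the user's expected access, as the Recommendations describe.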