Anomalous sign-in location by user Account and authenticating application - with sign-in details
This query over Azure Active Directory sign-in logs considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for a compromised user account via a specific application.
Source: GitHub - Microsoft
MITRE ATT&CK Tactics
Azure AD SignIn Logs
The alert will return a LocationString, Identity and AppDisplayName outlier within a predefined timeframe. Review and validate whether the user account is allowed to access this application from the reported location within the reported timeframe.
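The following is an added Python example, not Microsoft's hunting query, that mirrors the logic the description gives: per user account and application, build a baseline location profile over a lookback window, compare the sign-ins in the recent window against it, and return the most anomalous (Identity, AppDisplayName, LocationString) combination. The anomaly score used here (the share of recent sign-ins coming from locations absent from the baseline profile), the window lengths, and the sample sign-in records are all assumptions of this example; the column names are modelled on the Azure AD SigninLogs table.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Azure AD SigninLogs rows (not real data).
SIGNIN_LOGS = [
    # alice: established Seattle baseline for Exchange Online, then sign-ins from Lagos
    {"TimeGenerated": "2024-02-10T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Paris", "State": "Ile-de-France", "Country": "FR"},
    {"TimeGenerated": "2024-03-02T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Seattle", "State": "Washington", "Country": "US"},
    {"TimeGenerated": "2024-03-05T08:10:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Seattle", "State": "Washington", "Country": "US"},
    {"TimeGenerated": "2024-03-08T07:55:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Seattle", "State": "Washington", "Country": "US"},
    {"TimeGenerated": "2024-03-11T08:05:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Seattle", "State": "Washington", "Country": "US"},
    {"TimeGenerated": "2024-03-14T09:00:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Lagos", "State": "Lagos", "Country": "NG"},
    {"TimeGenerated": "2024-03-14T13:00:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Lagos", "State": "Lagos", "Country": "NG"},
    {"TimeGenerated": "2024-03-14T17:00:00Z", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Office 365 Exchange Online", "City": "Seattle", "State": "Washington", "Country": "US"},
    # bob: consistent New York profile for the Azure Portal
    {"TimeGenerated": "2024-03-03T10:00:00Z", "UserPrincipalName": "bob@example.com",
     "AppDisplayName": "Azure Portal", "City": "New York", "State": "New York", "Country": "US"},
    {"TimeGenerated": "2024-03-06T10:30:00Z", "UserPrincipalName": "bob@example.com",
     "AppDisplayName": "Azure Portal", "City": "New York", "State": "New York", "Country": "US"},
    {"TimeGenerated": "2024-03-14T10:15:00Z", "UserPrincipalName": "bob@example.com",
     "AppDisplayName": "Azure Portal", "City": "New York", "State": "New York", "Country": "US"},
    # carol: first-ever sign-in to Teams in the recent window, so no baseline to compare against
    {"TimeGenerated": "2024-03-14T12:00:00Z", "UserPrincipalName": "carol@example.com",
     "AppDisplayName": "Microsoft Teams", "City": "Berlin", "State": "Berlin", "Country": "DE"},
]


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def location_string(rec):
    """Build the City,State,Country string reported as LocationString."""
    return ",".join(part for part in (rec["City"], rec["State"], rec["Country"]) if part)


def location_outliers(records, end_time, lookback_days=14, recent_days=1, min_baseline=1):
    """Score every (user, app) pair by how far its recent sign-in locations
    depart from the baseline location profile, highest score first.

    Score (assumed definition): fraction of recent sign-ins whose location never
    appears in the baseline window. Pairs without enough baseline sign-ins are skipped.
    """
    end = parse_time(end_time)
    recent_start = end - timedelta(days=recent_days)
    baseline_start = end - timedelta(days=lookback_days)

    baseline = defaultdict(Counter)  # (user, app) -> Counter of locations
    recent = defaultdict(Counter)
    for rec in records:
        t = parse_time(rec["TimeGenerated"])
        if t < baseline_start or t > end:
            continue  # outside the predefined timeframe
        key = (rec["UserPrincipalName"], rec["AppDisplayName"])
        bucket = recent if t >= recent_start else baseline
        bucket[key][location_string(rec)] += 1

    results = []
    for key, recent_locs in recent.items():
        base = baseline.get(key, Counter())
        baseline_total = sum(base.values())
        if baseline_total < min_baseline:
            continue  # no profile to deviate from; a separate "new app" hunt would cover this
        recent_total = sum(recent_locs.values())
        unseen = sum(n for loc, n in recent_locs.items() if base[loc] == 0)
        results.append({
            "Identity": key[0],
            "AppDisplayName": key[1],
            "LocationString": sorted(recent_locs),
            "NewLocations": sorted(loc for loc in recent_locs if base[loc] == 0),
            "BaselineSignIns": baseline_total,
            "RecentSignIns": recent_total,
            "Score": unseen / recent_total,
        })
    results.sort(key=lambda r: (r["Score"], r["RecentSignIns"]), reverse=True)
    return results


def most_anomalous(records, end_time, **kwargs):
    """Return the single most anomalous (Identity, AppDisplayName) outlier, or None."""
    ranked = location_outliers(records, end_time, **kwargs)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for row in location_outliers(SIGNIN_LOGS, "2024-03-15T00:00:00Z"):
        print(f'{row["Identity"]:20} {row["AppDisplayName"]:28} score={row["Score"]:.2f} new={row["NewLocations"]}')
```

Run against the constructed records, alice's Exchange Online sign-ins score highest because two of her three recent sign-ins come from a location absent from her 14-day profile, while bob's Azure Portal activity scores zero; the analyst then validates whether alice is allowed to use that application from the reported location within that timeframe. The Paris record from February falls outside the lookback window and does not influence the profile, and carol's first-ever Teams sign-in is skipped because there is no baseline to compare against.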