Managed Sentinel – Alert 004

Alert ID: MS-A004
Alert Name: Anomalous sign-in location by user account and authenticating application - with sign-in details
Description: This query over Azure Active Directory sign-in logs considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for a compromised user account via a specific application vector.
Source: GitHub - Microsoft
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Initial Access
Log sources: Azure AD SignIn Logs
Recommendations: The alert returns a LocationString, Identity and AppDisplayName outlier within a predefined timeframe. Review and validate whether the user account is allowed to access this application within the reported parameters.
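As an added illustration (not Microsoft's hunting query or the Managed Sentinel rule itself), the following Python sketches the detection logic the description outlines over constructed sign-in records: for each user and application it compares the recent location mix against a baseline window and reports, per application, the user whose profile shifted most, with the location driving the shift as the LocationString. The window sizes, the distance measure and the sample records are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (not real telemetry); fields mirror Identity, AppDisplayName, Location, TimeGenerated.
SAMPLE_SIGNINS = [
    ("alice@example.com", "Exchange Online", "Seattle/WA/US", "2024-03-01T08:00:00"),
    ("alice@example.com", "Exchange Online", "Seattle/WA/US", "2024-03-13T08:05:00"),
    ("alice@example.com", "Exchange Online", "Lagos/LA/NG", "2024-03-14T02:40:00"),
    ("alice@example.com", "Exchange Online", "Lagos/LA/NG", "2024-03-14T03:12:00"),
    ("bob@example.com", "Exchange Online", "Austin/TX/US", "2024-03-02T10:00:00"),
    ("bob@example.com", "Exchange Online", "Austin/TX/US", "2024-03-14T09:00:00"),
    ("bob@example.com", "Exchange Online", "Dallas/TX/US", "2024-03-14T10:00:00"),
    ("bob@example.com", "SharePoint Online", "Austin/TX/US", "2024-03-04T11:00:00"),
    ("bob@example.com", "SharePoint Online", "Austin/TX/US", "2024-03-14T11:00:00"),
]

def location_profiles(signins, now_iso, recent_days=1, baseline_days=14):
    """Per (user, app): location counts in the baseline window and in the recent window (assumed sizes)."""
    now = datetime.fromisoformat(now_iso)
    recent_start, baseline_start = now - timedelta(days=recent_days), now - timedelta(days=baseline_days)
    profiles = defaultdict(lambda: (Counter(), Counter()))
    for user, app, location, ts in signins:
        when = datetime.fromisoformat(ts)
        if baseline_start <= when <= now:
            baseline, recent = profiles[(user, app)]
            (recent if when >= recent_start else baseline)[location] += 1
    return profiles

def share(counter, location):
    total = sum(counter.values())
    return counter[location] / total if total else 0.0

def score_profiles(profiles):
    """Total variation distance between baseline and recent location mix, plus the location whose share grew most."""
    rows = []
    for (user, app), (baseline, recent) in profiles.items():
        if not baseline or not recent:
            continue  # nothing to compare: new user/app pair or no recent activity
        locations = set(baseline) | set(recent)
        distance = 0.5 * sum(abs(share(recent, l) - share(baseline, l)) for l in locations)
        driver = max(locations, key=lambda l: share(recent, l) - share(baseline, l))
        rows.append({"AppDisplayName": app, "Identity": user,
                     "LocationString": driver, "Score": round(distance, 3)})
    return rows

def top_outlier_per_app(signins, now_iso):
    """One row per application: the user whose location profile shifted the most."""
    best = {}
    for row in score_profiles(location_profiles(signins, now_iso)):
        app = row["AppDisplayName"]
        if app not in best or row["Score"] > best[app]["Score"]:
            best[app] = row
    return best
```

A score of 1.0 means every recent sign-in came from locations absent from the baseline, which is the case the Recommendations ask an analyst to validate against the user's expected access to that application.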