Managed Sentinel – Alert 006

Alert ID: MS-A006
Alert Name: Azure AD sign-in bursts from multiple locations
Description: This query over Azure Active Directory sign-in activity highlights accounts with multiple authentications from different geographical locations within a short time interval, a pattern that commonly indicates a compromised credential or stolen session being used alongside the legitimate user.
Source: GitHub - Microsoft
Severity Level: Informational
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Initial Access
Log sources: Azure AD sign-in logs (SigninLogs)
False Positives: VPN or proxy access, where a user's sign-ins appear to originate from the VPN provider's egress location rather than their own; users who legitimately roam between locations inside the detection window.
Recommendations: Confirm the sign-ins with the user. If any are not legitimate, change the Azure AD user account password, revoke the account's active sessions and refresh tokens, and review other activity from the unexpected location.
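The following is an added worked example of the detection logic this alert describes, written for this page; it is not the Microsoft Sentinel KQL query the alert is built on. It runs the same idea (group sign-ins by user, look for more than one country inside a sliding window) over constructed SigninLogs-shaped records, counts only successful sign-ins, and shows how a hypothetical allowlist of known VPN egress addresses (an assumption introduced here) suppresses the false positive the table mentions. The field names mirror common SigninLogs columns, the IPs are documentation ranges, and the users are made up.

```python
"""Azure AD sign-in bursts from multiple locations, over constructed SigninLogs-like records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events shaped like Sentinel SigninLogs rows. Not real log data.
SAMPLE_SIGNINS = [
    # alice: two countries within 20 minutes -> should be flagged
    {"TimeGenerated": "2024-03-01T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "US", "city": "Seattle"}},
    {"TimeGenerated": "2024-03-01T08:12:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.7", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "DE", "city": "Berlin"}},
    {"TimeGenerated": "2024-03-01T08:20:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.7", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "DE", "city": "Berlin"}},
    # bob: the second location is a failed sign-in (ResultType 50126) -> not counted
    {"TimeGenerated": "2024-03-01T09:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.22", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "US", "city": "Austin"}},
    {"TimeGenerated": "2024-03-01T09:05:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "192.0.2.99", "ResultType": "50126",
     "LocationDetails": {"countryOrRegion": "BR", "city": "Sao Paulo"}},
    # carol: the second location is the corporate VPN egress -> allowlisted (VPN false positive)
    {"TimeGenerated": "2024-03-01T10:00:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "203.0.113.30", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "US", "city": "Denver"}},
    {"TimeGenerated": "2024-03-01T10:03:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "198.51.100.200", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "IE", "city": "Dublin"}},
    # dave: two countries but five hours apart -> outside a one-hour window
    {"TimeGenerated": "2024-03-01T11:00:00Z", "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "203.0.113.40", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "US", "city": "Boston"}},
    {"TimeGenerated": "2024-03-01T16:00:00Z", "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "198.51.100.41", "ResultType": "0",
     "LocationDetails": {"countryOrRegion": "GB", "city": "London"}},
]

# Hypothetical allowlist of corporate VPN egress addresses; an assumption for this example.
KNOWN_VPN_EGRESS = frozenset({"198.51.100.200"})


def _parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_multi_location_bursts(signins, window=timedelta(hours=1),
                               location_threshold=1, vpn_egress=frozenset()):
    """Return {UserPrincipalName: sorted countries} for users whose successful sign-ins
    span more than `location_threshold` distinct countries inside any `window`."""
    by_user = defaultdict(list)
    for rec in signins:
        if rec["ResultType"] != "0":        # keep successful authentications only
            continue
        if rec["IPAddress"] in vpn_egress:  # known VPN egress is not a travel event
            continue
        by_user[rec["UserPrincipalName"]].append(
            (_parse_time(rec["TimeGenerated"]), rec["LocationDetails"]["countryOrRegion"]))

    flagged = {}
    for upn, events in by_user.items():
        events.sort()
        # Sliding window: from each event, collect countries seen within `window` after it.
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) > location_threshold:
                flagged[upn] = sorted(countries)
                break
    return flagged


if __name__ == "__main__":
    hits = find_multi_location_bursts(SAMPLE_SIGNINS, vpn_egress=KNOWN_VPN_EGRESS)
    for upn, countries in hits.items():
        print(f"{upn}: successful sign-ins from {', '.join(countries)} within 1h")
```

Run without the allowlist and carol is flagged as well, which is the VPN false positive the table warns about; the allowlist, or an equivalent check against a named-location list in Conditional Access, is what turns that row into a true negative. Failed sign-ins are deliberately excluded so that password-spray attempts from abroad do not produce a "travel" alert on their own.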