Managed Sentinel – Alert 137

Alert ID: MS-A137
Alert Name: Azure AD sign-in attempts from disabled accounts
Description: This alert identifies attempts by Azure AD users to log in with disabled accounts.
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Persistence, Defense Evasion, Credential Access
Log sources: Azure Sign-in Logs
False Positives: SaaS applications' remote connections
Recommendations:
1. Investigate the account history in Azure AD.
2. Investigate the source IP of the remote connection and validate it against known malicious IP addresses (threat intelligence list).
3. Consider blocking the source IP address of the remote connection.
4. Perform an investigation in Azure Sentinel to determine whether the same entities (IP address, account) are involved in other malicious requests across your Azure environment.
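The detection logic behind this alert, and the entity pivot from recommendation 4, as an added example that is not part of the Managed Sentinel alert card. It assumes the record fields of the Sentinel SigninLogs table (UserPrincipalName, ResultType, IPAddress, AppDisplayName, TimeGenerated) and the AADSTS result code 50057, which Azure AD returns when the user account is disabled; the sample sign-in records are constructed, and the suppression list models the SaaS-connection false positive the card names.

```python
"""Detection logic for sign-in attempts against disabled Azure AD accounts.

Added example, not the alert provider's code. Field names follow the Sentinel
SigninLogs table and the AADSTS error code 50057 ("user account is disabled").
All sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# AADSTS50057: the ResultType a sign-in against a disabled account produces.
DISABLED_ACCOUNT_RESULT = "50057"

# Constructed sample records shaped like rows of the SigninLogs table.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2024-01-10T08:01:00Z", "UserPrincipalName": "jdoe@contoso.example",
     "ResultType": "50057", "IPAddress": "203.0.113.10", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2024-01-10T08:02:00Z", "UserPrincipalName": "jdoe@contoso.example",
     "ResultType": "50057", "IPAddress": "203.0.113.10", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-01-10T08:05:00Z", "UserPrincipalName": "jdoe@contoso.example",
     "ResultType": "50057", "IPAddress": "198.51.100.7", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-01-10T08:06:00Z", "UserPrincipalName": "asmith@contoso.example",
     "ResultType": "0", "IPAddress": "198.51.100.7", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-01-10T08:07:00Z", "UserPrincipalName": "svc-backup@contoso.example",
     "ResultType": "50057", "IPAddress": "192.0.2.20", "AppDisplayName": "Contoso Backup SaaS"},
]


@dataclass
class DisabledAccountFinding:
    """One alert entity: a disabled account that someone tried to sign in as."""
    account: str
    attempts: int = 0
    source_ips: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def find_disabled_account_signins(events, suppressed_apps=frozenset()):
    """Group sign-ins that failed with ResultType 50057 by account.

    suppressed_apps: display names of known SaaS integrations whose leftover
    connections are expected noise (the false positive listed on the card).
    """
    findings = {}
    for ev in events:
        if ev.get("ResultType") != DISABLED_ACCOUNT_RESULT:
            continue
        if ev.get("AppDisplayName") in suppressed_apps:
            continue
        upn = ev["UserPrincipalName"]
        finding = findings.setdefault(upn, DisabledAccountFinding(upn))
        finding.attempts += 1
        finding.source_ips.add(ev["IPAddress"])
        finding.apps.add(ev["AppDisplayName"])
        ts = ev["TimeGenerated"]
        # ISO-8601 UTC timestamps sort correctly as strings.
        finding.first_seen = min(finding.first_seen or ts, ts)
        finding.last_seen = max(finding.last_seen, ts)
    return findings


def pivot_on_ip(events, ip):
    """Entity pivot for recommendation 4: every account seen from the given
    IP (successful or not) together with the result codes it produced."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("IPAddress") == ip:
            seen[ev["UserPrincipalName"]].add(ev["ResultType"])
    return dict(seen)


if __name__ == "__main__":
    for upn, f in find_disabled_account_signins(SAMPLE_SIGNIN_LOGS).items():
        print(f"{upn}: {f.attempts} attempts from {sorted(f.source_ips)} "
              f"via {sorted(f.apps)} between {f.first_seen} and {f.last_seen}")
        for ip in sorted(f.source_ips):
            print(f"  pivot {ip}: {pivot_on_ip(SAMPLE_SIGNIN_LOGS, ip)}")
```

Running the module on the constructed records flags jdoe (three attempts from two IPs) and the backup service account; passing {"Contoso Backup SaaS"} as suppressed_apps drops the latter, which is how the SaaS false positive would be tuned out without losing the interactive attempts. The pivot on 198.51.100.7 shows that the same IP also produced a successful sign-in for a different account, which is the kind of cross-entity finding recommendation 4 asks the analyst to look for.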