Managed Sentinel – Alert 156

| Field | Value |
| --- | --- |
| Alert ID | MS-A156 |
| Alert Name | Microsoft Azure Identity Protection - Suspicious activities with successful logins |
| Description | This alert fires on Azure Identity Protection "Unfamiliar sign-in properties" and "Anonymous IP address" alerts forwarded to Azure Sentinel. The results are correlated with the Azure AD SignInLogs so that user IDs with only failed logins are removed, leaving only accounts where the risky activity was accompanied by a successful sign-in. |
| Severity Level | Medium |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Credential Access |
| Log sources | Azure Identity Protection |
| False Positives | Please review every alert for potential false positives. Some detection types require an extensive tuning period before the volume of false positives drops. |
| Recommendations | Identity Protection also detects sign-ins from unfamiliar locations for basic authentication / legacy protocols. Because these protocols lack modern client features such as a client ID, there is not enough telemetry to reduce false positives. To reduce the number of risk detections, move to modern authentication, such as MFA. |