Managed Sentinel – Alert 205

Alert ID: MS-A205
Alert Name: Accounts generating excessive Azure SignIn log failures
Description: This alert fires for accounts with 100 or more failure events recorded in Azure AD SignInLogs.
Severity Level: High
Threat Indicator: Unauthorized access
MITRE ATT&CK Tactics: Initial Access
Log sources: Azure AD
False Positives: Applications using expired accounts
Recommendations:
1. Identify the account owner and ask about the failed logins.
2. Look up the source (location) of the login attempts.
3. Identify the applications used by the affected account.
4. Look up historical activity for the affected account.
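An added KQL query (written for this page, not Managed Sentinel's own rule) that applies the 100-failure threshold to the SigninLogs table and pulls in the source locations, applications and result descriptions the recommendations ask for, so a triage analyst can see at a glance whether the failures look like a credential attack or an application retrying with an expired password. The 24-hour lookback window is an assumption.

```kql
// Interactive Azure AD sign-ins; non-interactive sign-ins land in
// AADNonInteractiveUserSignInLogs and are not covered by this query.
SigninLogs
| where TimeGenerated > ago(24h)          // assumed lookback window
| where ResultType != "0"                 // "0" is a successful sign-in
| summarize
    FailureCount   = count(),
    FirstFailure   = min(TimeGenerated),
    LastFailure    = max(TimeGenerated),
    SourceIPs      = make_set(IPAddress, 20),
    Locations      = make_set(Location, 20),
    Applications   = make_set(AppDisplayName, 20),
    // Distinct failure reasons help separate password-spray style noise
    // (many IPs, generic bad-password errors) from one app looping on an
    // expired account (single app, single IP, one error text).
    FailureReasons = make_set(ResultDescription, 10),
    DistinctIPs    = dcount(IPAddress),
    DistinctApps   = dcount(AppDisplayName)
    by UserPrincipalName
| where FailureCount >= 100               // alert threshold from MS-A205
| extend LikelyAppRetry = (DistinctIPs == 1 and DistinctApps == 1)
| order by FailureCount desc
```

Rows with LikelyAppRetry set to true match the documented false-positive pattern and can be checked against the application owner first; rows spanning many IPs or locations warrant the historical-activity review in step 4.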