Managed Sentinel – Alert 156
| Field | Value |
| --- | --- |
| Alert ID | MS-A156 |
| Alert Name | Microsoft Azure Identity Protection - Suspicious activities with successful logins |
| Description | This alert triggers on Azure Identity Protection "Unfamiliar sign-in properties" and "Anonymous IP address" alerts sent to Azure Sentinel. The alerts are correlated with the Azure AD SignInLogs so that user IDs with only failed logins are removed, leaving the risky sign-ins that actually succeeded. |
| Severity Level | Medium |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Credential Access |
| Log sources | Azure Identity Protection |
| False Positives | Please review every alert for potential false positives. Some detection types require an extended tuning period before the volume of false positives drops. |
| Recommendations | Identity Protection also detects sign-ins from unfamiliar locations for basic authentication / legacy protocols. Because these protocols lack the features of modern authentication, such as a client ID, there is not enough telemetry to reduce false positives. To reduce the number of risk detections, you should move to modern authentication such as MFA. |