Managed Sentinel – Alert 002
| Field | Value |
|---|---|
| Alert ID | MS-A002 |
| Alert Name | Anomalous Azure Active Directory apps based on authentication location |
| Description | This query over Azure AD sign-in activity highlights Azure AD apps with an unusually high ratio of distinct geolocations to total number of authentications. Source: GitHub - Microsoft |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Initial Access |
| Log sources | Azure Signin Logs |
| Recommendations | Review the LocationString, Identity and AppDisplayName fields and validate whether these are within the normal parameters for your organization. Look for users accessing different applications within a short timeframe from various locations. If any abnormal behavior is identified, immediately disable the affected user accounts in Azure AD. |
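
The detection logic described above, written out as an added KQL example for the Sentinel `SigninLogs` table (this is not the Microsoft GitHub query the alert references). The lookback window, the minimum sign-in count, the ratio threshold and the way `LocationString` is built from `LocationDetails` are assumptions to tune for your tenant.

```kql
// Added example (not the published Microsoft query): flag Azure AD apps whose
// successful sign-ins come from an unusually high number of distinct
// geolocations relative to how often the app is used.
let lookback = 1d;          // assumption: evaluation window
let minSignins = 10;        // assumption: too few sign-ins to judge a ratio
let ratioThreshold = 0.5;   // assumption: distinct locations / sign-ins above this is anomalous
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType == "0"   // successful authentications only
// Build the LocationString field the alert recommendations refer to (assumed format)
| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), "/",
                                 tostring(LocationDetails.state), "/",
                                 tostring(LocationDetails.city))
| summarize SigninCount = count(),
            DistinctLocations = dcount(LocationString),
            Locations = make_set(LocationString, 20),
            Identities = make_set(Identity, 20)
    by AppDisplayName
| where SigninCount >= minSignins
| extend LocationRatio = round(todouble(DistinctLocations) / SigninCount, 2)
| where LocationRatio > ratioThreshold
| project AppDisplayName, SigninCount, DistinctLocations, LocationRatio, Locations, Identities
| order by LocationRatio desc
```

Triage the output by checking whether the listed `Identities` legitimately work from all of the `Locations`; a single identity spread across many locations in the window is the case the recommendations single out.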
