Managed Sentinel – Alert 003
| Field | Value |
| --- | --- |
| Alert ID | MS-A003 |
| Alert Name | Anomalous sign-in location by user account and authenticated applications |
| Description | This query over Azure Active Directory sign-in logs considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application vector. Source: GitHub - Microsoft |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Initial Access |
| Log sources | Azure Sign-in Logs |
| Recommendations | The alert returns a LocationString, Identity and AppDisplayName outlier within a predefined timeframe. Review and validate whether the user account is allowed to access this application within the reported parameters. If any abnormal behavior is identified, immediately disable the respective user account in Azure AD. |
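The hunt the description sketches, written out as an added KQL example (this is an illustration, not the Microsoft query the alert is sourced from): it builds a per-user, per-application location profile over a 14-day baseline and surfaces successful sign-ins in the last day from a location absent from that profile. The window lengths, the minimum-baseline threshold and the use of the standard SigninLogs columns are assumptions.

```kql
// Added example: per-user, per-app location profile vs. recent sign-ins.
// Assumes the standard SigninLogs schema (TimeGenerated, UserPrincipalName,
// Identity, AppDisplayName, LocationDetails, ResultType, IPAddress).
let lookback = 14d;   // baseline window used to learn each user/app location profile
let recent   = 1d;    // window in which a previously unseen location is flagged
let minBaseline = 20; // require an established profile before calling anything anomalous
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"        // successful sign-ins only
    | extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), "|",
                                     tostring(LocationDetails.state), "|",
                                     tostring(LocationDetails.city))
    | summarize BaselineCount = count(), KnownLocations = make_set(LocationString)
        by UserPrincipalName, AppDisplayName;
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), "|",
                                 tostring(LocationDetails.state), "|",
                                 tostring(LocationDetails.city))
| summarize RecentCount = count(), FirstSeen = min(TimeGenerated),
            Identity = take_any(Identity), SourceIPs = make_set(IPAddress)
    by UserPrincipalName, AppDisplayName, LocationString
| join kind=inner baseline on UserPrincipalName, AppDisplayName
// keep only locations this user has never used with this application in the baseline
| where set_has_element(KnownLocations, LocationString) == false
| where BaselineCount >= minBaseline
| project FirstSeen, Identity, UserPrincipalName, AppDisplayName, LocationString,
          RecentCount, BaselineCount, SourceIPs
| order by BaselineCount desc, RecentCount desc
```

Results with a large BaselineCount and a single RecentCount are the strongest candidates for the review step in the Recommendations row, since the user had a stable location profile for that application until the flagged sign-in.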