Managed Sentinel – Alert 137
Alert ID | MS-A137 |
Alert Name | Azure AD sign-in attempts from disabled accounts |
Description | This alert identifies sign-in attempts to Azure AD that fail because the account used is disabled. |
Severity Level | Medium |
Threat Indicator | Unauthorized Access |
MITRE ATT&CK Tactics | Persistence, Defense Evasion, Credential Access |
Log sources | Azure AD sign-in logs |
False Positives | Remote connections from SaaS applications that keep authenticating with an account after it has been disabled |
Recommendations | 1. Investigate the account's history in Azure AD. 2. Investigate the source IP address of the remote connection and validate it against known malicious IP addresses (threat intelligence list). 3. Consider blocking the source IP address of the remote connection. 4. Investigate in Azure Sentinel whether the same entities (IP address, account) are involved in other malicious requests across your Azure environment. |
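The triage logic behind the recommendations above, as an added example written for this page rather than Managed Sentinel's own rule: it filters sign-in records for the Azure AD result code 50057 ("User account is disabled"), groups them by account and source IP, checks the IP against a threat-intelligence list, flags groups that only involve known SaaS applications as likely false positives, and pivots on the account to list every source IP it was seen from. The field names follow the Azure AD sign-in log schema; the sample records, the threat-intelligence list and the SaaS allow-list are constructed for the example.

```python
"""Added example, not Managed Sentinel's rule: triage of sign-in attempts
from disabled Azure AD accounts over constructed sample records."""
from collections import defaultdict
from datetime import datetime, timezone

# Azure AD sign-in result code for "User account is disabled".
DISABLED_ACCOUNT_RESULT = "50057"

# Constructed sample records shaped like Azure AD sign-in log fields.
# Addresses come from documentation ranges; none of this is real telemetry.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2023-03-01T08:00:00Z", "UserPrincipalName": "j.doe@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50057",
     "ResultDescription": "User account is disabled", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2023-03-01T08:05:00Z", "UserPrincipalName": "J.Doe@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50057",
     "ResultDescription": "User account is disabled", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2023-03-01T09:00:00Z", "UserPrincipalName": "j.doe@contoso.com",
     "IPAddress": "198.51.100.7", "ResultType": "50057",
     "ResultDescription": "User account is disabled", "AppDisplayName": "Azure Portal"},
    # A successful sign-in and a wrong-password failure: both must be ignored.
    {"TimeGenerated": "2023-03-01T09:10:00Z", "UserPrincipalName": "a.smith@contoso.com",
     "IPAddress": "192.0.2.55", "ResultType": "0",
     "ResultDescription": "", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2023-03-01T09:12:00Z", "UserPrincipalName": "a.smith@contoso.com",
     "IPAddress": "192.0.2.55", "ResultType": "50126",
     "ResultDescription": "Invalid username or password", "AppDisplayName": "Azure Portal"},
]


def _parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_disabled_account_signins(records, threat_intel_ips=frozenset(), saas_apps=frozenset()):
    """Return one finding per (account, source IP) pair that produced
    disabled-account failures, enriched for recommendations 2 and the
    SaaS false-positive case. Results are sorted by account, then IP."""
    grouped = defaultdict(list)
    for rec in records:
        if str(rec.get("ResultType")) != DISABLED_ACCOUNT_RESULT:
            continue  # not a disabled-account failure
        key = (rec["UserPrincipalName"].lower(), rec["IPAddress"])
        grouped[key].append(rec)

    findings = []
    for (account, ip), recs in sorted(grouped.items()):
        times = sorted(_parse_time(r["TimeGenerated"]) for r in recs)
        apps = sorted({r["AppDisplayName"] for r in recs})
        ti_match = ip in threat_intel_ips
        findings.append({
            "account": account,
            "ip": ip,
            "count": len(recs),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "apps": apps,
            "ti_match": ti_match,
            # Only a likely false positive when every app is a known SaaS
            # integration and the IP is not on the threat-intelligence list.
            "likely_false_positive": (not ti_match) and all(a in saas_apps for a in apps),
        })
    return findings


def related_entities(findings):
    """Pivot for recommendation 4: every source IP seen per account."""
    by_account = defaultdict(set)
    for f in findings:
        by_account[f["account"]].add(f["ip"])
    return {acct: sorted(ips) for acct, ips in by_account.items()}


if __name__ == "__main__":
    # Assumed threat-intelligence list and SaaS allow-list for the example.
    results = find_disabled_account_signins(
        SAMPLE_SIGNIN_LOGS,
        threat_intel_ips={"198.51.100.7"},
        saas_apps={"Office 365 Exchange Online"},
    )
    for f in results:
        print(f)
    print(related_entities(results))
```

The Sentinel rule itself would express the same filter in KQL over the sign-in log table; the point of running it here over constructed records is to see how the threat-intelligence match and the SaaS allow-list split the two findings for the same account: the Azure Portal attempt from a listed IP is escalated, while the repeated Exchange Online attempts from an unlisted IP are marked as a likely stale integration and can be confirmed from the account history (recommendation 1) before the IP is blocked (recommendation 3).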