Managed Sentinel – Alert 205
Alert ID | MS-A205 |
Alert Name | Accounts generating excessive Azure AD sign-in failures |
Description | This alert fires for any account with 100 or more failure events (ResultType other than 0) recorded in the Azure AD SignInLogs table. Repeated failures against one account are the usual footprint of password guessing or brute-force attempts, but also of a stale credential left in an application. |
Severity Level | High |
Threat Indicator | Unauthorized access |
MITRE ATT&CK Tactics | Initial Access |
Log sources | Azure AD |
False Positives | Applications, scripts or scheduled jobs still configured with the credentials of an expired or disabled account (or an expired password), which retry and fail continuously. A single application name and a single failure ResultType across all events points in this direction. |
Recommendations | 1. Identify the account owner and ask whether the failed logins are expected (for example a mistyped password or a known expired credential). 2. Look up the source IP addresses and locations of the attempts and check whether they belong to the organisation or to a known provider. 3. Identify the applications (AppDisplayName, ClientAppUsed) the failures were recorded against. 4. Review the account's historical sign-in activity to establish what is normal for it. 5. Check whether the failures were followed by a successful sign-in (ResultType 0) from the same source, which would indicate that the attempt succeeded and the account should be treated as compromised. |
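The following is an added example, not part of the Managed Sentinel content: the detection logic of this alert implemented in Python over constructed SignInLogs-shaped records, with the enrichment (source IPs, applications, failure codes) that the recommendations ask an analyst to gather. The 100-failure threshold comes from the alert definition; the one-hour window, the sample accounts and IP addresses, and the application names are assumptions. ResultType 0 is the SignInLogs success code and 50126 is the Azure AD code for an invalid username or password; any other failure code in the sample is illustrative only.

```python
"""MS-A205 detection logic over Azure AD SignInLogs-shaped records (added example)."""
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 100              # "100 or more failure events" per the alert definition
WINDOW = timedelta(hours=1)  # assumption: the alert text states no evaluation window


def is_failure(row):
    """In SignInLogs, ResultType "0" is success; any other value is a failure."""
    return str(row.get("ResultType", "")) != "0"


def build_sample_signin_logs():
    """Constructed sample rows (not real data) covering three cases."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    # Case 1: 120 failures in ten minutes, one IP, one app: should fire.
    for i in range(120):
        rows.append({"TimeGenerated": t0 + timedelta(seconds=5 * i),
                     "UserPrincipalName": "svc-backup@contoso.example",
                     "ResultType": "50126",          # invalid username or password
                     "IPAddress": "203.0.113.10",
                     "AppDisplayName": "Legacy Backup Agent"})
    # Case 2: 150 failures spread over 12.5 hours: never 100 inside one hour.
    for i in range(150):
        rows.append({"TimeGenerated": t0 + timedelta(minutes=5 * i),
                     "UserPrincipalName": "alice@contoso.example",
                     "ResultType": "50126",
                     "IPAddress": "198.51.100.%d" % (i % 7),
                     "AppDisplayName": "Office 365 Exchange Online"})
    # Case 3: 200 successful sign-ins: volume alone must not fire the alert.
    for i in range(200):
        rows.append({"TimeGenerated": t0 + timedelta(seconds=10 * i),
                     "UserPrincipalName": "bob@contoso.example",
                     "ResultType": "0",
                     "IPAddress": "192.0.2.25",
                     "AppDisplayName": "Microsoft Teams"})
    return rows


def detect_excessive_failures(rows, threshold=THRESHOLD, window=WINDOW):
    """Return {UserPrincipalName: triage summary} for every account whose
    failure count reaches `threshold` inside any sliding `window`."""
    failures_by_user = {}
    for row in rows:
        if is_failure(row):
            failures_by_user.setdefault(row["UserPrincipalName"], []).append(row)

    alerts = {}
    for upn, events in failures_by_user.items():
        events.sort(key=lambda r: r["TimeGenerated"])
        # Two-pointer sliding window: the largest number of failures whose
        # timestamps all fall within `window` of each other.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end]["TimeGenerated"] - events[start]["TimeGenerated"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        # Enrichment an analyst needs for the recommendations: where the
        # attempts came from, which apps they targeted, and why they failed.
        alerts[upn] = {
            "peak_failures_in_window": peak,
            "total_failures": len(events),
            "source_ips": sorted({e["IPAddress"] for e in events}),
            "apps": Counter(e["AppDisplayName"] for e in events).most_common(3),
            "result_types": Counter(e["ResultType"] for e in events).most_common(3),
            "first_seen": events[0]["TimeGenerated"].isoformat(),
            "last_seen": events[-1]["TimeGenerated"].isoformat(),
        }
    return alerts


if __name__ == "__main__":
    for upn, summary in detect_excessive_failures(build_sample_signin_logs()).items():
        print(upn, summary)
```

In Sentinel itself the same threshold check is the query `SigninLogs | where ResultType != "0" | summarize FailureCount = count() by UserPrincipalName | where FailureCount >= 100`, evaluated over the rule's lookback period. The enrichment fields in the summary map onto the triage steps: a single application and a single ResultType across all events is the pattern of the stale-credential false positive, whereas many source IPs or a mix of failure codes deserves a closer look.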