Data Source: Microsoft Entra ID Protection Logs | Detection.FYI

Multiple Microsoft Entra ID Protection Alerts by User Principal

May 2, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Protection Logs Use Case: Identity and Access Audit Resources: Investigation Guide Tactic: Initial Access ·
Share on:

Identifies more than two Microsoft Entra ID Protection alerts associated to the user principal in a short time period. Microsoft Entra ID Protection alerts are triggered by suspicious sign-in activity, such as anomalous IP addresses, risky sign-ins, or other risk detections. Multiple alerts in a short time frame may indicate an ongoing attack or compromised account.

Read More