Data Source: Microsoft Entra ID Protection Logs | Detection.FYI

Microsoft Entra ID Protection Alert and Device Registration

Sep 18, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Protection Logs Data Source: Microsoft Entra ID Audit Logs Use Case: Identity and Access Audit Resources: Investigation Guide Tactic: Persistence ·
Share on:

Identifies sequence of events where a Microsoft Entra ID protection alert is followed by an attempt to register a new device by the same user principal. This behavior may indicate an adversary using a compromised account to register a device, potentially leading to unauthorized access to resources or persistence in the environment.

Read More
Multiple Microsoft Entra ID Protection Alerts by User Principal

Sep 9, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Protection Logs Use Case: Identity and Access Audit Resources: Investigation Guide Tactic: Initial Access ·
Share on:

Identifies more than two Microsoft Entra ID Protection alerts associated to the user principal in a short time period. Microsoft Entra ID Protection alerts are triggered by suspicious sign-in activity, such as anomalous IP addresses, risky sign-ins, or other risk detections. Multiple alerts in a short time frame may indicate an ongoing attack or compromised account.

Read More