A possible risky login to Azure

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-18

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Initial Access (TA0001) Resource Development (TA0042)
ATT&CK Technique	Compromise Accounts (T1586) Valid Accounts (T1078)
Severity	Informational

A risky sign-in attempt was observed in Azure.

An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.

Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
Reach out to the user to confirm the legitimacy of the recent password reset activity.
Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

A risky sign-in attempt was observed in Azure.

An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.

Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
Reach out to the user to confirm the legitimacy of the recent password reset activity.
Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.