Sign-ins from IPs that attempt sign-ins to disabled accounts

I've had a few alerts called "Sign-ins from IPs that attempt sign-ins to disabled accounts", the Description says "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account." I can see the failed attempts, but I cannot see the 'other' account that was successfully signed in, or the successful sign in event. Any ideas?

2 Replies
You could search the logs to see what other accounts have signed in from that IP:

union SigninLogs
| where IPAddress contains "IPHERE"
Thanks Nabilsayeed, that's the puzzle: the only login attempts from that IP for that time period are from the disabled account. I can't find any successful logins from that IP address.
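
The correlation stated in the alert description, written out as an added example (not posted in this thread, and not the analytics rule's own query): it lists, per IP, the disabled accounts that failed and the other accounts that signed in successfully, so the "other" account is visible in one row. Assumptions: ResultType "50057" marks a disabled-account failure and "0" marks success; the rows in SampleSignins are constructed, and against real data SampleSignins would be replaced by SigninLogs with a time filter.

```kql
// Constructed sample rows standing in for SigninLogs (only the columns used below).
let SampleSignins = datatable(TimeGenerated:datetime, IPAddress:string, UserPrincipalName:string, ResultType:string)
[
    datetime(2021-05-20 10:00:00), "203.0.113.10", "old.user@contoso.example", "50057",
    datetime(2021-05-20 10:02:00), "203.0.113.10", "alice@contoso.example",    "0",
    datetime(2021-05-20 10:05:00), "198.51.100.7", "old.user@contoso.example", "50057",
    datetime(2021-05-20 10:06:00), "198.51.100.7", "bob@contoso.example",      "50126"
];
// Step 1: IPs with at least one failed sign-in to a disabled account.
let DisabledAttempts = SampleSignins
    | where ResultType == "50057"
    | summarize DisabledAccounts = make_set(UserPrincipalName),
                FirstDisabledAttempt = min(TimeGenerated),
                LastDisabledAttempt = max(TimeGenerated)
             by IPAddress;
// Step 2: successful sign-ins from those same IPs.
DisabledAttempts
| join kind=inner (
    SampleSignins
    | where ResultType == "0"
    | summarize SuccessfulAccounts = make_set(UserPrincipalName),
                FirstSuccess = min(TimeGenerated),
                LastSuccess = max(TimeGenerated)
             by IPAddress
  ) on IPAddress
// Step 3: keep only IPs where the successful account differs from the disabled one.
| extend OtherAccounts = set_difference(SuccessfulAccounts, DisabledAccounts)
| where array_length(OtherAccounts) > 0
| project IPAddress, DisabledAccounts, OtherAccounts,
          FirstDisabledAttempt, LastDisabledAttempt, FirstSuccess, LastSuccess
```

With the sample rows only 203.0.113.10 is returned; 198.51.100.7 drops out because its second sign-in failed (ResultType "50126") rather than succeeded.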