Azure threat detection is a feature that monitors for and detects anomalous activities, such as unusual successful logins, and warns if an unknown or new client IP address is used. A login warning generates an email and appears on the DW instance portal. The unfamiliar-login feature uses a two-month sliding window to look for unknown IPs. When a new IP is found, the warning email and portal threat are generated. The minimum learning period on a new instance before the first alert is 14 days.
For alerts such as Log on by an unfamiliar principal, Log on from an unusual Azure Data Center, Log on from an unusual location, or Potential SQL Brute Force attempt, the following are some mitigation steps to investigate the access and block it if it is unauthorized.
You can take immediate action by changing the account password or blocking the IP via the DW server's firewall rules. However, this may not be the ideal step if the IP address belongs to Azure services or was recently configured, because the block may interrupt the service. Azure IP addresses change frequently for security reasons. You can get information from the following URL.
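The check this caveat calls for, as an added example that is not code from the original page: before blocking the client IP from an alert, test whether it falls inside a published Azure range. It assumes the ranges are loaded from Microsoft's Azure IP Ranges and Service Tags JSON file; the embedded sample is constructed with documentation prefixes, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of the Azure IP Ranges and Service Tags
# JSON file. The prefixes are documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "Sql.WestEurope",
     "properties": {"region": "westeurope", "systemService": "AzureSQL",
                    "addressPrefixes": ["192.0.2.0/25", "2001:db8:10::/48"]}},
    {"name": "AzureCloud.westeurope",
     "properties": {"region": "westeurope", "systemService": "",
                    "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24"]}}
  ]
}
""")


def matching_service_tags(client_ip, service_tags):
    """Return (tag name, prefix) pairs containing client_ip, most specific first."""
    ip = ipaddress.ip_address(client_ip)  # raises ValueError on malformed input
    hits = []
    for tag in service_tags.get("values", []):
        for prefix in tag.get("properties", {}).get("addressPrefixes", []):
            net = ipaddress.ip_network(prefix, strict=False)
            # Compare only within the same address family (IPv4 vs IPv6).
            if net.version == ip.version and ip in net:
                hits.append((tag["name"], prefix, net.prefixlen))
    hits.sort(key=lambda h: h[2], reverse=True)
    return [(name, prefix) for name, prefix, _ in hits]


def triage(client_ip, service_tags):
    """Suggest a next step for the client IP reported in a login alert."""
    hits = matching_service_tags(client_ip, service_tags)
    if hits:
        name, prefix = hits[0]
        # An Azure-owned address can still be an unauthorized tenant's VM,
        # so a match means "investigate first", not "trusted".
        return f"{client_ip}: inside {prefix} ({name}); review before blocking"
    return f"{client_ip}: not in loaded Azure ranges; candidate for firewall block"
```

Because the published ranges change, reload the JSON file before each triage run rather than caching an old copy.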