Sign-ins from IPs that attempt sign-ins to disabled accounts

I've had a few alerts called "Sign-ins from IPs that attempt sign-ins to disabled accounts". The description says "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account." I can see the failed attempts, but I cannot see the 'other' account that was successfully signed in, or the successful sign-in event. Any ideas?

2 Replies
You could search the logs to see what other accounts have signed in from that IP:

union SigninLogs
| where IPAddress contains "IPHERE"
Thanks Nabilsayeed, that's the puzzle: the only login attempts from that IP for that time period are from the disabled account. I can't find any successful logins from that IP address.
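
An added example, not part of the original replies: a widened version of the search suggested above that also covers the non-interactive sign-in table and labels each result, so a successful sign-in (ResultType 0) from the same IP stands out next to the disabled-account failures (ResultType 50057). It assumes the workspace ingests AADNonInteractiveUserSignInLogs and uses a 7-day lookback; "IPHERE" is the placeholder from the thread.

```kql
// Added example. Assumptions: 7-day lookback, and that non-interactive
// sign-ins are ingested into AADNonInteractiveUserSignInLogs.
let ip = "IPHERE";          // placeholder from the thread
let lookback = 7d;          // assumed window; match it to the alert's query period
// isfuzzy=true lets the query run even if one of the tables is absent.
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(lookback)
// Exact match: "contains" would also match longer addresses that embed this string.
| where IPAddress == ip
| extend Outcome = case(
    ResultType == "0",     "Success",
    ResultType == "50057", "Failed: account disabled",
                           "Failed: other")
| summarize
    Attempts  = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Apps      = make_set(AppDisplayName, 20)
    by UserPrincipalName, Outcome, ResultType, Type
| order by Outcome asc, LastSeen desc
```

The Type column shows which table each row came from, and FirstSeen/LastSeen show whether a success falls outside the period that was searched originally.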