LoFP / azure tenant
| Title | Tags |
|---|---|
| a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. | t1110, t1110.001, t1201, aws account, azure tenant, splunk |
| a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment. | t1110, t1110.001, T1110.003, T1535, t1586, azure tenant, aws account, splunk |
| administrators may legitimately create azure automation accounts. filter as needed. | t1136, t1136.003, azure tenant, splunk |
| administrators may legitimately create azure automation runbooks. filter as needed. | t1136, t1136.003, azure tenant, splunk |
| administrators may legitimately create azure runbook webhooks. filter as needed. | t1078, t1078.004, azure tenant, splunk |
| false positives may occur if users are granting consents as part of legitimate application integrations or setups. it is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices. | t1528, azure tenant, splunk |
| in most organizations, device code authentication will be used to access common microsoft services, but it may be legitimate for others. filter as needed. | t1528, t1566, t1566.002, azure tenant, splunk |
| legitimate applications may be granted tenant-wide consent. filter as needed. | t1098, t1098.003, azure tenant, o365 tenant, splunk |
| legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization. | t1562, azure tenant, splunk |
| rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives. | t1078, azure tenant, o365 tenant, splunk |
| this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed. | t1110, T1110.003, T1110.004, t1586, t1586.003, azure tenant, o365 tenant, splunk |
| update_known_false_positives | t1528, azure tenant, splunk |
| users may deny consent for legitimate applications by mistake. filter as needed. | t1528, azure tenant, splunk |
| users may register mfa methods legitimately. investigate and filter as needed. | t1098, t1098.005, o365 tenant, azure tenant, splunk |