@odweik :
Sign-ins from IPs that attempt sign-ins to disabled accounts -- incident reported in sentinel.
Reviewed the latest incident and investigated on the same, this incident is reported for only one user. Evaluated the Azure AD sign logs for the same and noticed the user has been disabled in Nov 2021 and also three devices are associated with the user account which are Azure AD registered.
Action plan: Suggested to review the devices which are listed under the user account and investigate the same, delete the devices which are not in use by the user if those devices are used by multiple users check for inactive session/cached credentials for the deleted user ( user reported by sentinel incident ).
Reference articles related to Azure Identity protection:
https://azure.microsoft.com/en-in/services/active-directory/security/#features
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.