Failed Login Alert for Azure Application
I am thinking of a best way to be alerted for some sign in attempt criteria for my Azure AD which includes the Enterprise Application where we are using Azure AD as SSO to login to other system like Atlassian, Office.com, AWS, etc.
I started shipping the logs from Azure AD to Azure Log Analytics Workspace, but having problem in specifying the correct query for me to create an alert. I am after with the below trigger.
10 Failed Login attempts in period of 10secs.
20 Consecutive failed logins attempts.
Login form the hostile country like Russia, North Korea, etc.
Anyone can able to assist me with the right approach I need to do on this?