We are using the out of the box "Sign-ins from IPs that attempt sign-ins to disabled accounts" analytic provided by Microsoft.
Some of the resulting incidents make sense. For example, a user is returning from LOA. They try to log in but their account has not yet been re-enabled. They call the Service Desk. It gets re-enabled. They log in.
Others do not seem to make sense. The account is disabled because the user is no longer with the company. We can see in ADAudit that the account in the Event details was not re-enabled after their disablement. Also, Azure AD's sign-ins show no successful logon after the failed logon when filtering by the IP in the alert. The only thing I can think of is maybe one last successful logon to their end user devices where their password is cached, but I am not certain where to look to prove that out.
Questions:
1. Where do I see more about that success that Sentinel is alerting on?
2. Has anyone experienced this with the out of the box "Sign-ins from IPs that attempt sign-ins to disabled accounts" analytic? Is there something I am overlooking, or does the analytic have a bug built into the query that I need to correct?
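The following KQL is an added investigation query for question 1, not the built-in analytic rule's own query and not something from the original post. It assumes the incident gives you an IP address (the value below is a placeholder), that both `SigninLogs` and `AADNonInteractiveUserSignInLogs` are ingested into the workspace, and that `ResultType` `50057` is Azure AD's "user account is disabled" error while `0` is success. It lists every sign-in from that IP that was either a success or a disabled-account failure, from both the interactive and the non-interactive log, so you can see which account the success actually belongs to and which log it came from.

```kql
// Added example query: investigate one IP from a "disabled account" incident.
// Assumptions: placeholder IP, both sign-in tables ingested, 50057 = disabled account.
let suspect_ip = "203.0.113.10";   // placeholder, replace with the IP from the incident
let lookback = 14d;
// Interactive user sign-ins (what the portal's default sign-in view shows).
let interactive = SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend SignInKind = "Interactive"
    | project TimeGenerated, SignInKind, UserPrincipalName, IPAddress, ResultType,
              ResultDescription, AppDisplayName, ClientAppUsed,
              DeviceDetail = tostring(DeviceDetail);
// Non-interactive sign-ins (token refreshes from devices and apps); these are
// on a separate tab in the portal and are easy to miss when filtering by IP.
let noninteractive = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | extend SignInKind = "NonInteractive"
    | project TimeGenerated, SignInKind, UserPrincipalName, IPAddress, ResultType,
              ResultDescription, AppDisplayName, ClientAppUsed,
              DeviceDetail = tostring(DeviceDetail);
union interactive, noninteractive
| where IPAddress == suspect_ip
| where ResultType in ("0", "50057")
| extend Outcome = iff(ResultType == "0", "Success", "DisabledAccount")
| project TimeGenerated, SignInKind, Outcome, UserPrincipalName, AppDisplayName,
          ClientAppUsed, ResultType, ResultDescription, DeviceDetail
| order by TimeGenerated asc
```

Reading the output: if the `Success` rows carry a different `UserPrincipalName` than the `DisabledAccount` rows, the IP is a shared egress (VPN, proxy, office NAT) and the rule matched on the address, not the disabled user. If the only successes are `NonInteractive`, that is why the interactive sign-in view in the portal appeared to show none. Appending `| summarize Successes = countif(Outcome == "Success"), Disabled = countif(Outcome == "DisabledAccount"), Kinds = make_set(SignInKind) by UserPrincipalName` gives a quick per-account view of the same data.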