While reviewing the alerts for the Microsoft Defender for Cloud integration, we notice several alerts providing recommendations on actions to take to improve security in Defender for Cloud. These alerts include descriptions such as:
"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources. These accounts can be targets for attackers looking to find ways to access your data without being noticed."
Red Canary Integrations
Microsoft Defender for Cloud
This is intended behavior: we expect to ingest these alerts, and we will mark them as not a threat. These alerts do not indicate a threat, only that an asset is in a risky state.
Working as intended.