I've received a high risk alert for a user, but I'm unable to work out where this happened i.e. from SaaS or an desktop/mobile app; and more importantly at what point did the MFA failure happen.
Specifically I'd like to know whether this happened after a correct password entry.