We would expect an alert for suspicious login attempts where the password succeeds, but the sign-in is halted by MFA.

Problem: Current alerts fire only on successful sign-ins.

Need: Successfully providing a password means a valid credential pair (UN/PW) is compromised, necessitating password rotation, even if MFA blocked the access.

Actual Example: A login attempt for an identity from an unusual location using an "axios" user agent provided the correct password but failed due to MFA not being completed. There was no alert/investigation.