Credentials are identified as being at risk primarily on the basis of authentication attempts and their security implications. Multiple failed authentication attempts within a short timeframe can indicate that an unauthorized actor is attempting to gain access to a user's account. This pattern suggests that the credentials may have been compromised or are being targeted for unauthorized access.
From a security operations perspective, especially within the framework of Microsoft Defender for Identity, monitoring for such failed attempts is vital. Such monitoring triggers alerts that can lead to immediate responses, such as account lockouts or prompts for password resets, thereby protecting user accounts from potential breaches.
The other options, while indicative of certain behaviors, do not specifically signal the same immediate level of risk regarding credential compromise. Frequent logins from new devices may be legitimate in some scenarios, and accessing sensitive data without alerts can be part of normal access operations, especially in dynamic work environments. Lastly, not changing passwords for over six months could indicate a lack of good password hygiene, but it doesn't necessarily imply that the credentials are at imminent risk of being exploited.
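As an added illustration (not part of the original explanation, and not Microsoft Defender for Identity's own detection logic), the Python below flags accounts with multiple failed authentication attempts inside a short window and raises the severity when a successful logon follows the burst. The log format, the 2-minute window, the threshold of 5 and the severity labels are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, account, source, result
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 10.0.0.5 FAILURE
2024-05-01T09:00:10 alice 10.0.0.5 FAILURE
2024-05-01T09:00:20 alice 10.0.0.5 FAILURE
2024-05-01T09:00:30 alice 10.0.0.5 FAILURE
2024-05-01T09:00:40 alice 10.0.0.5 FAILURE
2024-05-01T09:00:50 alice 10.0.0.5 SUCCESS
2024-05-01T09:00:05 bob 10.0.0.9 FAILURE
2024-05-01T11:30:00 bob 10.0.0.9 FAILURE
2024-05-01T14:00:00 bob 10.0.0.9 SUCCESS
"""

WINDOW = timedelta(minutes=2)   # assumed "short timeframe"
THRESHOLD = 5                   # assumed failure count; tune per environment


def parse(log_text):
    """Return (time, account, source, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, account, source, result = parts
        events.append((datetime.fromisoformat(ts), account, source, result))
    return sorted(events)


def at_risk_accounts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {account: severity} for accounts with a failure burst."""
    recent = defaultdict(deque)   # account -> failure times inside the window
    burst_at = {}                 # account -> time the threshold was last met
    findings = {}
    for when, account, _source, result in parse(log_text):
        failures = recent[account]
        while failures and when - failures[0] > window:
            failures.popleft()    # expire failures older than the window
        if result == "FAILURE":
            failures.append(when)
            if len(failures) >= threshold:
                burst_at[account] = when
                findings.setdefault(account, "medium")
        elif account in burst_at and when - burst_at[account] <= window:
            findings[account] = "high"   # burst then success: a guess may have worked
    return findings
```

In the constructed sample, bob's two failures hours apart never meet the threshold, while alice's five failures in 40 seconds followed by a success are rated high.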