Microsoft Entra ID Protection Anonymized IP Risk Detection

Last updated: 2025-04-29
Created: 2025-04-29

About

Identifies Microsoft Entra ID Protection risk detections triggered by sign-in activity from anonymized IP addresses, which are often associated with Tor exit nodes, proxies, or anonymizing VPNs. This behavior may indicate evasion tactics or account compromise activity.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Entra ID
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Command and Control
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Command and Control (TA0011)

False Positive Examples
Users connecting from privacy-focused browsers or corporate VPNs with anonymization may trigger this event. Validate geographic and user-agent patterns for legitimacy.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure.identity_protection-*
Related Integrations

azure

Query
event.dataset: "azure.identity_protection"
    and event.action: "User Risk Detection"
    and azure.identityprotection.properties.risk_event_type: "anonymizedIPAddress"
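Added example, not from this rule page or the Elastic rule set: a Python evaluation of the query's three conditions over constructed ECS-shaped events, grouping hits per user and skipping a hypothetical corporate-VPN egress allow-list as the false positive note suggests. Field paths follow the query; the sample events, user names, IPs and the allow-list are assumptions.

```python
from collections import defaultdict

# The three field/value pairs from the rule's KQL query.
RULE_CONDITIONS = {
    "event.dataset": "azure.identity_protection",
    "event.action": "User Risk Detection",
    "azure.identityprotection.properties.risk_event_type": "anonymizedIPAddress",
}

def get_field(doc, dotted):
    """Resolve an ECS dotted path against the nested JSON document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # a missing field never matches
        cur = cur[part]
    return cur

def matches_rule(doc):
    """True when every condition matches exactly (keyword-field semantics)."""
    return all(get_field(doc, f) == v for f, v in RULE_CONDITIONS.items())

def triage(docs, known_vpn_ips=frozenset()):
    """Group matching events by user, dropping IPs of a corporate VPN
    (hypothetical allow-list for the false positive the page describes)."""
    hits = defaultdict(list)
    for doc in docs:
        if not matches_rule(doc):
            continue
        ip = get_field(doc, "source.ip")
        if ip in known_vpn_ips:
            continue
        hits[get_field(doc, "user.name") or "<unknown>"].append(ip)
    return dict(hits)

def entra_event(user, ip, risk_type, dataset="azure.identity_protection"):
    """Build a constructed document shaped like the Azure integration output."""
    return {"event": {"dataset": dataset, "action": "User Risk Detection"},
            "azure": {"identityprotection": {"properties": {"risk_event_type": risk_type}}},
            "user": {"name": user}, "source": {"ip": ip}}

# Constructed sample events, not real Entra ID Protection records.
SAMPLE_EVENTS = [
    entra_event("alice", "198.51.100.7", "anonymizedIPAddress"),
    entra_event("bob", "192.0.2.44", "unfamiliarFeatures"),       # other risk type
    entra_event("carol", "203.0.113.10", "anonymizedIPAddress"),  # corporate VPN egress
    {"event": {"dataset": "azure.signinlogs", "action": "Sign-in activity"}},  # no azure.* block
]
```

Calling `triage(SAMPLE_EVENTS, known_vpn_ips=frozenset({"203.0.113.10"}))` leaves only alice's hit for analyst review.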

Install detection rules in Elastic Security

Detect Microsoft Entra ID Protection Anonymized IP Risk Detection in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.