Multiple Microsoft Entra ID Protection Alerts by User Principal

Last updated: 2025-04-30
Created: 2025-04-30

About

Identifies more than two Microsoft Entra ID Protection alerts associated with the same user principal within a short time period. Microsoft Entra ID Protection alerts are raised for suspicious sign-in activity, such as sign-ins from anomalous IP addresses, risky sign-ins, or other risk detections. Multiple alerts for one user in a short time frame may indicate an ongoing attack or a compromised account.
Tags

Domain: Cloud
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Protection Logs
Use Case: Identity and Access Audit
Tactic: Initial Access
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure.identity_protection-*
Related Integrations

azure

Query
sequence by azure.identityprotection.properties.user_principal_name with maxspan=10m
[any where event.module == "azure" and event.dataset == "azure.identity_protection"] with runs=2
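The correlation the EQL query expresses, as an added Python example (not Elastic's code and not how the detection engine evaluates EQL): it groups constructed sample Entra ID Protection events by user principal and flags any user with two matching events inside a 10-minute span. Non-overlapping window matching is a simplification of EQL sequence semantics, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Field names taken from the rule; the event records below are constructed.
UPN_FIELD = "azure.identityprotection.properties.user_principal_name"
SAMPLE_EVENTS = [
    {"@timestamp": "2025-04-30T08:00:00Z", "event.module": "azure",
     "event.dataset": "azure.identity_protection", UPN_FIELD: "alice@example.com"},
    {"@timestamp": "2025-04-30T08:04:00Z", "event.module": "azure",
     "event.dataset": "azure.identity_protection", UPN_FIELD: "alice@example.com"},
    {"@timestamp": "2025-04-30T08:01:00Z", "event.module": "azure",
     "event.dataset": "azure.identity_protection", UPN_FIELD: "bob@example.com"},
    {"@timestamp": "2025-04-30T08:30:00Z", "event.module": "azure",
     "event.dataset": "azure.identity_protection", UPN_FIELD: "bob@example.com"},
    # Not an Identity Protection event: excluded by the dataset filter.
    {"@timestamp": "2025-04-30T08:02:00Z", "event.module": "azure",
     "event.dataset": "azure.signinlogs", UPN_FIELD: "alice@example.com"},
]


def matches_filter(ev):
    """The rule's event filter: event.module == azure and the Protection dataset."""
    return (ev.get("event.module") == "azure"
            and ev.get("event.dataset") == "azure.identity_protection")


def correlate(events, maxspan=timedelta(minutes=10), runs=2):
    """Approximate 'sequence by <upn> with maxspan ... with runs': per user,
    `runs` consecutive matching events whose first-to-last gap is <= maxspan.
    Returns (upn, first_ts, last_ts) tuples; windows do not overlap."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        by_user.setdefault(ev[UPN_FIELD], []).append(ts)
    hits = []
    for upn, stamps in by_user.items():
        i = 0
        while i + runs <= len(stamps):
            window = stamps[i:i + runs]
            if window[-1] - window[0] <= maxspan:
                hits.append((upn, window[0].isoformat(), window[-1].isoformat()))
                i += runs  # sequence completed: start a fresh window
            else:
                i += 1
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only alice is flagged: bob's two events are 29 minutes apart, outside the 10-minute maxspan, and alice's sign-in log event is dropped by the dataset filter before correlation.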

Install detection rules in Elastic Security

Detect Multiple Microsoft Entra ID Protection Alerts by User Principal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.