Microsoft Entra ID Protection - Risk Detections

Last updated: 2025-05-18
Created: 2025-05-18

About

Identifies Microsoft Entra ID Protection sign-in risk detections triggered by a range of risk events, such as anonymized IP addresses, password spray attacks, impossible travel, token anomalies, and more. These detections are often early indicators of account compromise or malicious sign-in behavior. This is a promotion rule intended to surface all Entra ID sign-in risk events for further investigation and correlation with other identity-related activity. It is a building block rule (BBR) that collects every Microsoft Entra ID Protection sign-in or user risk detection; it is not intended to be used as a standalone detection.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Protection
Data Source: Microsoft Entra ID Protection Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: BBR
Language: kuery
Severity
medium
Risk Score
47
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.identity_protection-*
Related Integrations

azure

Query
event.dataset: "azure.identity_protection"
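The query above only selects documents by dataset; the value of a building block rule comes from correlating what it surfaces with other identity activity. The following is an added example (not Elastic's rule code) that applies the same dataset filter to a handful of constructed ECS-style documents and then joins each risk detection with a successful sign-in by the same user, from the same source IP, within a short window. The flattened field names under `azure.identityprotection.properties.*` and `azure.signinlogs.properties.*`, the `azure.signinlogs` dataset name and the sample events are assumptions made for the illustration.

```python
"""Building-block filter plus correlation for Entra ID Protection risk detections.

Added example, not the rule's own code. Field names under
azure.identityprotection.properties.* / azure.signinlogs.properties.* are
assumptions modelled on ECS-style documents; all sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The page's KQL: event.dataset: "azure.identity_protection"
RULE_QUERY_DATASET = "azure.identity_protection"
SIGNIN_DATASET = "azure.signinlogs"  # assumed dataset name for sign-in logs

# Constructed sample documents (flattened ECS-style keys), not real telemetry.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-05-18T10:00:00Z", "event.dataset": "azure.identity_protection",
     "azure.identityprotection.properties.user_principal_name": "alice@example.com",
     "azure.identityprotection.properties.risk_event_type": "anonymizedIPAddress",
     "azure.identityprotection.properties.risk_level": "medium",
     "source.ip": "203.0.113.10"},
    {"@timestamp": "2025-05-18T10:02:00Z", "event.dataset": "azure.signinlogs",
     "azure.signinlogs.properties.user_principal_name": "alice@example.com",
     "event.outcome": "success", "source.ip": "203.0.113.10"},
    {"@timestamp": "2025-05-18T11:00:00Z", "event.dataset": "azure.identity_protection",
     "azure.identityprotection.properties.user_principal_name": "bob@example.com",
     "azure.identityprotection.properties.risk_event_type": "passwordSpray",
     "azure.identityprotection.properties.risk_level": "high",
     "source.ip": "198.51.100.7"},
    {"@timestamp": "2025-05-18T11:01:00Z", "event.dataset": "azure.signinlogs",
     "azure.signinlogs.properties.user_principal_name": "bob@example.com",
     "event.outcome": "failure", "source.ip": "198.51.100.7"},
    {"@timestamp": "2025-05-18T12:00:00Z", "event.dataset": "azure.auditlogs",
     "event.action": "Update user"},
]


def _ts(doc):
    """Parse the document's @timestamp (UTC, second precision)."""
    return datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def building_block_filter(events):
    """Equivalent of the rule's query: keep every identity-protection document."""
    return [e for e in events if e.get("event.dataset") == RULE_QUERY_DATASET]


def correlate_with_signins(events, window=timedelta(minutes=15)):
    """Join each surfaced risk detection with a successful sign-in by the same
    user from the same source IP within `window` after the detection.

    Returns a list of (user, risk_event_type, risk_level, signin_timestamp)
    tuples: the cases an analyst would triage first, because the risky
    session actually got in.
    """
    risks = building_block_filter(events)
    by_user = defaultdict(list)
    for s in events:
        if s.get("event.dataset") == SIGNIN_DATASET:
            by_user[s.get("azure.signinlogs.properties.user_principal_name")].append(s)

    hits = []
    for r in risks:
        user = r.get("azure.identityprotection.properties.user_principal_name")
        for s in by_user.get(user, []):
            same_ip = s.get("source.ip") == r.get("source.ip")
            in_window = _ts(r) <= _ts(s) <= _ts(r) + window
            if s.get("event.outcome") == "success" and same_ip and in_window:
                hits.append((
                    user,
                    r["azure.identityprotection.properties.risk_event_type"],
                    r["azure.identityprotection.properties.risk_level"],
                    s["@timestamp"],
                ))
    return hits


if __name__ == "__main__":
    print(f"{len(building_block_filter(SAMPLE_EVENTS))} risk detections surfaced")
    for hit in correlate_with_signins(SAMPLE_EVENTS):
        print("risk followed by successful sign-in:", hit)
```

In the sample data the password-spray detection for bob is surfaced by the filter but not promoted by the correlation, because the matching sign-in failed; only alice's anonymized-IP detection followed by a successful sign-in from that IP is returned. In Elastic Security the same pattern is expressed as a second rule that reads the building block's alerts alongside sign-in events, which is why the page states that this rule is not meant to stand alone.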

Install detection rules in Elastic Security

Detect Microsoft Entra ID Protection - Risk Detections in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.