LoFP / Administrators may mark accounts as compromised during security testing or incident response exercises. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific test accounts.

Techniques

Sample rules

Entra ID Protection Admin Confirmed Compromise

Description

Identifies when an administrator has manually confirmed a user or sign-in as compromised in Microsoft Entra ID Protection. This indicates that an administrator has reviewed the risk detection and determined that the user account or sign-in activity is definitively compromised. This is a high-confidence indicator of account compromise and should be investigated immediately.

Detection logic

event.dataset: azure.identity_protection and
    azure.identityprotection.properties.risk_detail: (
        "adminConfirmedSigninCompromised" or
        "adminConfirmedUserCompromised"
    )
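
Added example, not code from the LoFP page or the Elastic rule: it applies the rule's two risk_detail values to constructed Entra ID Protection events and suppresses hits on an assumed allowlist of test accounts, the exception the false-positive note above recommends. The user-principal-name field name and the allowlist entries are assumptions.

```python
# Added example (not the LoFP page's or the Elastic rule's own code).
from typing import Iterable

DATASET = "azure.identity_protection"
RISK_FIELD = "azure.identityprotection.properties.risk_detail"
# The two risk_detail values the rule matches, taken from the page's query.
ADMIN_CONFIRMED = {"adminConfirmedSigninCompromised", "adminConfirmedUserCompromised"}
# Assumed field holding the affected account's UPN; check your index mapping.
USER_FIELD = "azure.identityprotection.properties.user_principal_name"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's detection logic exactly."""
    return event.get("event.dataset") == DATASET and event.get(RISK_FIELD) in ADMIN_CONFIRMED


def evaluate(events: Iterable[dict], exceptions: set[str]) -> tuple[list[dict], list[dict]]:
    """Split rule hits into (alerts, suppressed). exceptions: lower-case test-account UPNs."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        # UPNs are not case-sensitive, so normalise before the allowlist lookup.
        user = (ev.get(USER_FIELD) or "").lower()
        (suppressed if user in exceptions else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.dataset": DATASET, RISK_FIELD: "adminConfirmedUserCompromised",
     USER_FIELD: "alice@example.com"},            # genuine hit -> alert
    {"event.dataset": DATASET, RISK_FIELD: "adminConfirmedSigninCompromised",
     USER_FIELD: "IR-Exercise-01@example.com"},   # allowlisted test account -> suppressed
    {"event.dataset": DATASET, RISK_FIELD: "adminConfirmedSigninSafe",
     USER_FIELD: "bob@example.com"},              # admin marked it safe -> no match
    {"event.dataset": "azure.signinlogs", RISK_FIELD: "adminConfirmedUserCompromised",
     USER_FIELD: "carol@example.com"},            # wrong dataset -> no match
]
# Assumed allowlist of accounts used for security testing / IR exercises.
TEST_ACCOUNT_EXCEPTIONS = {"ir-exercise-01@example.com"}

if __name__ == "__main__":
    hits, skipped = evaluate(SAMPLE_EVENTS, TEST_ACCOUNT_EXCEPTIONS)
    for ev in hits:
        print("ALERT", ev[USER_FIELD], ev[RISK_FIELD])
    print(f"{len(skipped)} hit(s) suppressed by test-account exceptions")
```

Keep the allowlist narrow and time-bound: a suppressed hit on a test account is still logged, so an exercise account that is later misused does not silently disappear from review.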