Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.

Techniques

Sample rules

Entra ID Protection - Risk Detection - Sign-in Risk

Description

Identifies sign-in risk detection events via Microsoft's Entra ID Protection service. Entra ID Protection detects risky sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more.

Detection logic

event.dataset: "azure.identity_protection" and
    event.action: "User Risk Detection" and
    azure.identityprotection.properties.activity: "signin"

Entra ID Protection - Risk Detection - User Risk

Description

Identifies user risk detection events via Microsoft's Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more.

Detection logic

event.dataset: "azure.identity_protection" and
    event.action: "User Risk Detection" and
    azure.identityprotection.properties.activity: "user"
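The two detection queries above, evaluated in Python over constructed sample events, together with the per-user and per-IP-range exception that the false-positive note recommends. This is an added example, not LoFP's or Elastic's code; the rule field values are copied from the page, while user.name and source.ip are assumed ECS field names the page does not show, and all events and addresses are constructed.

```python
import ipaddress

# Field values copied from the two detection-logic queries on this page.
BASE = {"event.dataset": "azure.identity_protection", "event.action": "User Risk Detection"}
RULES = {
    "Sign-in Risk": {**BASE, "azure.identityprotection.properties.activity": "signin"},
    "User Risk": {**BASE, "azure.identityprotection.properties.activity": "user"},
}

def make_event(dataset, activity, user, ip):
    """Constructed event; user.name and source.ip are assumed ECS fields, not from the page."""
    return {"event": {"dataset": dataset, "action": "User Risk Detection"},
            "azure": {"identityprotection": {"properties": {"activity": activity}}},
            "user": {"name": user}, "source": {"ip": ip}}

# Constructed sample events (RFC 5737 documentation addresses, not real indicators).
EVENTS = [
    make_event("azure.identity_protection", "signin", "alice", "203.0.113.10"),
    make_event("azure.identity_protection", "user", "bob", "198.51.100.7"),
    make_event("azure.identity_protection", "signin", "carol", "192.0.2.5"),
    make_event("azure.signinlogs", "signin", "dave", "192.0.2.9"),  # other dataset: no match
]

def get_path(doc, dotted):
    """Resolve a dotted field name against a nested dict; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def matches(event, rule):
    """Every clause must hold, mirroring the AND-ed KQL on the page."""
    return all(get_path(event, field) == value for field, value in rule.items())

def is_excepted(event, allowed_users, allowed_nets):
    """Exception list for expected VPN/Tor users or egress ranges (the LoFP note)."""
    if get_path(event, "user.name") in allowed_users:
        return True
    ip = get_path(event, "source.ip")
    return bool(ip) and any(ipaddress.ip_address(ip) in net for net in allowed_nets)

def evaluate(events, allowed_users=(), allowed_ranges=()):
    """Return (rule name, user) for every event that fires and is not excepted."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    users = set(allowed_users)
    return [(name, get_path(e, "user.name"))
            for e in events for name, rule in RULES.items()
            if matches(e, rule) and not is_excepted(e, users, nets)]
```

Calling evaluate(EVENTS) fires on alice, bob and carol; adding bob to the user exception list and 192.0.2.0/24 as a known VPN egress range leaves only the alice alert.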