Microsoft Entra ID Protection Anonymized IP Risk Detection
- source: elastic
- techniques:
- T1090
Description
Identifies Microsoft Entra ID Protection risk detections triggered by sign-in activity from anonymized IP addresses, which are often associated with Tor exit nodes, proxies, or anonymizing VPNs. This behavior may indicate evasion tactics or account compromise activity.
Detection logic
event.dataset: "azure.identity_protection"
and event.action: "User Risk Detection"
and azure.identityprotection.properties.risk_event_type: "anonymizedIPAddress"