users connecting from privacy-focused browsers or corporate vpns with anonymization may trigger this event. validate geographic and user-agent patterns for legitimacy.

t1090
azure
elastic

Techniques

T1090

Sample rules

Microsoft Entra ID Protection Anonymized IP Risk Detection

source: elastic
technicques:
- T1090

Description

Identifies Microsoft Entra ID Protection risk detections triggered due to sign-in activity from anonymized IP addresses, which is often associated with Tor exit nodes, proxies, or anonymizing VPNs. This behavior may indicate evasion tactics or account compromise activity.

Detection logic

event.dataset: "azure.identity_protection"
    and event.action: "User Risk Detection"
    and azure.identityprotection.properties.risk_event_type: "anonymizedIPAddress"