LoFP / Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.

Techniques

Sample rules

Entra ID Protection - Risk Detection - Sign-in Risk

Description

Identifies sign-in risk detection events via Microsoft's Entra ID Protection service. Entra ID Protection detects sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more.

Detection logic

event.dataset: "azure.identity_protection" and
    event.action: "User Risk Detection" and
    azure.identityprotection.properties.activity: "signin"

Entra ID Protection - Risk Detection - User Risk

Description

Identifies user risk detection events via Microsoft's Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more.

Detection logic

event.dataset: "azure.identity_protection" and
    event.action: "User Risk Detection" and
    azure.identityprotection.properties.activity: "user"
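The following is an added example, not code from LoFP, Elastic or Microsoft, that evaluates both sample rules above (the sign-in risk and user risk variants) over a handful of constructed events and applies the per-user exception list the false-positive note suggests for accounts that recently rotated their password. The three field names in the predicate come from the rules on this page; the flat dotted-key event layout and the use of the ECS `user.name` field to identify the account are assumptions.

```python
# Added example (not the page's own code): apply the two Entra ID Protection
# sample rules to constructed events and suppress alerts for excepted users.
# Field names event.dataset, event.action and
# azure.identityprotection.properties.activity are taken from the page;
# the flat dict layout and the "user.name" field are assumptions.

SIGNIN_RULE = "Entra ID Protection - Risk Detection - Sign-in Risk"
USER_RULE = "Entra ID Protection - Risk Detection - User Risk"

# Each rule differs only in the expected value of the activity field.
RULE_DEFS = {
    SIGNIN_RULE: "signin",
    USER_RULE: "user",
}


def matches_rule(event: dict, activity: str) -> bool:
    """Mirror the page's detection logic: all three conditions must hold."""
    return (
        event.get("event.dataset") == "azure.identity_protection"
        and event.get("event.action") == "User Risk Detection"
        and event.get("azure.identityprotection.properties.activity") == activity
    )


def evaluate(events, excepted_users=frozenset()):
    """Run every rule over every event.

    Returns (alerts, suppressed): both are lists of (rule_name, user) tuples.
    Matches for users on the exception list (e.g. accounts that just rotated
    their password, the false positive noted above) land in `suppressed`
    rather than being dropped silently, so they can still be reviewed.
    """
    alerts, suppressed = [], []
    for ev in events:
        user = ev.get("user.name", "<unknown>")
        for rule_name, activity in RULE_DEFS.items():
            if not matches_rule(ev, activity):
                continue
            if user in excepted_users:
                suppressed.append((rule_name, user))
            else:
                alerts.append((rule_name, user))
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # sign-in risk detection for alice: should alert on SIGNIN_RULE
        "event.dataset": "azure.identity_protection",
        "event.action": "User Risk Detection",
        "azure.identityprotection.properties.activity": "signin",
        "user.name": "alice",
    },
    {   # user risk detection for bob: should alert on USER_RULE
        "event.dataset": "azure.identity_protection",
        "event.action": "User Risk Detection",
        "azure.identityprotection.properties.activity": "user",
        "user.name": "bob",
    },
    {   # carol rotated her password today; matches SIGNIN_RULE but is excepted
        "event.dataset": "azure.identity_protection",
        "event.action": "User Risk Detection",
        "azure.identityprotection.properties.activity": "signin",
        "user.name": "carol",
    },
    {   # ordinary sign-in log, wrong dataset and action: no match
        "event.dataset": "azure.signinlogs",
        "event.action": "Sign-in activity",
        "azure.identityprotection.properties.activity": "signin",
        "user.name": "dave",
    },
]


if __name__ == "__main__":
    fired, held = evaluate(SAMPLE_EVENTS, excepted_users={"carol"})
    for rule, who in fired:
        print(f"ALERT      {rule}: {who}")
    for rule, who in held:
        print(f"SUPPRESSED {rule}: {who}")
```

Keeping suppressed matches in a separate list rather than discarding them means the exception list can be audited: if a user stays on it long after the password change, that shows up in the suppressed output instead of disappearing.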