Microsoft Entra ID Protection - Risk Detections

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Identifies Microsoft Entra ID Protection sign-in risk detections triggered by a range of risk events such as anonymized IP addresses, password spray attacks, impossible travel, token anomalies, and more. These detections are often early indicators of potential account compromise or malicious sign-in behavior. This is a promotion rule intended to surface all Entra ID sign-in risk events for further investigation and correlation with other identity-related activity. This is a building block rule that is used to collect all Microsoft Entra ID Protection sign-in or user risk detections. It is not intended to be used as a standalone detection.

Rule type: query

Rule indices:

  • logs-azure.identity_protection-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: Azure
  • Data Source: Microsoft Entra ID
  • Data Source: Microsoft Entra ID Protection
  • Data Source: Microsoft Entra ID Protection Logs
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup


Rule query

event.dataset: "azure.identity_protection"
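Because this is a building block rule, the query above is deliberately broad: it promotes every Identity Protection document to an alert so that other rules and analysts can correlate them. The following added example (not Elastic's rule code or the documentation's own) applies that same `event.dataset: "azure.identity_protection"` filter to a handful of constructed sample documents and then shows the kind of downstream correlation the building-block stream is meant to feed: grouping risk detections per user and flagging users with several distinct risk event types in a short window. The field names under `azure.identity_protection.properties.*` are an assumption about how the Elastic Azure integration names these fields; check them against your own ingested documents before reusing the logic.

```python
"""Promote Microsoft Entra ID Protection risk detections and correlate them per user.

Added example, not part of the Elastic rule. The sample documents below are
constructed for illustration and are not real telemetry. The
`azure.identity_protection.properties.*` field names are an assumption about
the Elastic Azure integration's mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RULE_DATASET = "azure.identity_protection"        # value from the rule query
PROPS = "azure.identity_protection.properties."   # assumed field prefix

# Constructed sample documents (flattened field names, as Kibana shows them).
SAMPLE_DOCS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.dataset": RULE_DATASET,
     PROPS + "user_principal_name": "alice@example.test",
     PROPS + "risk_event_type": "anonymizedIPAddress",
     PROPS + "risk_level": "medium"},
    {"@timestamp": "2024-05-01T10:20:00Z", "event.dataset": RULE_DATASET,
     PROPS + "user_principal_name": "alice@example.test",
     PROPS + "risk_event_type": "passwordSpray",
     PROPS + "risk_level": "high"},
    {"@timestamp": "2024-05-01T11:00:00Z", "event.dataset": RULE_DATASET,
     PROPS + "user_principal_name": "bob@example.test",
     PROPS + "risk_event_type": "impossibleTravel",
     PROPS + "risk_level": "medium"},
    # A plain sign-in log: not from the identity_protection dataset, so the
    # building-block rule must not promote it.
    {"@timestamp": "2024-05-01T11:05:00Z", "event.dataset": "azure.signinlogs",
     PROPS + "user_principal_name": "carol@example.test"},
    {"@timestamp": "2024-05-01T15:00:00Z", "event.dataset": RULE_DATASET,
     PROPS + "user_principal_name": "alice@example.test",
     PROPS + "risk_event_type": "tokenIssuerAnomaly",
     PROPS + "risk_level": "low"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_rule(doc):
    """The building-block rule: any document from the identity_protection dataset matches."""
    return doc.get("event.dataset") == RULE_DATASET


def promote(docs):
    """Promote matching documents to building-block alerts, ordered by time."""
    return sorted((d for d in docs if matches_rule(d)),
                  key=lambda d: parse_ts(d["@timestamp"]))


def correlate_by_user(alerts, window_hours=1.0, min_distinct=2):
    """Flag users who accumulate `min_distinct` different risk event types
    within any `window_hours`-long window. Returns {user: sorted event types}
    for the first qualifying window per user."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for alert in alerts:
        per_user[alert.get(PROPS + "user_principal_name", "<unknown>")].append(alert)

    flagged = {}
    for user, items in per_user.items():
        items.sort(key=lambda d: parse_ts(d["@timestamp"]))
        for i, first in enumerate(items):
            t0 = parse_ts(first["@timestamp"])
            types = {d[PROPS + "risk_event_type"] for d in items[i:]
                     if parse_ts(d["@timestamp"]) - t0 <= window}
            if len(types) >= min_distinct:
                flagged[user] = sorted(types)
                break
    return flagged


if __name__ == "__main__":
    alerts = promote(SAMPLE_DOCS)
    print(f"{len(alerts)} of {len(SAMPLE_DOCS)} documents promoted by the building-block rule")
    for user, types in correlate_by_user(alerts).items():
        print(f"{user}: {', '.join(types)} within one hour")
```

Running the block promotes four of the five constructed documents (the `azure.signinlogs` record is excluded) and flags alice, whose anonymized-IP and password-spray detections land twenty minutes apart; bob's single detection is promoted but not flagged, which is exactly the distinction between a building-block alert and an actionable one.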