Entra ID Protection - Risk Detection - Sign-in Risk

Identifies sign-in risk detection events via Microsoft's Entra ID Protection service. Entra ID Protection detects sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/04/29"
integration = ["azure"]
maturity = "production"
promotion = true
updated_date = "2025/05/02"

[rule]
author = ["Elastic"]
description = """
Identifies sign-in risk detection events via Microsoft's Entra ID Protection service. Entra ID Protection detects sign-in
activity such as anonymized IP addresses, unlikely travel, password spray, and more.
"""
false_positives = [
    """
    Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is
    expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP
    ranges.
    """,
    """
    Users who frequently travel or access their accounts from different geographic locations may trigger this rule due
    to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding
    exceptions for specific users.
    """,
    """
    Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism.
    If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-azure.identity_protection-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Entra ID Protection - Risk Detection - Sign-in Risk"
note = """## Triage and analysis

This rule detects sign-in risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.

### Possible investigation steps

- Review the `azure.identityprotection.properties.risk_event_type` field to understand the specific risk event type detected.
- Check the `azure.identityprotection.properties.risk_level` field to determine the severity of the risk event.
- Check the `azure.identityprotection.properties.risk_detail` field for additional context on the risk event.
- Review the `azure.correlation_id` field to correlate this event with other related events in your environment.
- Review the `azure.identityprotection.properties.additional_info` field for any additional information provided by Entra ID Protection.
- Review the `azure.identityprotection.properties.detection_timing_type` field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
- Check the `azure.identityprotection.properties.user_principal_name` field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.

### False positive analysis

- Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
- Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
- Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.

### Response and remediation
- Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
- If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
- Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
- Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
- Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
- Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.
"""
references = [
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
    "https://github.com/dirkjanm/ROADtools",
    "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",
    "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection",
    "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
]
risk_score = 73
rule_id = "064a2e08-25da-11f0-b1f1-f661ea17fbcd"
setup = """#### Required Microsoft Entra ID Protection Logs
To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Entra ID",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Use Case: Risk Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "azure.identity_protection" and
    event.action: "User Risk Detection" and
    azure.identityprotection.properties.activity: "signin"
'''

[[rule.severity_mapping]]
field = "azure.identityprotection.properties.risk_level"
operator = "equals"
severity = "high"
value = "high"

[[rule.severity_mapping]]
field = "azure.identityprotection.properties.risk_level"
operator = "equals"
severity = "medium"
value = "medium"

[[rule.severity_mapping]]
field = "azure.identityprotection.properties.risk_level"
operator = "equals"
severity = "low"
value = "low"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.action",
    "azure.identityprotection.properties.risk_event_type",
    "azure.identityprotection.properties.risk_level",
    "azure.identityprotection.properties.risk_detail",
    "azure.identityprotection.properties.user_principal_name",
    "azure.identityprotection.properties.user_display_name",
    "azure.identityprotection.properties.risk_state",
    "azure.identityprotection.properties.risk_type",
    "azure.identityprotection.properties.risk_reasons",
    "azure.identityprotection.properties.ip_address",
    "azure.identityprotection.properties.location",
    "azure.identityprotection.properties.detection_timing_type",
]
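The following Python is an added example and not Elastic's code: it models what the rule above does at alert time, evaluating the three AND-ed KQL terms of the `query` and then applying the `[[rule.severity_mapping]]` entries to `risk_level` to pick the alert severity, before copying the `investigation_fields` into the alert. Events are represented as flat dicts keyed by the rule's dotted field names; the sample events, UPNs and IP addresses are constructed, and the fallback to the rule's static `severity` when no mapping matches is an assumption about Kibana's behaviour rather than something the rule text states.

```python
"""Added example (not Elastic's code): replay the sign-in risk rule's query and
severity mapping over constructed Entra ID Protection events."""
from typing import Any

# The three AND-ed terms of the rule's KQL query (exact match on keyword fields).
RULE_CONDITIONS = {
    "event.dataset": "azure.identity_protection",
    "event.action": "User Risk Detection",
    "azure.identityprotection.properties.activity": "signin",
}

# [[rule.severity_mapping]]: risk_level value -> alert severity.
SEVERITY_FIELD = "azure.identityprotection.properties.risk_level"
SEVERITY_MAPPING = {"high": "high", "medium": "medium", "low": "low"}
DEFAULT_SEVERITY = "high"  # the rule's static `severity`; assumed fallback when no mapping matches

P = "azure.identityprotection.properties."
# Subset of the rule's investigation_fields copied into each alert.
INVESTIGATION_FIELDS = [
    "@timestamp", "event.action", P + "risk_event_type", P + "risk_level",
    P + "risk_detail", P + "user_principal_name", P + "detection_timing_type",
    P + "ip_address",
]


def matches_rule(event: dict[str, Any]) -> bool:
    """True when every query term matches exactly (a missing field never matches)."""
    return all(event.get(field) == value for field, value in RULE_CONDITIONS.items())


def alert_severity(event: dict[str, Any]) -> str:
    """Map risk_level through the severity_mapping, else use the rule default."""
    return SEVERITY_MAPPING.get(event.get(SEVERITY_FIELD), DEFAULT_SEVERITY)


def build_alert(event: dict[str, Any]) -> dict[str, Any]:
    alert = {field: event.get(field) for field in INVESTIGATION_FIELDS}
    alert["severity"] = alert_severity(event)
    return alert


def run_rule(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [build_alert(e) for e in events if matches_rule(e)]


def _event(ts, activity, level, event_type, upn, timing, ip, dataset="azure.identity_protection"):
    """Build a constructed Entra ID Protection event in the rule's field layout."""
    return {
        "@timestamp": ts,
        "event.dataset": dataset,
        "event.action": "User Risk Detection",
        P + "activity": activity,
        P + "risk_event_type": event_type,
        P + "risk_level": level,
        P + "risk_detail": "none",
        P + "user_principal_name": upn,
        P + "detection_timing_type": timing,
        P + "ip_address": ip,
    }


# Constructed sample events: two matching sign-in risks, one user-risk event
# (activity != "signin"), one from a different dataset, and one sign-in risk
# whose risk_level ("hidden") has no severity mapping.
SAMPLE_EVENTS = [
    _event("2025-05-02T10:15:00Z", "signin", "high", "anonymizedIPAddress", "alice@example.com", "realtime", "198.51.100.23"),
    _event("2025-05-02T10:20:00Z", "signin", "medium", "unlikelyTravel", "alice@example.com", "offline", "203.0.113.7"),
    _event("2025-05-02T10:25:00Z", "user", "high", "leakedCredentials", "bob@example.com", "offline", "192.0.2.10"),
    _event("2025-05-02T10:30:00Z", "signin", "high", "anonymizedIPAddress", "carol@example.com", "realtime", "198.51.100.9", dataset="azure.signinlogs"),
    _event("2025-05-02T10:35:00Z", "signin", "hidden", "passwordSpray", "dave@example.com", "offline", "203.0.113.44"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["severity"], alert[P + "user_principal_name"], alert[P + "risk_event_type"])
```

The user-risk event (activity `user`) is deliberately excluded: the `activity: "signin"` term is what separates this rule from a user-risk counterpart, so an aggregated user risk never raises a sign-in risk alert even at `high` level.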

Triage and analysis

This rule detects sign-in risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.

Possible investigation steps

  • Review the azure.identityprotection.properties.risk_event_type field to understand the specific risk event type detected.
  • Check the azure.identityprotection.properties.risk_level field to determine the severity of the risk event.
  • Check the azure.identityprotection.properties.risk_detail field for additional context on the risk event.
  • Review the azure.correlation_id field to correlate this event with other related events in your environment.
  • Review the azure.identityprotection.properties.additional_info field for any additional information provided by Entra ID Protection.
  • Review the azure.identityprotection.properties.detection_timing_type field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
  • Check the azure.identityprotection.properties.user_principal_name field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.
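As an added example (Python, not Elastic's code), the investigation steps above can be turned into a per-user triage summary: it groups sign-in risk events by `user_principal_name`, records the highest `risk_level`, the distinct `risk_event_type` values, how many detections were `realtime` versus `offline`, the `risk_detail` values, the source IPs, and the `azure.correlation_id` values to pivot into sign-in logs, then orders users for review. Events are flat dicts keyed by the rule's dotted field names; the sample events, UPNs, IPs and correlation ids are constructed, and the set of `risk_state` values treated as still open is an assumption.

```python
"""Added example (not Elastic's code): per-user triage summary over constructed
Entra ID Protection sign-in risk events, following the investigation steps."""
from collections import defaultdict
from typing import Any

P = "azure.identityprotection.properties."
LEVEL_RANK = {"low": 1, "medium": 2, "high": 3}
# risk_state values assumed to still need an analyst decision.
OPEN_STATES = {"atRisk", "confirmedCompromised"}


def _event(upn, event_type, level, timing, state, ip, corr, detail="none"):
    """Build a constructed sign-in risk event in the rule's field layout."""
    return {
        P + "user_principal_name": upn,
        P + "risk_event_type": event_type,
        P + "risk_level": level,
        P + "detection_timing_type": timing,
        P + "risk_state": state,
        P + "risk_detail": detail,
        P + "ip_address": ip,
        "azure.correlation_id": corr,
    }


# Constructed sample: alice has two open detections from two IPs, bob's
# password-spray detection was already closed by a secured password reset
# (the false-positive case noted above), carol has one open unlikely-travel event.
SAMPLE_EVENTS = [
    _event("alice@example.com", "anonymizedIPAddress", "high", "realtime", "atRisk", "198.51.100.23", "c0ffee01"),
    _event("alice@example.com", "unlikelyTravel", "medium", "offline", "atRisk", "203.0.113.7", "c0ffee02"),
    _event("bob@example.com", "passwordSpray", "low", "offline", "remediated", "192.0.2.10", "c0ffee03",
           detail="userPerformedSecuredPasswordReset"),
    _event("carol@example.com", "unlikelyTravel", "medium", "offline", "atRisk", "203.0.113.50", "c0ffee04"),
]


def summarize_user(events: list[dict[str, Any]]) -> dict[str, Any]:
    """Collapse one user's risk events into the facts an analyst checks first."""
    ranked = [e.get(P + "risk_level") for e in events if e.get(P + "risk_level") in LEVEL_RANK]
    return {
        "highest_risk_level": max(ranked, key=LEVEL_RANK.get) if ranked else None,
        "risk_event_types": sorted({e.get(P + "risk_event_type") for e in events}),
        "open_events": sum(1 for e in events if e.get(P + "risk_state") in OPEN_STATES),
        "realtime": sum(1 for e in events if e.get(P + "detection_timing_type") == "realtime"),
        "offline": sum(1 for e in events if e.get(P + "detection_timing_type") == "offline"),
        "risk_details": sorted({e.get(P + "risk_detail") for e in events}),
        "ip_addresses": sorted({e.get(P + "ip_address") for e in events}),
        # Pivot keys for the matching Entra sign-in / audit log entries.
        "correlation_ids": sorted({e.get("azure.correlation_id") for e in events}),
    }


def triage(events: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Group events by user_principal_name and summarize each user."""
    by_user: dict[str, list[dict[str, Any]]] = defaultdict(list)
    for e in events:
        by_user[e.get(P + "user_principal_name")].append(e)
    return {upn: summarize_user(evs) for upn, evs in by_user.items()}


def prioritize(summary: dict[str, dict[str, Any]]) -> list[str]:
    """Review order: highest risk level, then open events, then distinct IPs, then name."""
    def key(item):
        upn, s = item
        return (-LEVEL_RANK.get(s["highest_risk_level"], 0), -s["open_events"], -len(s["ip_addresses"]), upn)
    return [upn for upn, _ in sorted(summary.items(), key=key)]


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for upn in prioritize(summary):
        print(upn, summary[upn])
```

Bob sorts last not only because his level is `low` but because his `risk_state` is already `remediated` with a `risk_detail` explaining why, which is exactly the context the steps above say to read before escalating.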

False positive analysis

  • Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
  • Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
  • Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.

Response and remediation

  • Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
  • If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
  • Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
  • Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
  • Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
  • Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.
