Entra ID Protection - Risk Detection - User Risk

Jun 4, 2025 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Entra ID Use Case: Identity and Access Audit Use Case: Threat Detection Use Case: Risk Detection Tactic: Initial Access Resources: Investigation Guide ·

Share on:

Identifies user risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/06/02"
  3integration = ["azure"]
  4maturity = "production"
  5promotion = true
  6updated_date = "2025/06/02"
  7
  8[rule]
  9author = ["Elastic"]
 10description = """
 11Identifies user risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects user risk
 12activity such as anonymized IP addresses, unlikely travel, password spray, and more.
 13"""
 14false_positives = [
 15    """
 16    Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is
 17    expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP
 18    ranges.
 19    """,
 20    """
 21    Users who frequently travel or access their accounts from different geographic locations may trigger this rule due
 22    to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding
 23    exceptions for specific users.
 24    """,
 25    """
 26    Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism.
 27    If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
 28    """,
 29]
 30from = "now-9m"
 31index = ["filebeat-*", "logs-azure.identity_protection-*"]
 32language = "kuery"
 33license = "Elastic License v2"
 34max_signals = 1000
 35name = "Entra ID Protection - Risk Detection - User Risk"
 36note = """## Triage and analysis
 37
 38This rule detects user risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.
 39
 40### Possible investigation steps
 41
 42- Review the `azure.identityprotection.properties.risk_event_type` field to understand the specific risk event type detected.
 43- Check the `azure.identityprotection.properties.risk_level` field to determine the severity of the risk event.
 44- Check the `azure.identityprotection.properties.risk_detail` field for additional context on the risk event.
 45- Review the `azure.correlation_id` field to correlate this event with other related events in your environment.
 46- Review the `azure.identityprotection.properties.additional_info` field for any additional information provided by Entra ID Protection.
 47- Review the `azure.identityprotection.properties.detection_timing_type` field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
 48- Check the `azure.identityprotection.properties.user_principal_name` field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.
 49
 50### False positive analysis
 51
 52- Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
 53- Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
 54- Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
 55
 56### Response and remediation
 57- Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
 58- If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
 59- Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
 60- Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
 61- Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
 62- Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.
 63"""
 64references = [
 65    "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection",
 66    "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
 67]
 68risk_score = 73
 69rule_id = "4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd"
 70setup = """#### Required Microsoft Entra ID Protection Logs
 71To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.
 72
 73### Additional notes
 74
 75For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 76"""
 77severity = "high"
 78tags = [
 79    "Domain: Cloud",
 80    "Domain: Identity",
 81    "Data Source: Azure",
 82    "Data Source: Entra ID",
 83    "Use Case: Identity and Access Audit",
 84    "Use Case: Threat Detection",
 85    "Use Case: Risk Detection",
 86    "Tactic: Initial Access",
 87    "Resources: Investigation Guide",
 88]
 89timestamp_override = "event.ingested"
 90type = "query"
 91
 92query = '''
 93event.dataset: "azure.identity_protection" and
 94    event.action: "User Risk Detection" and
 95    azure.identityprotection.properties.activity: "user"
 96'''
 97
 98
 99[[rule.severity_mapping]]
100field = "azure.identityprotection.properties.risk_level"
101operator = "equals"
102severity = "high"
103value = "high"
104
105[[rule.severity_mapping]]
106field = "azure.identityprotection.properties.risk_level"
107operator = "equals"
108severity = "medium"
109value = "medium"
110
111[[rule.severity_mapping]]
112field = "azure.identityprotection.properties.risk_level"
113operator = "equals"
114severity = "low"
115value = "low"
116
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119[[rule.threat.technique]]
120id = "T1078"
121name = "Valid Accounts"
122reference = "https://attack.mitre.org/techniques/T1078/"
123[[rule.threat.technique.subtechnique]]
124id = "T1078.004"
125name = "Cloud Accounts"
126reference = "https://attack.mitre.org/techniques/T1078/004/"
127
128
129
130[rule.threat.tactic]
131id = "TA0001"
132name = "Initial Access"
133reference = "https://attack.mitre.org/tactics/TA0001/"
134[[rule.threat]]
135framework = "MITRE ATT&CK"
136[[rule.threat.technique]]
137id = "T1110"
138name = "Brute Force"
139reference = "https://attack.mitre.org/techniques/T1110/"
140[[rule.threat.technique.subtechnique]]
141id = "T1110.003"
142name = "Password Spraying"
143reference = "https://attack.mitre.org/techniques/T1110/003/"
144
145[[rule.threat.technique]]
146id = "T1556"
147name = "Modify Authentication Process"
148reference = "https://attack.mitre.org/techniques/T1556/"
149
150
151
152
153[rule.threat.tactic]
154id = "TA0006"
155name = "Credential Access"
156reference = "https://attack.mitre.org/tactics/TA0006/"
157
158[[rule.threat]]
159framework = "MITRE ATT&CK"
160[[rule.threat.technique]]
161id = "T1071"
162name = "Application Layer Protocol"
163reference = "https://attack.mitre.org/techniques/T1071/"
164
165
166[rule.threat.tactic]
167id = "TA0011"
168name = "Command and Control"
169reference = "https://attack.mitre.org/tactics/TA0011/"
170
171[rule.investigation_fields]
172field_names = [
173    "@timestamp",
174    "event.action",
175    "azure.identityprotection.properties.risk_event_type",
176    "azure.identityprotection.properties.risk_level",
177    "azure.identityprotection.properties.risk_detail",
178    "azure.identityprotection.properties.user_principal_name",
179    "azure.identityprotection.properties.user_display_name",
180    "azure.identityprotection.properties.risk_state",
181    "azure.identityprotection.properties.risk_type",
182    "azure.identityprotection.properties.risk_reasons",
183    "azure.identityprotection.properties.ip_address",
184    "azure.identityprotection.properties.location",
185    "azure.identityprotection.properties.detection_timing_type",
186]

Triage and analysis

This rule detects user risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.

Possible investigation steps

Review the azure.identityprotection.properties.risk_event_type field to understand the specific risk event type detected.
Check the azure.identityprotection.properties.risk_level field to determine the severity of the risk event.
Check the azure.identityprotection.properties.risk_detail field for additional context on the risk event.
Review the azure.correlation_id field to correlate this event with other related events in your environment.
Review the azure.identityprotection.properties.additional_info field for any additional information provided by Entra ID Protection.
Review the azure.identityprotection.properties.detection_timing_type field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
Check the azure.identityprotection.properties.user_principal_name field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.

False positive analysis

Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.

Response and remediation

Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Learn about risk detections, risk levels, and how they map to risk event types in Microsoft Entra ID Protection

Read More
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | Microsoft Security Blog

Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.

Read More