
Updated the CorrelateIPC_Unfamiliar-Atypical rule for Microsoft Entra ID Protection #14108

Merged
v-dvedak merged 8 commits into master from v-kasghosh/issues_number/11510
May 12, 2026

@v-kasghosh v-kasghosh commented Apr 21, 2026

Change(s):

  • Updated the CorrelateIPC_Unfamiliar-Atypical rule for Microsoft Entra ID Protection

Reason for Change(s):

Version Updated:

  • 1.0.9
  • 3.0.4

Testing Completed:

image

@contentautomationbot

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Apr 22, 2026
@v-kasghosh v-kasghosh marked this pull request as ready for review May 6, 2026 06:13
@v-kasghosh v-kasghosh requested review from a team as code owners May 6, 2026 06:13
@v-kasghosh v-kasghosh requested a review from a team as a code owner May 6, 2026 06:31
@v-shukore v-shukore requested a review from Copilot May 8, 2026 09:16

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Microsoft Entra ID Protection solution to a new version and refines the CorrelateIPC_Unfamiliar-Atypical analytic rule query logic.

Changes:

  • Added a new 3.0.4 entry to the solution release notes.
  • Updated the CorrelateIPC_Unfamiliar-Atypical analytic rule (v1.0.9) to parse Comments and filter out certain “admin” risk details.
  • Updated the KQL validation custom table schema to use AccountUPN.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| Solutions/Microsoft Entra ID Protection/ReleaseNotes.md | Adds the 3.0.4 release note entry for the updated analytic rule. |
| Solutions/Microsoft Entra ID Protection/Package/mainTemplate.json | Version bumps and template text updates (skipped from detailed review per repo guidelines for Solutions/**/Package/**). |
| Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml | Updates the detection query to extract/filter RiskDetail and bumps rule version to 1.0.9. |
| .script/tests/KqlvalidationsTests/CustomTables/IdentityInfo.json | Aligns the test schema column name with AccountUPN. |

Comment thread Solutions/Microsoft Entra ID Protection/ReleaseNotes.md
@v-dvedak v-dvedak merged commit eca179c into master May 12, 2026
36 checks passed

Development

Successfully merging this pull request may close these issues.

False Positives from "Correlate Unfamiliar sign-in properties & atypical travel alerts" When Changing User Risk
