[New Rule] Entra ID Protection Confirmed User Compromise by Admin #5185

@terrancedejesus

Description

We recently added the Microsoft Entra ID Protection - Risk Detections (da0d4bae-33ee-11f0-a59f-f661ea17fbcd) rule as a building-block (BBR) to identify events from Entra ID Protection and flag them accordingly. Since 2025/05/18 we have had roughly ~70k hits across all customers. Of these only < .1% were azure.identityprotection.properties.risk_detail was adminConfirmedSigninCompromised or adminConfirmedUserCompromised and the rest were benign or marked FP.

As a result, we should keep this rule BBR, but create a separate rule to capture confirmed user or sign-in compromises and raise an alert accordingly.
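As an added illustration of the split proposed above (not code from the issue or from the detection-rules project), the following Python reads a constructed batch of risk-detection events, counts each risk_detail value, and raises an alert only for the two admin-confirmed values; the sample events, their nested/flattened JSON shapes and the user.name values are assumptions.

```python
import json
from typing import Any

# Field and values named in the issue: a risk detection whose risk_detail shows
# an admin confirmed the sign-in or the user as compromised. Everything else
# stays at building-block severity and never raises an alert.
RISK_DETAIL_FIELD = "azure.identityprotection.properties.risk_detail"
CONFIRMED_COMPROMISE = frozenset({
    "adminConfirmedSigninCompromised",
    "adminConfirmedUserCompromised",
})

# Constructed NDJSON sample (not real telemetry): one risk detection per line,
# mixing nested and flattened ECS-style documents and one event with no risk_detail.
SAMPLE_NDJSON = """\
{"azure": {"identityprotection": {"properties": {"risk_detail": "none"}}}, "user": {"name": "a@example.com"}}
{"azure": {"identityprotection": {"properties": {"risk_detail": "adminConfirmedUserCompromised"}}}, "user": {"name": "b@example.com"}}
{"azure": {"identityprotection": {"properties": {"risk_detail": "adminConfirmedSigninSafe"}}}, "user": {"name": "c@example.com"}}
{"azure.identityprotection.properties.risk_detail": "adminConfirmedSigninCompromised", "user.name": "d@example.com"}
{"azure": {"identityprotection": {"properties": {"risk_level": "high"}}}, "user": {"name": "e@example.com"}}
"""

def get_field(event: dict, dotted: str) -> Any:
    """Resolve a dotted path against either a flattened or a nested document."""
    if dotted in event:              # flattened form: {"a.b.c": value}
        return event[dotted]
    node: Any = event
    for part in dotted.split("."):   # nested form: {"a": {"b": {"c": value}}}
        if not isinstance(node, dict) or part not in node:
            return None              # missing field must not match anything
        node = node[part]
    return node

def is_confirmed_compromise(event: dict) -> bool:
    """True only for the two admin-confirmed values; missing or other values are BBR-only."""
    return get_field(event, RISK_DETAIL_FIELD) in CONFIRMED_COMPROMISE

def triage(ndjson: str) -> tuple[list[dict], dict[str, int]]:
    """Return (events that should alert, count of each risk_detail value seen)."""
    alerts: list[dict] = []
    counts: dict[str, int] = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        detail = get_field(event, RISK_DETAIL_FIELD) or "<missing>"
        counts[detail] = counts.get(detail, 0) + 1
        if is_confirmed_compromise(event):
            alerts.append(event)
    return alerts, counts

if __name__ == "__main__":
    found, stats = triage(SAMPLE_NDJSON)
    print(f"{len(found)} confirmed-compromise alert(s) out of {sum(stats.values())} detections")
    for value, n in sorted(stats.items()):
        print(f"  {value}: {n}")
```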
