From 0d366d6a15ee410214c1eb11cd796816e6598306 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 19 May 2025 13:51:26 -0400
Subject: [PATCH] [New Rule] Microsoft Entra ID Protection - Risk Detections (#4725)
* new rule 'Microsoft Entra ID Protection - Risk Detections'
* added timing bypass
--------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---
...d_identity_protection_risk_detections.toml | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 rules_building_block/entra_id_identity_protection_risk_detections.toml
diff --git a/rules_building_block/entra_id_identity_protection_risk_detections.toml b/rules_building_block/entra_id_identity_protection_risk_detections.toml
new file mode 100644
index 000000000..323f51cf4
--- /dev/null
+++ b/rules_building_block/entra_id_identity_protection_risk_detections.toml
@@ -0,0 +1,48 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2025/05/18"
+integration = ["azure"]
+maturity = "production"
+promotion = true
+updated_date = "2025/05/18"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies Microsoft Entra ID Protection sign-in risk detections triggered by a range of risk events such as anonymized
+IP addresses, password spray attacks, impossible travel, token anomalies, and more. These detections are often early
+indicators of potential account compromise or malicious sign-in behavior. This is a promotion rule intended to surface
+all Entra ID sign-in risk events for further investigation and correlation with other identity-related activity. This is
+a building block rule that is used to collect all Microsoft Entra ID Protection sign-in or user risk detections. It is
+not intended to be used as a standalone detection.
+"""
+from = "now-9m"
+index = ["logs-azure.identity_protection-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Entra ID Protection - Risk Detections"
+references = [
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection",
+]
+risk_score = 47
+rule_id = "da0d4bae-33ee-11f0-a59f-f661ea17fbcd"
+setup = ""
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Protection",
+ "Data Source: Microsoft Entra ID Protection Logs",
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "azure.identity_protection"
+'''
+
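Review bot: The fixed `risk_score = 47` / `severity = "medium"` discards the risk level that Entra ID Protection attaches to each detection, so every promoted alert looks the same to an analyst whether the source event was low, medium or high risk. For a promotion rule that level is normally carried through with `[[rule.severity_mapping]]` and `[[rule.risk_score_mapping]]` entries keyed on the integration's risk-level field (field name to be confirmed against the azure identity_protection data stream mapping), keeping the fixed values as the fallback. `setup = ""` is also left empty although the rule only produces alerts when the Azure integration's Identity Protection data stream is enabled and writing to `logs-azure.identity_protection-*`; a single line such as `setup = "Requires the Azure integration with the Identity Protection data stream enabled."` would document that. Because the query is a bare `event.dataset: "azure.identity_protection"` match on that same index, any document in the data stream that is not a risk detection will be promoted as well, so it is worth confirming the data stream carries only risk detections or narrowing the query on the event type if it does not.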