[Rule Tuning] Entra ID Protection Sign-in and User Risk Detection Rules - Filter Remediated Risk States (#5535)

Fixes #5534

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2025/04/29"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/09/08"
+updated_date = "2026/01/07"
 
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,10 @@ type = "query"
 query = '''
 event.dataset: "azure.identity_protection" and
     event.action: "User Risk Detection" and
-    azure.identityprotection.properties.activity: "signin"
+    azure.identityprotection.properties.activity: "signin" and
+    not azure.identityprotection.properties.risk_state: (
+        "remediated" or "dismissed" or "confirmedSafe"
+    )
 '''
 
 

rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2025/06/02"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/09/08"
+updated_date = "2026/01/07"
 
 [rule]
 author = ["Elastic"]
@@ -91,8 +91,11 @@ type = "query"
 
 query = '''
 event.dataset: "azure.identity_protection" and
-    event.action: "User Risk Detection" and
-    azure.identityprotection.properties.activity: "user"
+    event.action: ("User Risk Detection" or "Risky user") and
+    azure.identityprotection.properties.activity: "user" and
+    not azure.identityprotection.properties.risk_state: (
+        "remediated" or "dismissed" or "confirmedSafe"
+    )
 '''