diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
index 145fc4c95..9d467e9ed 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/04/29"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/09/08"
+updated_date = "2026/01/07"
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,10 @@ type = "query"
 query = '''
 event.dataset: "azure.identity_protection" and
 event.action: "User Risk Detection" and
-azure.identityprotection.properties.activity: "signin"
+azure.identityprotection.properties.activity: "signin" and
+not azure.identityprotection.properties.risk_state: (
+"remediated" or "dismissed" or "confirmedSafe"
+)
 '''
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
index 9e2598dbc..e70380965 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/06/02"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/09/08"
+updated_date = "2026/01/07"
 [rule]
 author = ["Elastic"]
@@ -91,8 +91,11 @@ type = "query"
 query = '''
 event.dataset: "azure.identity_protection" and
-event.action: "User Risk Detection" and
-azure.identityprotection.properties.activity: "user"
+event.action: ("User Risk Detection" or "Risky user") and
+azure.identityprotection.properties.activity: "user" and
+not azure.identityprotection.properties.risk_state: (
+"remediated" or "dismissed" or "confirmedSafe"
+)
 '''
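Review bot: The new `not azure.identityprotection.properties.risk_state: ("remediated" or "dismissed" or "confirmedSafe")` clause in the sign-in risk query, and the identical clause in the user risk query in the second file, will only suppress those states if the ingested value matches exactly — on a keyword-mapped field the comparison is case-sensitive, so the camelCase `confirmedSafe` needs to be confirmed against a sample event from the integration, since a mismatch would silently leave already-triaged detections alerting. Because a `not field:` clause is also true when the field is absent, events without `risk_state` still fire, which looks intended but is stated nowhere in either hunk. The user risk rule additionally widens `event.action` to `("User Risk Detection" or "Risky user")` while the sign-in rule keeps only `"User Risk Detection"`; if sign-in detections can also arrive under an alternate action name, the sign-in rule should mirror that widening. Neither hunk touches the rule's description or note, so I would add one line there such as `Detections whose risk state is remediated, dismissed or confirmedSafe are excluded so already-triaged risk does not re-alert.`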