From 7b4611713b5745cc1a29e6ea59ee65df7925ffb2 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Fri, 9 Jan 2026 11:27:52 -0500
Subject: [PATCH] [Rule Tuning] Entra ID Protection Sign-in and User Risk Detection Rules - Filter Remediated Risk States (#5535)

Fixes #5534

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...access_entra_id_protection_sign_in_risk_detected.toml | 7 +++++--
 ...al_access_entra_id_protection_user_risk_detected.toml | 9 ++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
index 145fc4c95..9d467e9ed 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/04/29"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/09/08"
+updated_date = "2026/01/07"
 
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,10 @@ type = "query"
 query = '''
 event.dataset: "azure.identity_protection" and
 event.action: "User Risk Detection" and
- azure.identityprotection.properties.activity: "signin"
+ azure.identityprotection.properties.activity: "signin" and
+ not azure.identityprotection.properties.risk_state: (
+ "remediated" or "dismissed" or "confirmedSafe"
+ )
 '''
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
index 9e2598dbc..e70380965 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
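Review bot: The new `risk_state` exclusion in the sign-in query makes alert coverage depend on an administrative action: `dismissed` and `confirmedSafe` are states an operator sets in Identity Protection, so a risky sign-in that a compromised or hasty admin dismisses before the rule evaluates it produces no alert, and nothing in the commit records that trade-off for analysts. The same clause is added to the user-risk rule in the second file, so the point applies there too. Consider stating it in the rule's `note` or `false_positives` text (outside this hunk), e.g. `Detections in the remediated, dismissed or confirmedSafe risk states are excluded; dismissal is an administrative action and should itself be reviewed`. Because `not field: (...)` also matches events where `risk_state` is absent, those still alert, which looks intentional but deserves a word in the same note. The `[rule]` table continues beyond the hunk.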
@@ -3,7 +3,7 @@ creation_date = "2025/06/02"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/09/08"
+updated_date = "2026/01/07"
 
 [rule]
 author = ["Elastic"]
@@ -91,8 +91,11 @@ type = "query"
 query = '''
 event.dataset: "azure.identity_protection" and
- event.action: "User Risk Detection" and
- azure.identityprotection.properties.activity: "user"
+ event.action: ("User Risk Detection" or "Risky user") and
+ azure.identityprotection.properties.activity: "user" and
+ not azure.identityprotection.properties.risk_state: (
+ "remediated" or "dismissed" or "confirmedSafe"
+ )
 '''
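Review bot: Widening `event.action` to `("User Risk Detection" or "Risky user")` in the user-risk query is a scope change that neither the commit subject nor the description mentions, so the reason `Risky user` events are now matched is undocumented. Whether those events also carry `azure.identityprotection.properties.activity: "user"` is not evident from the hunk; if they use a different value the new alternative would match nothing, so this is worth confirming against sample data before merge. Record the outcome in the rule `note` (outside the hunk) with a sentence naming which `event.action` values the integration emits for user risk and why both are matched. The `[rule]` table continues beyond the hunk.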