What Changed
The CorrelateIPC_Unfamiliar-Atypical Analytic Rule was updated to version 1.0.9 with improved filtering logic for Microsoft Entra ID Protection alerts.
Detection Logic
The KQL query now extracts and parses the Comments field from atypical travel alerts, specifically filtering out events where the risk detail contains “admin”. The core logic correlates unfamiliar sign-in properties with atypical travel alerts within a configurable time window, but now excludes admin-initiated activities that would otherwise generate false positives.
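The following KQL is an added illustration of that correlation-plus-exclusion pattern, not the rule's own query from the Solutions folder. It builds the two alert sets inline with datatable so it runs in any Kusto environment without the connector. Everything about the data shape is assumed: that the user is read from the "User Account" key of ExtendedProperties, that Comments carries a JSON object with a riskDetail value, the sample user names and timestamps, and the 10-minute window standing in for the rule's configurable one.

```kql
// Added example: constructed SecurityAlert-like rows, not data from the rule or the connector.
// Assumed correlation window; the shipped rule exposes this as a configurable parameter.
let correlationWindowMinutes = 10;
// Constructed "Unfamiliar sign-in properties" alerts. The "User Account" key is an assumption.
let Unfamiliar = datatable(TimeGenerated:datetime, AlertName:string, ExtendedProperties:string)
[
    datetime(2024-05-01 10:00:00), "Unfamiliar sign-in properties", '{"User Account":"alice@contoso.example"}',
    datetime(2024-05-01 11:00:00), "Unfamiliar sign-in properties", '{"User Account":"bob@contoso.example"}',
    datetime(2024-05-01 12:00:00), "Unfamiliar sign-in properties", '{"User Account":"carol@contoso.example"}'
]
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties)["User Account"])
| project Alert1Time = TimeGenerated, Alert1 = AlertName, UserPrincipalName;
// Constructed "Atypical travel" alerts. Comments is assumed to hold a JSON object whose
// riskDetail value mirrors the Entra ID Protection riskDetail enumeration
// (values such as "none" or "adminConfirmedSigninSafe" are sample values).
let Atypical = datatable(TimeGenerated:datetime, AlertName:string, ExtendedProperties:string, Comments:string)
[
    // 4 minutes after alice's unfamiliar sign-in, no admin involvement: should correlate
    datetime(2024-05-01 10:04:00), "Atypical travel", '{"User Account":"alice@contoso.example"}', '{"riskDetail":"none"}',
    // 3 minutes after bob's, but an admin already confirmed the sign-in safe: dropped by the admin filter
    datetime(2024-05-01 11:03:00), "Atypical travel", '{"User Account":"bob@contoso.example"}', '{"riskDetail":"adminConfirmedSigninSafe"}',
    // 45 minutes after carol's, outside the window: dropped by the time check
    datetime(2024-05-01 12:45:00), "Atypical travel", '{"User Account":"carol@contoso.example"}', '{"riskDetail":"none"}'
]
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties)["User Account"])
| extend RiskDetail = tostring(parse_json(Comments).riskDetail)
// KQL 'contains' is case-insensitive, so "adminConfirmedSigninSafe" and
// "adminDismissedAllRiskForUser" are both excluded by the same substring test.
| where RiskDetail !contains "admin"
| project Alert2Time = TimeGenerated, Alert2 = AlertName, UserPrincipalName, RiskDetail;
// Correlate the two alert types per user and keep pairs that fall inside the window.
Unfamiliar
| join kind=inner Atypical on UserPrincipalName
| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <= correlationWindowMinutes
| project UserPrincipalName, Alert1, Alert1Time, Alert2, Alert2Time, RiskDetail
```

Two points worth checking before adapting this to a real workspace: the exclusion runs before the join, so an admin-annotated atypical travel alert never reaches the correlation at all, and the substring test deliberately catches every admin-prefixed riskDetail value rather than one literal, which is why a single case-insensitive contains is sufficient.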
Security Impact
This update reduces noise in SOC workflows by filtering out legitimate admin activities that trigger atypical travel alerts. Teams running this rule will see fewer false positives from administrative actions while keeping coverage for genuinely suspicious user behavior.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/IdentityInfo.json
Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
(packaging artefacts: 3.0.4.zip, ReleaseNotes.md, mainTemplate.json)