[New Rule] Entra ID Protection Admin Confirmed Compromise (#5186)

*Issue link(s)*:
* #5185

<!--
  Add Related Issues / PRs for context. Eg:
    Related to elastic/repo#999
    Resolves #123
  If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->

## Summary - What I changed
Adds a specific detection rule for admin confirmed compromise by Entra ID protection. Relates to BBR rule `Microsoft Entra ID Protection - Risk Detections`. Please see related issue for more details.

<!--
  Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->

## How To Test
Query can be used in TRADE serverless stack.

<!--
  Some examples of what you could include here are:
  * Links to GitHub action results for CI test improvements
  * Sample data before/after screenshots (or short videos showing how something works)
  * Copy/pasted commands and output from the testing you did in your local terminal window
  * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
  * Query used in your stack to verify the change
-->

## Checklist

<!-- Delete any items that are not applicable to this PR. -->

- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation

## Contributor checklist

- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?

Author: terrancedejesus

rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml

@@ -0,0 +1,146 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an administrator has manually confirmed a user or sign-in as compromised in Microsoft Entra ID
+Protection. This indicates that an administrator has reviewed the risk detection and determined that the user account or
+sign-in activity is definitively compromised. This is a high-confidence indicator of account compromise and should be
+investigated immediately.
+"""
+false_positives = [
+    """
+    Administrators may mark accounts as compromised during security testing or incident response exercises. If this is
+    expected behavior in your environment, consider adjusting the rule or adding exceptions for specific test accounts.
+    """,
+]
+from = "now-9m"
+index = ["logs-azure.identity_protection-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID Protection Admin Confirmed Compromise"
+note = """## Triage and analysis
+
+This rule detects when an administrator has manually confirmed a user or sign-in as compromised in Microsoft Entra ID Protection. This is a critical security event that requires immediate investigation and response.
+
+### Possible investigation steps
+
+- Review the `azure.identityprotection.properties.risk_detail` field to determine if the compromise was confirmed at the sign-in level (`adminConfirmedSigninCompromised`) or user level (`adminConfirmedUserCompromised`).
+- Check the `azure.identityprotection.properties.user_principal_name` field to identify the compromised user account.
+- Review the `azure.identityprotection.properties.user_display_name` field for additional user identification information.
+- Examine the `azure.identityprotection.properties.risk_level` field to understand the severity level assigned to the risk event.
+- Check the `azure.identityprotection.properties.risk_state` field to verify the current state of the risk (should be confirmed as compromised).
+- Review the `azure.correlation_id` field to correlate this event with other related security events, including the original risk detections that led to the admin confirmation.
+- Investigate the timeline of events leading up to the admin confirmation by reviewing Entra ID sign-in logs and audit logs for the affected user.
+- Check for any suspicious activities associated with the user account, including:
+    - Unusual sign-in locations or IP addresses
+    - Access to sensitive resources or applications
+    - Changes to user profile, permissions, or MFA settings
+    - Bulk email sending or data exfiltration activities
+- Review the `azure.identityprotection.properties.additional_info` field for any additional context provided by the administrator or Entra ID Protection.
+- Identify which administrator confirmed the compromise by reviewing Entra ID audit logs for risk state changes.
+
+### False positive analysis
+
+- Security testing or penetration testing exercises may result in administrators confirming test accounts as compromised. If this is expected behavior, consider excluding specific test accounts or implementing a testing account naming convention to filter.
+- Incident response drills or tabletop exercises may involve marking accounts as compromised for training purposes. Coordinate with security teams to identify planned exercises.
+
+### Response and remediation
+
+- Immediately reset the password for the compromised user account and require the user to set a new password upon next sign-in.
+- Revoke all active sessions and authentication tokens for the compromised account, including:
+    - Primary refresh tokens (PRTs)
+    - OAuth tokens
+    - Session cookies
+    - Application-specific passwords
+- Review and revoke any suspicious OAuth consent grants or application permissions added by the compromised account.
+- Enable or enforce multi-factor authentication (MFA) for the affected user account if not already enabled.
+- Review all activities performed by the compromised account, including:
+    - Email forwarding rules or inbox rules
+    - File access and downloads
+    - Changes to security settings or permissions
+    - Creation of new users or service principals
+- Assess the scope of the compromise by identifying any lateral movement or privilege escalation activities.
+- Consider disabling the account temporarily until the investigation is complete and all remediation steps are verified.
+- Implement conditional access policies to prevent future compromises, such as requiring MFA from untrusted locations or blocking legacy authentication.
+- Review and strengthen identity protection policies and risk-based conditional access rules.
+- Document the incident, including the timeline, scope of compromise, and remediation actions taken.
+- Conduct a post-incident review to identify gaps in security controls and implement improvements to prevent similar incidents.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk",
+    "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
+    "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection",
+]
+risk_score = 99
+rule_id = "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890"
+setup = """#### Required Microsoft Entra ID Protection Logs
+To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.
+"""
+severity = "critical"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Entra ID",
+    "Data Source: Entra ID Protection Logs",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: azure.identity_protection and
+    azure.identityprotection.properties.risk_detail: (
+        "adminConfirmedSigninCompromised" or
+        "adminConfirmedUserCompromised"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "event.action",
+    "azure.identityprotection.properties.risk_detail",
+    "azure.identityprotection.properties.risk_level",
+    "azure.identityprotection.properties.risk_state",
+    "azure.identityprotection.properties.risk_event_type",
+    "azure.identityprotection.properties.risk_type",
+    "azure.identityprotection.properties.user_principal_name",
+    "azure.identityprotection.properties.user_display_name",
+    "azure.identityprotection.properties.user_id",
+    "azure.identityprotection.properties.ip_address",
+    "azure.identityprotection.properties.activity",
+    "azure.identityprotection.properties.additional_info",
+    "azure.identityprotection.properties.correlation_id",
+    "azure.correlation_id",
+    "source.ip",
+]
+
+