
Summary
This detection rule identifies instances where an administrator has manually confirmed a user account or a sign-in as compromised in Microsoft Entra ID Protection. Because the confirmation is made by a human reviewer with the authority to make that call, it is a definitive, high-confidence indicator of compromise: investigation and remediation should begin immediately to secure the affected account and assess what the attacker may have reached. The rule runs over Azure identity protection logs collected by the Azure integration and uses KQL to match the risk detail values that record an administrator's confirmation, at either the sign-in level or the user account level. The main source of false positives is security testing, where accounts are deliberately marked as compromised; tune the rule with exceptions for known test accounts rather than disabling it. The rule matters for identity and access monitoring in cloud environments, and a confirmed compromise should feed a defined incident response process rather than an ad hoc one.
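The check the rule performs is simple enough to replay outside Kibana. The following is an added example, not the rule's own KQL or any code from the rule author: it filters constructed identity protection events for the two risk detail values that Microsoft Entra ID Protection records when an administrator confirms compromise (adminConfirmedSigninCompromised for a sign-in, adminConfirmedUserCompromised for a user), and applies an exception list for the security-testing false positive the summary describes. The field paths (azure.identityprotection.properties.risk_detail and user_principal_name) and the sample events are assumptions made for illustration.

```python
"""Replay of the admin-confirmed-compromise check over constructed events."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# riskDetail values that Entra ID Protection sets when an administrator
# confirms compromise. Other values such as adminConfirmedSigninSafe or
# adminDismissedAllRiskForUser must NOT match.
ADMIN_CONFIRMED_COMPROMISED = {
    "adminConfirmedSigninCompromised",  # sign-in level
    "adminConfirmedUserCompromised",    # user account level
}

DATASET = "azure.identity_protection"   # assumed event.dataset value


@dataclass
class Match:
    user: str
    level: str        # "sign-in" or "user"
    detail: str
    timestamp: str


def risk_detail(event: dict) -> Optional[str]:
    """Return the risk_detail field, or None if the event lacks it.

    The nested path is an assumption about how the integration maps the
    Entra riskDetail property; adjust to match your index mapping.
    """
    try:
        return event["azure"]["identityprotection"]["properties"]["risk_detail"]
    except KeyError:
        return None


def detect(events: Iterable[dict],
           test_accounts: FrozenSet[str] = frozenset()) -> List[Match]:
    """Return one Match per admin-confirmed compromise.

    test_accounts is the tuning exception: UPNs (lower-cased) that are
    deliberately marked compromised during security testing.
    """
    hits: List[Match] = []
    for ev in events:
        if ev.get("event", {}).get("dataset") != DATASET:
            continue
        detail = risk_detail(ev)
        if detail not in ADMIN_CONFIRMED_COMPROMISED:
            continue
        props = ev["azure"]["identityprotection"]["properties"]
        user = props.get("user_principal_name", "<unknown>")
        if user.lower() in test_accounts:
            continue  # known test account; tuned out, not a real compromise
        level = "sign-in" if detail == "adminConfirmedSigninCompromised" else "user"
        hits.append(Match(user=user, level=level, detail=detail,
                          timestamp=ev.get("@timestamp", "")))
    return hits


def _ev(ts: str, upn: str, detail: str, dataset: str = DATASET) -> dict:
    """Build a constructed sample event in the assumed ECS-style shape."""
    return {
        "@timestamp": ts,
        "event": {"dataset": dataset},
        "azure": {"identityprotection": {"properties": {
            "user_principal_name": upn,
            "risk_detail": detail,
        }}},
    }


# Constructed sample data: two real confirmations, one test-account
# confirmation, one "confirmed safe" decision, and one event from a
# different dataset that happens to carry the same value.
SAMPLE_EVENTS = [
    _ev("2025-10-06T08:01:00Z", "alice@example.com", "adminConfirmedUserCompromised"),
    _ev("2025-10-06T08:02:00Z", "bob@example.com", "adminConfirmedSigninCompromised"),
    _ev("2025-10-06T08:03:00Z", "redteam@example.com", "adminConfirmedUserCompromised"),
    _ev("2025-10-06T08:04:00Z", "carol@example.com", "adminConfirmedSigninSafe"),
    _ev("2025-10-06T08:05:00Z", "dave@example.com", "adminConfirmedUserCompromised",
        dataset="azure.signinlogs"),
]

if __name__ == "__main__":
    for m in detect(SAMPLE_EVENTS, frozenset({"redteam@example.com"})):
        print(f"{m.timestamp} {m.user}: admin confirmed {m.level} compromised")
```

Run without the exception set and the red-team account fires too, which is exactly the false positive the summary warns about; the exception list is the tuning knob, and the dataset check keeps the same riskDetail string in other Azure logs from triggering the rule.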
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- User Account
- Web Credential
- Application Log
- Logon Session
ATT&CK Techniques
- T1078
- T1078.004
Created: 2025-10-06