
Azure Active Directory High Risk Sign-in

Splunk Security Content

Summary
This analytic detects high-risk sign-in attempts to Azure Active Directory (AAD) using the risk assessments produced by Azure Identity Protection. It searches the Azure Monitor AAD logs ingested through an Event Hub for records in the UserRiskEvents log category whose risk level is 'high'. Such a record means Identity Protection has judged the account likely compromised, so a hit should be handled as a potentially compromised account and investigated promptly; this is what makes the rule useful for catching unauthorized access before it turns into a data breach. The implementation requires an up-to-date Splunk Add-on for Microsoft Cloud Services and Azure AD log ingestion configured to forward the UserRiskEvents category. False positives are possible, given the nature of the risk algorithms Identity Protection uses; before escalating, confirm the risk event type and source address against what is known about the user, since benign changes such as travel, a new device or a new VPN egress point can also raise a user's risk level.
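The detection logic described above, reduced to its two conditions (category equals UserRiskEvents, risk level equals high) and run over a handful of constructed Azure Monitor AAD log lines. This is an added illustration, not the Splunk Security Content search itself; the JSON field names (category, properties.riskLevel, properties.userPrincipalName, properties.riskEventType, properties.riskState, properties.ipAddress) are an assumption based on the Identity Protection risk-detection schema, and the sample records are made up.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample log lines, one JSON object per line, in the shape of
# Azure Monitor AAD records forwarded through an Event Hub. The field names
# are an assumption modelled on Identity Protection's risk-detection schema;
# the records themselves are invented for this example.
SAMPLE_LOG_LINES = [
    json.dumps({
        "time": "2024-11-14T08:12:03Z",
        "category": "UserRiskEvents",
        "operationName": "User Risk Detection",
        "properties": {
            "userPrincipalName": "alice@example.com",
            "riskLevel": "high",
            "riskState": "atRisk",
            "riskEventType": "leakedCredentials",
            "ipAddress": "203.0.113.10",
        },
    }),
    json.dumps({
        "time": "2024-11-14T08:15:40Z",
        "category": "UserRiskEvents",
        "operationName": "User Risk Detection",
        "properties": {
            "userPrincipalName": "bob@example.com",
            "riskLevel": "medium",          # below threshold: must not match
            "riskState": "atRisk",
            "riskEventType": "unfamiliarFeatures",
            "ipAddress": "198.51.100.7",
        },
    }),
    json.dumps({
        "time": "2024-11-14T08:20:11Z",
        "category": "SignInLogs",           # wrong category: must not match
        "operationName": "Sign-in activity",
        "properties": {
            "userPrincipalName": "carol@example.com",
            "riskLevelDuringSignIn": "high",
            "ipAddress": "192.0.2.55",
        },
    }),
    json.dumps({
        "time": "2024-11-14T08:25:59Z",
        "category": "UserRiskEvents",
        "operationName": "User Risk Detection",
        "properties": {
            "userPrincipalName": "dave@example.com",
            "riskLevel": "High",            # case differs: should still match
            "riskState": "atRisk",
            "riskEventType": "anonymizedIPAddress",
            "ipAddress": "203.0.113.99",
        },
    }),
    "{not valid json",                      # malformed line: skipped, not fatal
]


def parse_events(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse JSON log lines, skipping anything that is not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def is_high_risk_user_event(event: Dict[str, Any]) -> bool:
    """The detection's two conditions: UserRiskEvents category, 'high' risk level."""
    if event.get("category") != "UserRiskEvents":
        return False
    props = event.get("properties") or {}
    return str(props.get("riskLevel", "")).lower() == "high"


def detect_high_risk_sign_ins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per matching record, with the fields a responder needs."""
    findings = []
    for ev in parse_events(lines):
        if not is_high_risk_user_event(ev):
            continue
        props = ev.get("properties") or {}
        findings.append({
            "time": ev.get("time", ""),
            "user": props.get("userPrincipalName", ""),
            "src_ip": props.get("ipAddress", ""),
            "risk_event_type": props.get("riskEventType", ""),
            "risk_state": props.get("riskState", ""),
        })
    return findings


if __name__ == "__main__":
    for f in detect_high_risk_sign_ins(SAMPLE_LOG_LINES):
        print(f"{f['time']} {f['user']} from {f['src_ip']}: "
              f"{f['risk_event_type']} ({f['risk_state']})")
```

Only the first and fourth records match: the medium-risk record and the SignInLogs record with its own riskLevelDuringSignIn field are excluded, and the malformed line is dropped rather than aborting the run. Keeping riskEventType and riskState in the finding gives the analyst the context needed to triage the false-positive cases mentioned above without a second query.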
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
Created: 2024-11-14