
Multiple Microsoft Entra ID Protection Alerts by User Principal

Elastic Detection Rules

Summary
This detection rule identifies more than two Microsoft Entra ID Protection alerts associated with the same user principal within a short window (10 minutes). Entra ID Protection raises these alerts for suspicious sign-in activity that may indicate account compromise, such as risky sign-ins or sign-ins from unusual IP addresses. Monitoring for a burst of them lets security teams spot a potentially ongoing attack early and investigate and mitigate the risk of a compromised account.

The detection is written in EQL (Event Query Language) as a sequence keyed on the user principal, so that alerts firing in quick succession for one account are correlated into a single match. The rule queries Azure log sources and specifically targets the Microsoft Entra ID Protection logs, which record each identity protection alert. When multiple alerts match, investigators are prompted to verify the risk detection that raised each alert, validate whether the user activity is legitimate, and contact the account owner. Because such activity can lead to credential exposure or lateral movement within the environment, the rule's guidance lays out a structured incident response: restricting the account during the investigation, resetting credentials, and evaluating the scope of the incident.
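To make the correlation concrete, the following is an added example (not the Elastic rule's own EQL and not code from the Elastic project) that emulates a "sequence by user principal with maxspan=10m" match in plain Python over a handful of constructed alert records. The field names (`user_principal_name`, `risk_detection`), the sample users and timestamps, and the alert threshold are all assumptions made for illustration; the real rule's schema and threshold should be read from the rule source itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events standing in for Microsoft Entra ID Protection
# alerts after ingestion into a SIEM. Field names and values are assumed for
# illustration; they are NOT the Elastic rule's schema or real tenant data.
SAMPLE_EVENTS = [
    # alice: three alerts inside ~7 minutes -> should match
    {"@timestamp": "2025-04-30T10:00:05Z", "user_principal_name": "alice@contoso.example",
     "risk_detection": "unfamiliarFeatures"},
    {"@timestamp": "2025-04-30T10:03:40Z", "user_principal_name": "alice@contoso.example",
     "risk_detection": "anonymizedIPAddress"},
    {"@timestamp": "2025-04-30T10:07:10Z", "user_principal_name": "alice@contoso.example",
     "risk_detection": "unlikelyTravel"},
    # bob: two alerts, but 25 minutes apart -> outside the 10-minute window
    {"@timestamp": "2025-04-30T11:00:00Z", "user_principal_name": "bob@contoso.example",
     "risk_detection": "unfamiliarFeatures"},
    {"@timestamp": "2025-04-30T11:25:00Z", "user_principal_name": "bob@contoso.example",
     "risk_detection": "anonymizedIPAddress"},
    # carol: a single alert -> never enough on its own
    {"@timestamp": "2025-04-30T12:00:00Z", "user_principal_name": "carol@contoso.example",
     "risk_detection": "leakedCredentials"},
    # event with no user principal: cannot be keyed, so it is ignored
    {"@timestamp": "2025-04-30T12:05:00Z", "user_principal_name": "",
     "risk_detection": "unfamiliarFeatures"},
]

WINDOW = timedelta(minutes=10)   # the summary's 10-minute span
MIN_ALERTS = 3                   # "more than two" alerts; assumed threshold


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_bursts(events, window=WINDOW, min_alerts=MIN_ALERTS):
    """Emulate 'sequence by user_principal_name with maxspan=window'.

    Alerts are grouped per user principal and sorted by time. A sliding
    window then looks for the first run of at least `min_alerts` alerts whose
    first and last timestamps are no more than `window` apart. Returns a dict
    of user principal -> list of risk detections that made up the burst.
    """
    by_user = defaultdict(list)
    for event in events:
        upn = event.get("user_principal_name")
        if not upn:
            continue  # unkeyed events cannot be correlated to a principal
        by_user[upn].append((parse_ts(event["@timestamp"]), event["risk_detection"]))

    hits = {}
    for upn, alerts in by_user.items():
        alerts.sort()
        start = 0
        for end in range(len(alerts)):
            # advance the left edge until the span constraint holds again
            while alerts[end][0] - alerts[start][0] > window:
                start += 1
            if end - start + 1 >= min_alerts:
                hits[upn] = [detection for _, detection in alerts[start:end + 1]]
                break  # report the first qualifying burst for this principal
    return hits


if __name__ == "__main__":
    for upn, detections in find_bursts(SAMPLE_EVENTS).items():
        print(f"{upn}: {len(detections)} alerts within {WINDOW}: {detections}")
```

Running it reports only `alice@contoso.example`, with the three risk detections an analyst would then verify one by one; `bob@contoso.example` is dropped because the span constraint is not met, which is the same behaviour a `maxspan` on an EQL sequence gives. Lowering `min_alerts` to 2 makes alice match on her first two alerts while bob still does not.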
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2025-04-30