
Summary
This rule detects a sequence of events in which a Microsoft Entra ID protection alert is followed by an attempt by the same user principal to register a new device. Such behavior could indicate an unauthorized attempt to register a device using a compromised account, which could grant an adversary access to sensitive resources. The detection uses Event Query Language (EQL) to analyze logs from Azure's identity protection and audit logs, focusing on alerts with a risk score of 73 and a high severity level. The rule also includes specific notes for investigation, potential false positive analysis, and remediation steps in case of confirmed suspicious behavior. The intent of this rule is to raise awareness of identity and access management issues and to enable organizations to respond effectively to possible account compromises.
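The correlation the summary describes (an identity protection alert, then a device registration by the same user principal within a bounded time span) can be illustrated outside of Elastic. The following is an added Python example written for this page, not the rule's own EQL query or any Elastic code; the event layout, field names (ts, source, action, user, risk_level), the "Add device" action string and the 30-minute window are assumptions chosen for the illustration, and the events are constructed sample data, not real telemetry. It shows the behaviour an EQL "sequence by user with maxspan" expresses: a match only when the alert precedes the registration, within the window, and the alert is high severity.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). Field names are assumptions
# for this example; the real rule reads Azure identity protection and audit logs
# with their own schema.
SAMPLE_EVENTS = [
    # alice: high-risk alert, then a device registration 12 minutes later -> match
    {"ts": "2025-04-30T08:00:00Z", "source": "identity_protection",
     "action": "riskDetection", "user": "alice@example.com", "risk_level": "high"},
    {"ts": "2025-04-30T08:12:00Z", "source": "audit_logs",
     "action": "Add device", "user": "alice@example.com"},
    # bob: device registration with no preceding alert -> no match
    {"ts": "2025-04-30T08:20:00Z", "source": "audit_logs",
     "action": "Add device", "user": "bob@example.com"},
    # carol: alert, but the registration comes 3 hours later -> outside the window
    {"ts": "2025-04-30T09:00:00Z", "source": "identity_protection",
     "action": "riskDetection", "user": "carol@example.com", "risk_level": "high"},
    {"ts": "2025-04-30T12:00:00Z", "source": "audit_logs",
     "action": "Add device", "user": "carol@example.com"},
    # dave: registration first, alert afterwards -> wrong order, no match
    {"ts": "2025-04-30T13:00:00Z", "source": "audit_logs",
     "action": "Add device", "user": "dave@example.com"},
    {"ts": "2025-04-30T13:05:00Z", "source": "identity_protection",
     "action": "riskDetection", "user": "dave@example.com", "risk_level": "high"},
    # erin: low-risk alert then registration -> dropped by the severity filter
    {"ts": "2025-04-30T14:00:00Z", "source": "identity_protection",
     "action": "riskDetection", "user": "erin@example.com", "risk_level": "low"},
    {"ts": "2025-04-30T14:03:00Z", "source": "audit_logs",
     "action": "Add device", "user": "erin@example.com"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_protection_alert(event):
    """First stage of the sequence: a high-severity identity protection alert."""
    return event["source"] == "identity_protection" and event.get("risk_level") == "high"


def is_device_registration(event):
    """Second stage of the sequence: a device registration in the audit log."""
    return event["source"] == "audit_logs" and event["action"] == "Add device"


def correlate(events, max_span=timedelta(minutes=30)):
    """Emulate 'sequence by user with maxspan=<max_span>' over the events.

    Events are processed in time order. The most recent qualifying alert per
    user is remembered; a later device registration by that user closes the
    sequence if it falls within max_span. An alert is consumed by the first
    registration that follows it, matched or expired, so one alert never pairs
    with several registrations.
    """
    pending = {}   # user -> timestamp of the most recent high-severity alert
    matches = []
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(event["ts"])
        user = event["user"]
        if is_protection_alert(event):
            pending[user] = ts
        elif is_device_registration(event) and user in pending:
            alert_ts = pending.pop(user)
            if ts - alert_ts <= max_span:
                matches.append({
                    "user": user,
                    "alert_ts": alert_ts.isoformat(),
                    "registration_ts": ts.isoformat(),
                    "technique": "T1098.005",  # Account Manipulation: Device Registration
                })
    return matches


def detect_sample():
    """Run the correlation over the constructed events with the default window."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for match in detect_sample():
        print(f"{match['user']}: alert {match['alert_ts']} -> "
              f"device registration {match['registration_ts']} ({match['technique']})")
```

Only alice produces a match with the default window: bob has no preceding alert, carol's registration falls outside the window, dave's events arrive in the wrong order, and erin's alert is not high severity. Widening max_span (for example to four hours) also surfaces carol, which is the tuning knob an analyst adjusts when reviewing false positives against the tenant's normal device-enrolment patterns.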
Categories
- Cloud
- Identity Management
- Azure
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
- Process
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.005
Created: 2025-04-30