diff --git a/api-reference/beta/resources/riskdetection.md b/api-reference/beta/resources/riskdetection.md
index a67e47acc32..50227f9827f 100644
--- a/api-reference/beta/resources/riskdetection.md
+++ b/api-reference/beta/resources/riskdetection.md
@@ -43,7 +43,7 @@ For more information about risk detection, see [Microsoft Entra ID Protection](/
|lastUpdatedDateTime|DateTimeOffset|Date and time that the risk detection was last updated. |
|location|[signInLocation](signinlocation.md)|Location of the sign-in. |
|requestId|string|Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.|
-|riskEventType|String|The type of risk event detected. The possible values are `adminConfirmedUserCompromised`, `anomalousUserActivity`, `anonymizedIPAddress`, `generic`, `investigationsThreatIntelligence`, `investigationsThreatIntelligenceSigninLinked`,`leakedCredentials`, `maliciousIPAddress`, `maliciousIPAddressValidCredentialsBlockedIP`, `malwareInfectedIPAddress`, `mcasImpossibleTravel`, `mcasSuspiciousInboxManipulationRules`, `suspiciousAPITraffic`, `suspiciousIPAddress`, `unfamiliarFeatures`, `unlikelyTravel`, `userReportedSuspiciousActivity`.
For more information about each value, see [Risk types and detection](/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection).|
+|riskEventType|String|The type of risk event detected. The possible values are `adminConfirmedUserCompromised`, `anomalousUserActivity`, `anonymizedIPAddress`, `generic`, `investigationsThreatIntelligence`, `investigationsThreatIntelligenceSigninLinked`,`leakedCredentials`, `maliciousIPAddress`, `maliciousIPAddressValidCredentialsBlockedIP`, `malwareInfectedIPAddress`, `mcasImpossibleTravel`, `mcasSuspiciousInboxManipulationRules`, `suspiciousAPITraffic`, `suspiciousIPAddress`, `suspiciousSendingPatterns`, `unfamiliarFeatures`, `unlikelyTravel`, `userReportedSuspiciousActivity`.
For more information about each value, see [Risk types and detection](/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection).|
|riskDetail|riskDetail|Details of the detected risk. The possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`, `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`. Note that you must use the `Prefer: include - unknown -enum-members` request header to get the following value(s) in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `adminConfirmedServicePrincipalCompromised` , `adminDismissedAllRiskForServicePrincipal` , `m365DAdminDismissedDetection`.
**Note:** Details for this property are only available for Microsoft Entra ID P2 customers. P1 customers will be returned `hidden`.|
|riskLevel|riskLevel|Level of the detected risk. The possible values are `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
**Note:** Details for this property are only available for Microsoft Entra ID P2 customers. P1 customers will be returned `hidden`.|
|riskState|riskState|The state of a detected risky user or sign-in. The possible values are `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, and `unknownFutureValue`. |
diff --git a/api-reference/v1.0/resources/riskdetection.md b/api-reference/v1.0/resources/riskdetection.md
index d160e3c4d43..d379607d715 100644
--- a/api-reference/v1.0/resources/riskdetection.md
+++ b/api-reference/v1.0/resources/riskdetection.md
@@ -42,7 +42,7 @@ For more information about risk detection, see [Microsoft Entra ID Protection](/
|location|[signInLocation](../resources/signinlocation.md)|Location of the sign-in.|
|requestId|String|Request ID of the sign-in associated with the risk detection. This property is `null` if the risk detection is not associated with a sign-in.|
|riskDetail|riskDetail|Details of the detected risk. The possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`, `m365DAdminDismissedDetection`. Note that you must use the `Prefer: include - unknown -enum-members` request header to get the following value(s) in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `m365DAdminDismissedDetection`.|
-|riskEventType|String|The type of risk event detected. The possible values are `adminConfirmedUserCompromised`, `anomalousToken`, `anomalousUserActivity`, `anonymizedIPAddress`, `generic`, `impossibleTravel`, `investigationsThreatIntelligence`, `leakedCredentials`, `maliciousIPAddress`,`malwareInfectedIPAddress`, `mcasSuspiciousInboxManipulationRules`, `newCountry`, `passwordSpray`,`riskyIPAddress`, `suspiciousAPITraffic`, `suspiciousBrowser`,`suspiciousInboxForwarding`, `suspiciousIPAddress`, `tokenIssuerAnomaly`, `unfamiliarFeatures`, `unlikelyTravel`. If the risk detection is a premium detection, will show `generic`.
For more information about each value, see [Risk types and detection](/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection).|
+|riskEventType|String|The type of risk event detected. The possible values are `adminConfirmedUserCompromised`, `anomalousToken`, `anomalousUserActivity`, `anonymizedIPAddress`, `generic`, `impossibleTravel`, `investigationsThreatIntelligence`, `leakedCredentials`, `maliciousIPAddress`,`malwareInfectedIPAddress`, `mcasSuspiciousInboxManipulationRules`, `newCountry`, `passwordSpray`,`riskyIPAddress`, `suspiciousAPITraffic`, `suspiciousBrowser`,`suspiciousInboxForwarding`, `suspiciousIPAddress`, `suspiciousSendingPatterns`, `tokenIssuerAnomaly`, `unfamiliarFeatures`, `unlikelyTravel`. If the risk detection is a premium detection, will show `generic`.
For more information about each value, see [Risk types and detection](/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection).|
|riskLevel|riskLevel|Level of the detected risk. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.|
|riskState|riskState|The state of a detected risky user or sign-in. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`.|
|source|String|Source of the risk detection. For example, `activeDirectory`. |
diff --git a/changelog/Microsoft.IdentityProtectionServices.json b/changelog/Microsoft.IdentityProtectionServices.json
index ec430ff2fb4..2dc9149accf 100644
--- a/changelog/Microsoft.IdentityProtectionServices.json
+++ b/changelog/Microsoft.IdentityProtectionServices.json
@@ -1,5 +1,35 @@
{
"changelog": [
+ {
+ "ChangeList": [
+ {
+ "ApiChange": "Property",
+ "ChangedApiName": "riskEventType",
+ "ChangeType": "Addition",
+ "Description": "Added `suspiciousSendingPatterns` as one of the possible values for the **riskEventType** property of the [riskDetection](https://learn.microsoft.com/graph/api/resources/riskdetection?view=graph-rest-beta) resource.",
+ "Target": "riskDetection"
+ }
+ ],
+ "Cloud": "Prod",
+ "Version": "beta",
+ "WorkloadArea": "Identity and access",
+ "SubArea": "Identity and sign-in"
+ },
+ {
+ "ChangeList": [
+ {
+ "ApiChange": "Property",
+ "ChangedApiName": "riskEventType",
+ "ChangeType": "Addition",
+ "Description": "Added `suspiciousSendingPatterns` as one of the possible values for the **riskEventType** property of the [riskDetection](https://learn.microsoft.com/graph/api/resources/riskdetection?view=graph-rest-1.0) resource.",
+ "Target": "riskDetection"
+ }
+ ],
+ "Cloud": "Prod",
+ "Version": "v1.0",
+ "WorkloadArea": "Identity and access",
+ "SubArea": "Identity and sign-in"
+ },
{
"ChangeList": [
{