Ingest Entra ID Identity Protection Alerts into SIEM

Hi everyone,

Does anyone have experience ingesting Entra ID Identity Protection alerts (IdentityRiskEvent and IdentityRiskyUser) into SecOps SIEM? I only found the log type "MICROSOFT_IDENTITY_PROTECTION", which unfortunately does not have a parser, and the SecOps SOAR integration called "Azure AD Identity Protection".

Am I able to see those events through the Feed "Microsoft Graph Security API alert"? I am currently trying to set this feed up.

Thanks in advance.


Hello dnehoda,

Thank you for sharing these blogs with me. They were interesting to read. Unfortunately, neither of them is quite what I was looking for, even though they cover topics close to what I need.

We already have the Entra ID feeds in use. In my case I am looking for "Entra ID Identity Protection", but it seems that there is no parser built for it yet.

The second blog is about "Microsoft Graph API Activity Logs", whereas I was looking for "Microsoft Graph Security API Alerts". Does anyone have any information about whether one can access "Entra ID Identity Protection" logs via these "Microsoft Graph Security API Alerts"?

Okay great! Graph will only give you alerts, but I'm not sure which products are all exposed through that. Sounds like an MS question.

If your logs are coming into SecOps raw, you could build an extension.

Thank you,
DN

Yes, it seems that "Entra ID Identity Protection" is not available via "Microsoft Graph Security API", when I look at the MS documentation.

Do you have any preferred way to ingest data from an API into SecOps SIEM for which there is no third-party API feed?

Thank you, Robin
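The question the thread ends on (getting API data into SecOps SIEM when no feed exists) is usually answered with a small collector that pulls from the source API and pushes raw logs to the SecOps ingestion API. The script below is an added example written for this page; it is not code from any poster, from Google, or from Microsoft. It assumes: the Microsoft Graph v1.0 `identityProtection/riskDetections` endpoint read with the `IdentityRiskEvent.Read.All` application permission and paged via `@odata.nextLink`; that `$filter` on `detectedDateTime` is usable for incremental pulls (confirm in the Graph riskDetection docs); the legacy SecOps (Chronicle) ingestion endpoint `unstructuredlogentries:batchCreate` taking `customer_id`, `log_type` and `entries[]` with `log_text` and `ts_rfc3339`; and the log type `MICROSOFT_IDENTITY_PROTECTION` named in the thread, which has no default parser, so the raw JSON lands unparsed until a custom parser or parser extension is built. Token acquisition is left outside the script, and the sample Graph pages are constructed, not real tenant output.

```python
"""Collector: Entra ID Identity Protection risk detections (Microsoft Graph) -> Google SecOps SIEM.
Added example for this thread, not vendor code.  Assumptions, to verify against current docs:
  * Graph: GET .../v1.0/identityProtection/riskDetections (app permission IdentityRiskEvent.Read.All),
    paged via @odata.nextLink; $filter on detectedDateTime assumed usable for incremental pulls.
  * SecOps legacy ingestion API: POST .../v2/unstructuredlogentries:batchCreate with
    {"customer_id", "log_type", "entries": [{"log_text", "ts_rfc3339"}]}.
  * Log type MICROSOFT_IDENTITY_PROTECTION has no default parser, so entries land raw.
"""
import json
import urllib.request
from datetime import datetime
from typing import Callable, Iterable, Iterator, Optional

GRAPH_RISK_DETECTIONS = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
INGEST_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"
LOG_TYPE = "MICROSOFT_IDENTITY_PROTECTION"
MAX_ENTRIES_PER_BATCH = 1000  # assumed cap; keeps each request body small

Fetch = Callable[[str], dict]        # GET url -> parsed JSON body (injected so tests run offline)
Post = Callable[[str, dict], None]   # POST url, body


def http_json(bearer_token: str, url: str, body: Optional[dict] = None) -> dict:
    """GET (body None) or POST JSON with a bearer token.  Graph and the ingestion API each need
    their own token from their own issuer; acquiring them (e.g. MSAL, google-auth) is out of scope."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="GET" if data is None else "POST",
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def iter_graph_pages(fetch: Fetch, url: str) -> Iterator[dict]:
    """Follow @odata.nextLink until exhausted, yielding each riskDetection object."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def detection_to_entry(det: dict) -> dict:
    """One riskDetection -> one unstructured log entry.  The whole object is kept as the raw
    log line so a later custom parser can use every field; event time is detectedDateTime."""
    ts = det.get("detectedDateTime") or det.get("lastUpdatedDateTime")
    if not ts:
        raise ValueError(f"riskDetection {det.get('id')!r} has no usable timestamp")
    return {"log_text": json.dumps(det, separators=(",", ":"), sort_keys=True), "ts_rfc3339": ts}


def build_batches(entries: Iterable[dict], customer_id: str, log_type: str = LOG_TYPE,
                  max_entries: int = MAX_ENTRIES_PER_BATCH) -> list:
    """Chunk entries into batchCreate request bodies."""
    entries = list(entries)
    return [{"customer_id": customer_id, "log_type": log_type, "entries": entries[i:i + max_entries]}
            for i in range(0, len(entries), max_entries)]


def sync(fetch: Fetch, post: Post, customer_id: str, since_iso: str) -> tuple:
    """Ship every detection newer than since_iso; return (count, new high-water mark).
    Persist the watermark between runs so nothing is re-ingested."""
    url = f"{GRAPH_RISK_DETECTIONS}?$filter=detectedDateTime ge {since_iso}&$top=500"
    entries = [detection_to_entry(d) for d in iter_graph_pages(fetch, url)]
    for body in build_batches(entries, customer_id):
        post(INGEST_URL, body)
    newest = max((e["ts_rfc3339"] for e in entries), default=since_iso,
                 key=lambda t: datetime.fromisoformat(t.replace("Z", "+00:00")))
    return len(entries), newest


# Constructed sample pages (not real tenant output) so the pipeline can be exercised offline.
SAMPLE_PAGES = {
    f"{GRAPH_RISK_DETECTIONS}?$filter=detectedDateTime ge 2024-05-01T00:00:00Z&$top=500": {
        "value": [{"id": "det-1", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
                   "riskState": "atRisk", "detectedDateTime": "2024-05-01T10:00:00Z",
                   "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5"}],
        "@odata.nextLink": f"{GRAPH_RISK_DETECTIONS}?$skiptoken=page2",
    },
    f"{GRAPH_RISK_DETECTIONS}?$skiptoken=page2": {
        "value": [{"id": "det-2", "riskEventType": "unfamiliarFeatures", "riskLevel": "high",
                   "riskState": "atRisk", "detectedDateTime": "2024-05-01T11:30:00Z",
                   "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"}],
    },
}


def demo() -> tuple:
    """Run sync() over the constructed pages with a recording POST; returns (count, watermark, bodies)."""
    sent = []
    count, mark = sync(SAMPLE_PAGES.__getitem__, lambda _url, body: sent.append(body),
                       customer_id="00000000-0000-0000-0000-000000000000",
                       since_iso="2024-05-01T00:00:00Z")
    return count, mark, sent


if __name__ == "__main__":
    n, mark, bodies = demo()
    print(f"shipped {n} detections in {len(bodies)} batch(es); next watermark {mark}")
```

For production use, wire `fetch` and `post` to `http_json` with two separate tokens (a Graph app-only token scoped to the read-only Identity Protection permissions, and the SecOps ingestion service-account token), store the returned watermark between runs, and treat the Graph `id` field as the dedup key in your custom parser. The same pattern covers risky users by pointing the collector at `identityProtection/riskyUsers`; the raw JSON shape differs, so keep the two sources in separate runs rather than mixing them in one batch.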