This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Ingest Entra ID Identity Protection Alerts into SIEM

Posted on 09-10-2024 04:36 AM
RobinK
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi everyone,

Does anyone has experience in ingesting Entra ID Identity Protection Alerts (IdentityRiskEvent and IdentityRiskyUser) into SecOps SIEM? I only found the log type "MICROSOFT_IDENTITY_PROTECTION", which unfortunately does not have a parser and the integration in SecOps SOAR called "Azure AD Identity Protection". 

Am I able to see those events through the Feed "Microsoft Graph Security API alert"? I am currently trying to set this feed up.

Thanks in advance.

Solved Solved
0 4 587
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
RobinK
Bronze 2
Bronze 2
In response to dnehoda
Reply posted on --/--/---- --:-- AM

Yes, it seems that "Entra ID Identity Protection" is not available via "Microsoft Graph Security API", when I look at the MS documentation.

Do you have any preferred way to ingest data from an API into SecOps SIEM, for which there is no 3rd-party-API Feed?

Thank you, Robin

View solution in original post

Jump to Solution
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

Hello Robin, 

A teammate of mine has written a 3 blog series for this.   There's also another about Graph API below.   

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and...

https://www.googlecloudcommunity.com/gc/Community-Blog/Gaining-Greater-Visibility-with-Microsoft-Gra...

 

Jump to Solution

Posted on --/--/---- --:-- AM
RobinK
Bronze 2
Bronze 2
In response to dnehoda
Reply posted on --/--/---- --:-- AM

Hello dnehoda,

Thank you for sharing these blogs with me. They were interesting to read. Unfortunately they are both not quite what I was looking for, even though they target topics close to what I need.

We already have the Entra ID Feeds in use. In my case I am looking for "Entra ID Identity Protection", but it seems that there is no parser built for yet.

The second blog is about "Microsoft Graph API Activity Logs", wheras I was looking for "Microsoft Graph Security API Alerts". Does someone has any information about, if one can access "Entra ID Identity Protection" logs via this "Microsoft Graph Security API Alerts"?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dnehoda
Staff
In response to RobinK
Reply posted on --/--/---- --:-- AM
Okay great! Graph will only give you alerts - but not sure which products
are all exposed with that. Sounds like a MS question.

If your logs are coming into SecOps raw, you could build an extension.

Thank you,
DN
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
RobinK
Bronze 2
Bronze 2
In response to dnehoda
Reply posted on --/--/---- --:-- AM

Yes, it seems that "Entra ID Identity Protection" is not available via "Microsoft Graph Security API", when I look at the MS documentation.

Do you have any preferred way to ingest data from an API into SecOps SIEM, for which there is no 3rd-party-API Feed?

Thank you, Robin

Jump to Solution
0 Likes
Top Solution Authors
View all