Hello Robin,
A teammate of mine has written a three-part blog series for this. There's also another about Graph API below.
https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775297
https://www.googlecloudcommunity.com/gc/Community-Blog/Gaining-Greater-Visibility-with-Microsoft-Graph-API-Activity/ba-p/726824
Hello dnehoda,
Thank you for sharing these blogs with me. They were interesting to read. Unfortunately they are both not quite what I was looking for, even though they target topics close to what I need.
We already have the Entra ID Feeds in use. In my case I am looking for "Entra ID Identity Protection", but it seems that there is no parser built for it yet.
The second blog is about "Microsoft Graph API Activity Logs", whereas I was looking for "Microsoft Graph Security API Alerts". Does anyone have any information about whether one can access "Entra ID Identity Protection" logs via this "Microsoft Graph Security API Alerts"?
Okay great! Graph will only give you alerts - but not sure which products are all exposed with that. Sounds like a MS question.
If your logs are coming into SecOps raw, you could build an extension.
Thank you,
DN
Yes, it seems that "Entra ID Identity Protection" is not available via "Microsoft Graph Security API", when I look at the MS documentation.
Do you have any preferred way to ingest data from an API into SecOps SIEM for which there is no 3rd-party API feed?
Thank you, Robin
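As an added illustration of the pattern the thread is circling (pull from an API that has no built-in feed, push the raw records into SecOps, and map them with your own parser extension), here is a small Python collector. It is example code written for this page, not code from the thread, from Google or from Microsoft. It assumes the public endpoints for Microsoft Graph Security API alerts (`/v1.0/security/alerts_v2`) and the Chronicle unstructured-log ingestion endpoint (`unstructuredlogentries:batchCreate`); the `LOG_TYPE` label and `CUSTOMER_ID` are placeholders you would replace with your own, and the bearer tokens are assumed to be obtained separately (Graph via the client-credentials flow with scope `https://graph.microsoft.com/.default`, SecOps via an OAuth token with scope `https://www.googleapis.com/auth/malachite-ingestion`). The HTTP functions are injectable so the module runs offline against constructed sample pages.

```python
"""Poll a paged OData API (Microsoft Graph Security API alerts) and forward each
record as a raw JSON line to the Google SecOps unstructured-log ingestion API,
so a custom parser extension can map the fields. Added example; not code from
the thread, Google or Microsoft. LOG_TYPE and CUSTOMER_ID are assumptions."""
import json
import urllib.parse
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"
SECOPS_URL = ("https://malachiteingestion-pa.googleapis.com"
              "/v2/unstructuredlogentries:batchCreate")
LOG_TYPE = "MS_GRAPH_SECURITY_ALERTS_CUSTOM"   # assumption: your own custom log type
CUSTOMER_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real id


def build_alert_url(since_iso):
    """Request only alerts newer than the stored high-water mark, oldest first."""
    params = {"$filter": f"createdDateTime gt {since_iso}",
              "$orderby": "createdDateTime", "$top": "100"}
    return GRAPH_URL + "?" + urllib.parse.urlencode(
        params, safe="$:", quote_via=urllib.parse.quote)


def http_get_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def http_post_json(url, token, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def iterate_pages(first_url, token, get_json=http_get_json):
    """Follow @odata.nextLink until the API stops returning one."""
    url = first_url
    while url:
        page = get_json(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def build_batches(records, customer_id=CUSTOMER_ID, log_type=LOG_TYPE, batch_size=50):
    """One record -> one log_text entry; chunked to keep request bodies small."""
    return [{"customer_id": customer_id, "log_type": log_type,
             "entries": [{"log_text": json.dumps(r, separators=(",", ":"))}
                         for r in records[i:i + batch_size]]}
            for i in range(0, len(records), batch_size)]


def high_water_mark(records, previous):
    """Newest createdDateTime seen; ISO-8601 UTC strings compare lexicographically."""
    newest = max((r.get("createdDateTime", "") for r in records), default="")
    return newest if newest > previous else previous


def collect_and_forward(graph_token, secops_token, since_iso,
                        get_json=http_get_json, post_json=http_post_json):
    """Pull all new alerts, push them in batches, return (count, new high-water mark)."""
    records = list(iterate_pages(build_alert_url(since_iso), graph_token, get_json))
    for batch in build_batches(records):
        post_json(SECOPS_URL, secops_token, batch)
    return len(records), high_water_mark(records, since_iso)


# Constructed sample pages (not real alerts) so the module runs offline.
SAMPLE_PAGES = {
    build_alert_url("2024-05-01T00:00:00Z"): {
        "value": [
            {"id": "a1", "createdDateTime": "2024-05-01T10:00:00Z", "severity": "medium"},
            {"id": "a2", "createdDateTime": "2024-05-01T11:00:00Z", "severity": "high"},
        ],
        "@odata.nextLink": GRAPH_URL + "?$skiptoken=page2",
    },
    GRAPH_URL + "?$skiptoken=page2": {
        "value": [{"id": "a3", "createdDateTime": "2024-05-02T09:30:00Z", "severity": "low"}],
    },
}


def run_offline_demo():
    """Run the collector against SAMPLE_PAGES; returns (count, mark, posted bodies)."""
    posted = []

    def fake_get(url, _token):
        return SAMPLE_PAGES[url]

    def fake_post(_url, _token, body):
        posted.append(body)
        return 200

    count, mark = collect_and_forward("graph-token", "secops-token",
                                      "2024-05-01T00:00:00Z", fake_get, fake_post)
    return count, mark, posted


if __name__ == "__main__":
    n, mark, bodies = run_offline_demo()
    print(f"forwarded {n} records in {len(bodies)} batch(es); next since={mark}")
```

In a real deployment the returned high-water mark is persisted between runs so each poll only fetches alerts created after the last one seen, and `LOG_TYPE` is the custom log type your parser extension in SecOps is bound to. Sending the whole alert object as `log_text` keeps every field available to the parser rather than committing to a field mapping in the collector.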