Solved

Ingest Entra ID Identity Protection Alerts into SIEM

  • September 10, 2024
  • 4 replies
  • 79 views

RobinK

Hi everyone,

Does anyone have experience in ingesting Entra ID Identity Protection Alerts (IdentityRiskEvent and IdentityRiskyUser) into the SecOps SIEM? I only found the log type "MICROSOFT_IDENTITY_PROTECTION", which unfortunately does not have a parser, and the integration in SecOps SOAR called "Azure AD Identity Protection".

Am I able to see those events through the Feed "Microsoft Graph Security API alert"? I am currently trying to set this feed up.

Thanks in advance.

Best answer by RobinK

4 replies

dnehoda
Staff
  • Staff
  • September 11, 2024

Hello Robin,

A teammate of mine has written a three-blog series for this. There's also another about Graph API below.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775297

https://www.googlecloudcommunity.com/gc/Community-Blog/Gaining-Greater-Visibility-with-Microsoft-Graph-API-Activity/ba-p/726824

RobinK
  • Author
  • New Member
  • September 12, 2024

Hello dnehoda,

Thank you for sharing these blogs with me. They were interesting to read. Unfortunately, neither of them is quite what I was looking for, even though they target topics close to what I need.

We already have the Entra ID Feeds in use. In my case I am looking for "Entra ID Identity Protection", but it seems that there is no parser built for it yet.

The second blog is about "Microsoft Graph API Activity Logs", whereas I was looking for "Microsoft Graph Security API Alerts". Does anyone have any information about whether one can access "Entra ID Identity Protection" logs via this "Microsoft Graph Security API Alerts"?


dnehoda
Staff
  • Staff
  • September 12, 2024

Okay great! Graph will only give you alerts - but not sure which products
are all exposed with that. Sounds like an MS question.

If your logs are coming into SecOps raw, you could build an extension.

Thank you,
DN

RobinK
  • Author
  • New Member
  • Answer
  • September 12, 2024
Yes, it seems that "Entra ID Identity Protection" is not available via "Microsoft Graph Security API", when I look at the MS documentation.

Do you have any preferred way to ingest data from an API into the SecOps SIEM for which there is no third-party API feed?

Thank you, Robin
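As an added example (not from the thread, not Google's or Microsoft's code), one way to do what the last reply asks about: pull the Identity Protection risk detections from Microsoft Graph and ship them raw into SecOps under the MICROSOFT_IDENTITY_PROTECTION log type named in the thread, so a custom parser can later be built over the stored JSON. The Graph v1.0 riskDetections endpoint, @odata.nextLink paging, the batchCreate request shape and the batch size are my assumptions; the HTTP calls themselves are injected so the logic runs offline on a constructed two-page response.

```python
"""Pull Entra ID Identity Protection risk detections from Microsoft Graph and batch
them as raw log entries for the SecOps ingestion API under the thread's log type
MICROSOFT_IDENTITY_PROTECTION. Assumed, not from the thread: the Graph v1.0
riskDetections endpoint, @odata.nextLink paging, the batchCreate body shape."""
import json
from typing import Callable, Iterable, Iterator

GRAPH_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
LOG_TYPE = "MICROSOFT_IDENTITY_PROTECTION"

def iter_detections(fetch: Callable[[str], dict], url: str = GRAPH_URL) -> Iterator[dict]:
    """Follow @odata.nextLink until Graph returns no further page.
    fetch is injected (an authenticated HTTP GET in production) so this runs offline."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def to_entry(detection: dict) -> dict:
    """One riskDetection -> one raw entry; the full JSON is kept for a custom parser."""
    return {"log_text": json.dumps(detection, separators=(",", ":"), sort_keys=True),
            "ts_rfc3339": detection["detectedDateTime"]}

def build_batches(detections: Iterable[dict], customer_id: str,
                  batch_size: int = 100) -> list[dict]:  # 100 is a constructed cap
    """Group entries into batchCreate request bodies of at most batch_size each."""
    batches, entries = [], []
    for detection in detections:
        entries.append(to_entry(detection))
        if len(entries) == batch_size:
            batches.append({"customer_id": customer_id, "log_type": LOG_TYPE, "entries": entries})
            entries = []
    if entries:
        batches.append({"customer_id": customer_id, "log_type": LOG_TYPE, "entries": entries})
    return batches

# Constructed two-page Graph response standing in for a live tenant.
PAGE2 = GRAPH_URL + "?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    GRAPH_URL: {"@odata.nextLink": PAGE2, "value": [
        {"id": "r1", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
         "userPrincipalName": "alice@example.com", "detectedDateTime": "2024-09-10T08:00:00Z"},
        {"id": "r2", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
         "userPrincipalName": "bob@example.com", "detectedDateTime": "2024-09-10T08:05:00Z"}]},
    PAGE2: {"value": [
        {"id": "r3", "riskEventType": "leakedCredentials", "riskLevel": "high",
         "userPrincipalName": "carol@example.com", "detectedDateTime": "2024-09-10T08:10:00Z"}]},
}

def demo(batch_size: int = 2) -> list[dict]:
    """Run the pipeline over the constructed pages; batch_size=2 forces two requests."""
    return build_batches(iter_detections(SAMPLE_PAGES.__getitem__), "PLACEHOLDER_CUSTOMER_ID", batch_size)
```

Each returned dict is one request body; post it with the tenant's ingestion credentials and then write the custom parser against the stored JSON fields.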