Forum Discussion
Export Active directory Identity protection Risky user events to EventHub/ SIEM
You can use the Graph API endpoints as detailed here: https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta
Thank you VasilMichev, this is great to query Risky user data, but I still cannot see a way to stream these events to Event Hub when they occur, as is possible, for example, with Activity Logs or Sign-in logs.
- Franck1304, Jun 29, 2020, Brass Contributor
I also would like to bring up this topic.
After some research I found out how to stream AAD Audit logs to an Event Hub and eventually import these to a SIEM.
However, I cannot find a way to stream Sign-in and User Risk Events to an Event Hub.
Anybody already done this?
Thanks,
Franck
- SamiLamppu, Sep 18, 2020, Brass Contributor
Franck1304 @Manuel_DEste
You should be able to do this with Azure Logic Apps. In a nutshell, you need to:
- Use an Azure Logic App to query the Identity Protection APIs
- Parse the data if/when needed
- Send the data to the Event Hub. You can verify the data flow with the Event Hub capture feature that is very useful in troubleshooting scenarios.
Tested this scenario today and now IPC events can be found in the Event Hub. From there you can establish integration with QRadar / Splunk. In the attached picture there is an Event Hub capture file converted from Avro to JSON.
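The three steps in the post above (query the Identity Protection API, parse, send to Event Hub), written as a plain Python poller instead of a Logic App. This is an added example, not code from the thread or from Microsoft; the Graph endpoint and the `@odata.nextLink` paging are real, the `$filter` on `riskLastUpdatedDateTime` used as a watermark is an assumption, and the sample pages are constructed data, not a real tenant's output.

```python
"""Poll Graph Identity Protection riskyUsers and forward new/changed records to an Event Hub.

Added example: the pipeline described in the forum post, as a Python poller.
Assumptions are marked in comments; sample data below is constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH_RISKY_USERS = "https://graph.microsoft.com/beta/identityProtection/riskyUsers"
# Fields kept in the outbound event so the SIEM parser has a stable schema.
FIELDS = ("id", "userPrincipalName", "riskLevel", "riskState", "riskDetail",
          "riskLastUpdatedDateTime", "isDeleted", "isProcessing")


def http_get_json(url: str, token: str) -> Dict:
    """Real Graph call: GET with a bearer token obtained elsewhere (e.g. client credentials)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def build_query_url(since_iso: Optional[str]) -> str:
    # Assumption: riskyUsers accepts $filter on riskLastUpdatedDateTime; the watermark
    # avoids re-sending records that have not changed since the previous poll.
    if since_iso is None:
        return GRAPH_RISKY_USERS
    return f"{GRAPH_RISKY_USERS}?$filter=riskLastUpdatedDateTime gt {since_iso}"


def fetch_risky_users(get_json: Callable[[str], Dict], since_iso: Optional[str]) -> List[Dict]:
    """Follow @odata.nextLink until the collection is exhausted (Graph pages results)."""
    url: Optional[str] = build_query_url(since_iso)
    records: List[Dict] = []
    while url:
        page = get_json(url)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records


def to_events(records: List[Dict], source: str = "AADIdentityProtection") -> List[Dict]:
    """Parse step: project each riskyUser onto the fixed schema and tag its type/source."""
    events = []
    for r in records:
        ev = {k: r.get(k) for k in FIELDS}
        ev["eventType"] = "RiskyUser"
        ev["source"] = source
        events.append(ev)
    return events


def advance_watermark(records: List[Dict], current: Optional[str]) -> Optional[str]:
    """Newest riskLastUpdatedDateTime seen; UTC ISO-8601 strings of equal form sort lexically."""
    stamps = [r["riskLastUpdatedDateTime"] for r in records if r.get("riskLastUpdatedDateTime")]
    if current:
        stamps.append(current)
    return max(stamps) if stamps else None


def send_to_event_hub(events: List[Dict], connection_string: str, hub_name: str) -> int:
    """Send one JSON document per event. azure-eventhub is imported lazily so the transform
    logic above (and the sample run) works without the package installed."""
    from azure.eventhub import EventData, EventHubProducerClient  # pip install azure-eventhub
    sent = in_batch = 0
    producer = EventHubProducerClient.from_connection_string(connection_string, eventhub_name=hub_name)
    with producer:
        batch = producer.create_batch()
        for ev in events:
            data = EventData(json.dumps(ev))
            try:
                batch.add(data)
            except ValueError:  # batch is full: flush it and start another
                producer.send_batch(batch)
                sent += in_batch
                batch = producer.create_batch()
                batch.add(data)
                in_batch = 0
            in_batch += 1
        if in_batch:
            producer.send_batch(batch)
            sent += in_batch
    return sent


# Constructed sample of two Graph response pages (not real tenant data).
_PAGE2 = GRAPH_RISKY_USERS + "?$skiptoken=page2"
SAMPLE_PAGES: Dict[str, Dict] = {
    GRAPH_RISKY_USERS: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "alice@contoso.example",
             "riskLevel": "high", "riskState": "atRisk", "riskDetail": "none",
             "riskLastUpdatedDateTime": "2020-09-18T07:12:45Z", "isDeleted": False, "isProcessing": False},
            {"id": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "bob@contoso.example",
             "riskLevel": "medium", "riskState": "atRisk", "riskDetail": "none",
             "riskLastUpdatedDateTime": "2020-09-18T06:02:10Z", "isDeleted": False, "isProcessing": True},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "carol@contoso.example",
             "riskLevel": "low", "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordReset",
             "riskLastUpdatedDateTime": "2020-09-17T22:40:00Z", "isDeleted": False, "isProcessing": False},
        ]
    },
}


def run_once(get_json: Callable[[str], Dict], since_iso: Optional[str],
             sink: Callable[[List[Dict]], None]) -> Optional[str]:
    """One poll cycle: fetch -> parse -> sink; returns the watermark to persist for the next run."""
    records = fetch_risky_users(get_json, since_iso)
    sink(to_events(records))
    return advance_watermark(records, since_iso)


if __name__ == "__main__":
    # Offline run against the constructed pages; swap in http_get_json and send_to_event_hub for real use.
    wm = run_once(SAMPLE_PAGES.__getitem__, None, lambda evs: print(json.dumps(evs, indent=2)))
    print("next watermark:", wm)
```

Persist the returned watermark between runs (a Logic App would keep it in storage or a variable); without it every poll re-emits the whole risky-user list, which is the main source of duplicate alerts in the SIEM. Event Hub capture, as the post notes, is the easiest place to confirm the JSON documents actually arrive.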