Forum Discussion
thomasdefise
Feb 07, 2020
Brass Contributor
Get the User Risk Score
Hello,
In order to perform some SOAR, I would like to know how I could get the data linked from https://docs.microsoft.com/en-us/cloud-app-security/tutorial-ueba#risk-score.
For instance, how can I get:
- User Threat: Investigation priority
- User Threat: Identity risk level
- User Threat: Lateral movement paths
- User Threat: Alerts
Is it possible using one of the Microsoft APIs? A Logic App Connector?
Kind Regards,
Thomas
2 Replies
CMcCloud
Copper Contributor
Bumping this feature request:
- ability to create an MCAS or Sentinel alert based on having access to the Investigation Priority Score.
- the ability to ingest and create a KQL query in Sentinel that is able to query the Investigation Priority Score for any particular user.
The rule available in MCAS for "Investigation priority score increase" is not configurable to set a threshold; it's instead based on a user moving to the top 99% of risky users in the organisation.
This isn't sensitive enough for detecting attacks earlier based on suspicious activities and lower risk scores.
Banu Jafarli
Former Employee
Hi Thomas,
Are you trying to better understand how to configure each feature or how to send the information to SIEM?