Forum Discussion
TheHoff70
Dec 13, 2023
Brass Contributor
Sentinel missing Entra ID risky user
Greetings, I feel I need to get some input on a serious omission I came across today on Sentinel's part. A user had somehow gotten fed up with MFA notifications on the Microsoft Authenticator, we use nu...
GBushey
Dec 13, 2023
Iron Contributor
The data connector will populate the AADUserRiskEvents table, like you just saw. If you look at the "Microsoft Entra ID" data connector, you will see the listing of tables that it will populate. The only way you would be notified about the event is if you have an Analytic Rule to query this table for the event.
- TheHoff70
  Dec 14, 2023
  Brass Contributor
  I get it, and I have a few NRT rules that query the SigninLogs table and others for events related to user risk, but to me it seems like a faulty design when not even the native Microsoft Entra ID protection analytics rule generates an incident in Sentinel.
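As an added example (not posted by either participant and not a Microsoft-supplied rule template), this is one way to write the kind of analytics rule query the reply above describes, reading the AADUserRiskEvents table directly. The one-hour lookback and the medium/high threshold are assumptions to adjust for your tenant.

```kusto
// Added example: scheduled analytics rule query over AADUserRiskEvents.
// Assumptions: 1h lookback, alert only on medium or high risk.
let lookback = 1h;
AADUserRiskEvents
| where TimeGenerated > ago(lookback)
// Keep only the most recent row per detection Id, in case a detection
// is logged again when its state is updated.
| summarize arg_max(TimeGenerated, *) by Id
// Filter on state AFTER de-duplication so detections that were already
// remediated or dismissed do not raise an incident.
| where RiskState =~ "atRisk" or RiskState =~ "confirmedCompromised"
| where RiskLevel in~ ("medium", "high")
// One result row per user, so the rule produces one alert per user
// rather than one per individual detection.
| summarize
    DetectionCount = count(),
    RiskEventTypes = make_set(RiskEventType, 20),
    SourceIPs      = make_set(IpAddress, 20),
    HighestRisk    = iff(countif(RiskLevel =~ "high") > 0, "high", "medium"),
    FirstDetected  = min(DetectedDateTime),
    LastDetected   = max(DetectedDateTime)
    by UserPrincipalName, UserId
| order by LastDetected desc
```

In the rule definition, map UserPrincipalName to the Account entity and set the query period to match the lookback so consecutive runs do not leave gaps.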