Forum Discussion
Entra ID protection - Integration into Defender XDR
Hi everyone,
Is it possible to integrate this into Defender? Or is there a hunt or Cloud App Policy that will trigger an alert in the Defender portal?
BR
Stephan
- DylanInfosec (Brass Contributor)
Hi StephanGee,
If you’re utilizing Microsoft Sentinel and the XDR Unified security operations portal it looks like there’s an Entra ID Protection data connector (solution) for Sentinel which could bring that data into your XDR dashboard: Entra ID Protection - Sentinel Community Hub Solution
Best, Dylan
- StephanGee (Steel Contributor)
Thanks Dylan. At this moment we only use the "free" sources for Sentinel. But if only the "alerts" will come in - the costs won't be high. I will enable it - thank you for pointing that out.
- JesperRaarup (Copper Contributor)
Hi StephanGee
I just wanted to add that there is no need for the Sentinel integration to get this into your Defender portal.
The detection source is already there, it is shown as "AAD Identity Protection" which can be found with the filter under alerts and incidents.
- StephanGee (Steel Contributor)
Yes, that is what I would expect, but the last "risky signins" did not show up in Defender XDR.
- JesperRaarup (Copper Contributor)
Hi,
Yes - well, the risky sign-ins have to be tied to a direct incident or alert. A risky sign-in is oftentimes remediated by a policy, which I would assume that you use.
I can find our risky sign-ins if I dig into it, but it's shown like "unfamiliar sign-in properties" or whatever it was detected as, not as either risky user or risky sign-in, as that is not really that important to the incident or alert itself.
Just always have to consider if it is really worth it to have it in the XDR portal or not, because "noise" would just contaminate the environment without any real gain from it.
- esanya2280 (Copper Contributor)
Currently we are not seeing any Microsoft Entra ID Protection alerts in the Defender portal. But we can see Anonymous IP address in the Microsoft Entra admin center.
In Settings -> Microsoft Defender XDR -> Alert service settings -> Microsoft Entra ID protection -> "All Alerts" is already selected.
How to get "Microsoft Entra ID Protection" alerts in Defender portal? Do we have to do any other configuration?
- StephanGee (Steel Contributor)
We are still having the issue. The last days we did not even get a mail notification if a risky user was detected.
This must be fixed somehow.