Forum Discussion
Entra ID protection - Integration into Defender XDR
- Apr 26, 2024
Hi StephanGee,
If you’re utilizing Microsoft Sentinel and the XDR Unified security operations portal, it looks like there’s an Entra ID Protection data connector (solution) for Sentinel which could bring that data into your XDR dashboard: Entra ID Protection - Sentinel Community Hub Solution
Best, Dylan
Hi StephanGee
I just wanted to add that there is no need for the Sentinel integration to get this into your Defender portal.
The detection source is already there, it is shown as "AAD Identity Protection" which can be found with the filter under alerts and incidents.
- JesperRaarup, May 07, 2024, Copper Contributor
Hi,
Yes - well, the risky sign-ins have to be tied to a direct incident or alert. A risky sign-in is oftentimes remediated by a policy, which I would assume that you use.
I can find our risky sign-ins if I dig into it, but it's shown like "unfamiliar sign-in properties" or whatever it was detected as, not as either risky user or risky sign-in, as that is not really that important to the incident or alert itself.
Just always have to consider if it is really worth it to have it in the XDR portal or not, because "noise" would just contaminate the environment without any real gain from it.
- StephanGee, May 10, 2024, Iron Contributor
Thanks Jesper.
I also investigated a while back - but it does not happen for us.
We have an "ongoing" risky user - 5/4/2024 and when I open the user at XDR I get 0 incidents/alerts for this user. We want to use one portal for all incidents (as this is what XDR was built for 😉 )
We block users at medium/high risk and it is our task to investigate and then release the user or force password reset/revoke sessions. So in this case it would be no noise 🙂