Export Active directory Identity protection Risky user events to EventHub/ SIEM

Dear community,

I cannot find the Risky user events "User at risk detected" on Azure Activity Logs, Sign-in Logs or Audit Logs. 

Are these events being logged somewhere?


I'm looking for a way to export or stream this type of event to EventHub so I can then pull or ingest the events into a 3rd party SIEM solution (i.e. Splunk, QRadar).


Thank you for your help!

4 Replies
Highlighted

You can use the Graph API endpoints as detailed here: https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta

Highlighted
Thank you @Vasil Michev, this is great to query Risky user data, but I still cannot see a way to stream these events to EventHub when they occur, as is possible, for example, for Activity Logs or Sign-in logs.

Highlighted

I also would like to bring up this topic.

After some research I found out how to stream AAD Audit logs to an Event Hub and eventually import these to a SIEM.

However, I cannot find a way to stream Sign In and User Risk Events to an EventHub.

Anybody already done this?


Thanks,
Franck

Highlighted

@Franck Marteaux @Manuel_DEste

You should be able to do this with Azure Logic Apps. In a nutshell, you need to:

- Use an Azure Logic App to query the Identity Protection APIs

- Parse the data if/when needed

- Send the data to the Event Hub. You can verify the data flow with the Event Hub capture feature, which is very useful in troubleshooting scenarios.


Tested this scenario today, and now IPC events can be found in the Event Hub. From there you can establish integration with QRadar / Splunk. The attached picture shows an Event Hub capture file converted from Avro to JSON.
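The poll, parse and send steps described above, as an added Python example that is not the poster's Logic App or Microsoft's code: it builds the Graph riskDetections query, keeps a watermark plus a seen-id set so each poll forwards every new detection exactly once, and flattens each detection into the JSON body for the Event Hub send step. The constructed sample page, the server-side $filter on detectedDateTime and the chosen fields are assumptions; Graph authentication and the actual Event Hub send are left to the caller.

```python
import json
from datetime import datetime, timezone

# Beta endpoint from the Graph link in this thread (assumption: v1.0's /identityProtection/riskDetections takes the same query).
GRAPH_RISK_DETECTIONS = "https://graph.microsoft.com/beta/riskDetections"

def parse_ts(value):
    # Graph returns ISO-8601 UTC timestamps ending in 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def build_query(watermark):
    """URL the poller calls each cycle; assumes detectedDateTime is filterable server-side (client check below applies anyway)."""
    return f"{GRAPH_RISK_DETECTIONS}?$filter=detectedDateTime gt {watermark}&$orderby=detectedDateTime"

def to_eventhub_payload(d):
    """Flatten one riskDetection into the compact JSON body the Event Hub send step forwards."""
    return json.dumps({
        "source": "AzureADIdentityProtection", "id": d["id"],
        "eventType": d["riskEventType"], "riskLevel": d["riskLevel"],
        "riskState": d["riskState"], "user": d["userPrincipalName"],
        "ip": d.get("ipAddress"), "detectedDateTime": d["detectedDateTime"],
    }, separators=(",", ":"))

def select_new_detections(page, watermark, seen_ids):
    """Return (events to forward, new watermark); drops anything at/before the watermark or already forwarded."""
    wm = parse_ts(watermark)
    events, newest = [], wm
    for d in page.get("value", []):
        ts = parse_ts(d["detectedDateTime"])
        if ts <= wm or d["id"] in seen_ids:
            continue  # already streamed in an earlier (possibly overlapping) poll
        seen_ids.add(d["id"])
        events.append(to_eventhub_payload(d))
        newest = max(newest, ts)
    return events, newest.strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed sample page shaped like a Graph riskDetections response (not real data).
SAMPLE_PAGE = {"value": [
    {"id": "det-old", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "riskState": "atRisk", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "detectedDateTime": "2020-09-01T10:00:00Z"},
    {"id": "det-new", "riskEventType": "anonymizedIPAddress", "riskLevel": "high",
     "riskState": "atRisk", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "detectedDateTime": "2020-09-01T10:05:00Z"},
]}

def demo():
    # Two poll cycles starting from a watermark equal to the older detection's timestamp.
    seen = set()
    events, wm = select_new_detections(SAMPLE_PAGE, "2020-09-01T10:00:00Z", seen)
    repeat, _ = select_new_detections(SAMPLE_PAGE, wm, seen)  # same page again: nothing new
    return {"events": events, "watermark": wm, "next_url": build_query(wm), "repeat": len(repeat)}
```

In a Logic App the same logic maps onto an HTTP action using the returned URL, a variable holding the watermark, and a "Send event" action per payload.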