Get the User Risk Score

Hello,

In order to perform some SOAR, I would like to know how I could get the data link from the UEBA.

For instance, how can I get:

  • User Threat: Investigation priority
  • User Threat: Identity risk level
  • User Threat: Lateral movement paths
  • User Threat: Alerts

Is it possible using one of the Microsoft APIs? A Logic App connector?

Kind Regards,

Thomas

2 Replies

@thomasdefise 

Hi Thomas,

Are you trying to better understand how to configure each feature, or how to send the information to a SIEM?

Bumping this feature request:

- The ability to create an MCAS or Sentinel alert based on having access to the Investigation Priority Score.

- The ability to ingest the Investigation Priority Score into Sentinel and create a KQL query that can return it for any particular user.

The rule available in MCAS for "Investigation priority score increase" is not configurable to set a threshold; it's instead based on a user moving into the top 99% of risky users in the organisation. This isn't sensitive enough for detecting attacks earlier based on suspicious activities and lower risk scores.
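As an added illustration of the threshold-based detection the reply above asks for (this is example code written for this page, not code from either poster or from Microsoft): a Microsoft Sentinel KQL query over the UEBA BehaviorAnalytics table that surfaces users whose InvestigationPriority reaches a chosen cut-off, rather than relying on the fixed "top percentile" trigger. It assumes UEBA is enabled in the workspace so that the BehaviorAnalytics table is populated; the threshold and lookback values are illustrative placeholders to tune per environment.

```kql
// Assumption: Microsoft Sentinel UEBA is enabled and populating BehaviorAnalytics.
// The threshold and lookback below are illustrative values, not recommendations.
let threshold = 5;        // minimum InvestigationPriority (0-10 scale) to flag
let lookback = 24h;       // how far back to look for scored activities
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where isnotempty(UserPrincipalName)
// Collapse per-activity rows into one row per user, keeping the peak score
// and a short list of the activity types and source IPs that produced it.
| summarize
    MaxPriority = max(InvestigationPriority),
    Activities  = make_set(ActivityType, 20),
    SourceIPs   = make_set(SourceIPAddress, 10),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName
| where MaxPriority >= threshold
| order by MaxPriority desc
```

Saved as a scheduled analytics rule, this query yields an alert whose sensitivity is governed by the threshold value rather than by a user's rank among all risky users, which is the gap the reply describes. Lowering the threshold trades earlier signal for more triage volume, so the cut-off is best set after reviewing the score distribution the summarize step produces in your own tenant.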