So, we have been fetching the Defender for Identity and all other Defender alerts using the Security Graph API and sending them to our SIEM platform. Since the result is JSON, it is easy to parse and work with, until I noticed the Defender for Identity alerts fetched from the Graph API don't have "Entity" information like "Hostname" or "AccountName" as a separate key.
To find which entity the alert was triggered for, we need to look into a key called "description" on the JSON message. The description message looks something like this:
There were attempts to authenticate from CLIENT2 against DC1 using an unusual protocol implementation. May be a result of malicious tools used to execute attacks such as WannaCry. externalId
I recall these were present in the logs as a separate key previously.
On top of that, this is the approach Microsoft asks users to follow:
When used with scripts or automation, Microsoft recommends use of alert external IDs in place of alert names, as only security alert external IDs are permanent, and not subject to change.
But the logs we fetch from the Security API do not have the external IDs in them at all.
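One way to work around the missing entity keys on the SIEM side, as an added example that is not part of the original post and not Microsoft's code: pull the source host and target host out of the "description" text with a regular expression built from the sample sentence above, and fall back to that only when the alert carries no structured host fields. The sample alert, the field names `hostStates`, `fqdn` and `netBiosName`, and the `externalId` placeholder are assumptions for the example; the "from X against Y" wording is the only pattern the post shows, so other alert types will need their own patterns.

```python
import json
import re

# Constructed sample alert, reduced to the shape the post describes: the
# entity names appear only inside "description", and "externalId" is absent.
SAMPLE_ALERT_JSON = json.dumps({
    "title": "Unusual protocol implementation",
    "severity": "medium",
    "description": (
        "There were attempts to authenticate from CLIENT2 against DC1 using an "
        "unusual protocol implementation. May be a result of malicious tools "
        "used to execute attacks such as WannaCry."
    ),
    "hostStates": [],   # assumed structured field; empty, as in the post
})

# Host names: letters, digits, dots, underscores and hyphens (assumption).
HOST = r"[A-Za-z0-9._-]+"

# Patterns derived from the one sentence shape shown in the post. Order
# matters: the most specific pattern (source and target) is tried first.
DESCRIPTION_PATTERNS = [
    re.compile(rf"\bfrom (?P<source_host>{HOST}) against (?P<target_host>{HOST})"),
    re.compile(rf"\bagainst (?P<target_host>{HOST})"),
]


def entities_from_description(description: str) -> dict:
    """Return {'source_host': ..., 'target_host': ...} parsed from the text,
    or an empty dict when none of the known sentence patterns match."""
    for pattern in DESCRIPTION_PATTERNS:
        match = pattern.search(description)
        if match:
            # Strip trailing punctuation that the host-name class may have
            # swallowed (e.g. "DC1." at the end of a sentence).
            return {k: v.rstrip(".,;") for k, v in match.groupdict().items() if v}
    return {}


def enrich_alert(alert: dict) -> dict:
    """Add an 'entities' block and record where it came from, so downstream
    rules can tell a structured value from a best-effort text parse."""
    # Prefer structured host fields when the API supplies them (assumed names).
    hosts = [
        h.get("fqdn") or h.get("netBiosName")
        for h in alert.get("hostStates") or []
        if h.get("fqdn") or h.get("netBiosName")
    ]
    if hosts:
        entities = {"hosts": hosts}
        source = "hostStates"
    else:
        entities = entities_from_description(alert.get("description", ""))
        source = "description" if entities else "none"

    enriched = dict(alert)
    enriched["entities"] = entities
    enriched["entity_source"] = source
    # The post notes externalId is missing from the Graph payload; keep an
    # explicit placeholder so rules can key on it once it is available.
    enriched.setdefault("externalId", "<externalId not present in payload>")
    return enriched


if __name__ == "__main__":
    print(json.dumps(enrich_alert(json.loads(SAMPLE_ALERT_JSON)), indent=2))
```

Because `entity_source` is carried through, a SIEM rule can be written to trust `hostStates`-derived names unconditionally while treating description-derived names as lower confidence; and since the alert title is what Microsoft says may change, keying rules on the parsed entities plus the title is only a stopgap until the external ID shows up in the payload.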