Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Entra ID protection - Integration into Defender XDR

Steel Contributor

Hi everyone,

 

is it possible to integrate this into Defender? Or is there a hunt or Cloud App Policy that will trigger an Alert in Defender Portal?

 

BR

Stephan

7 Replies
best response confirmed by StephanGee (Steel Contributor)
Solution

Hi @StephanGee,

If you’re utilizing Microsoft Sentinel and the XDR Unified security operations portal it looks like there’s an Entra ID Protection data connector (solution) for Sentinel which could bring that data into your XDR dashboard: Entra ID Protection - Sentinel Community Hub Solution 


Best,

Dylan

Thanks Dylan. At this moment we only use the "free" sources for Sentinel. But if only the "alerts" will come in - the costs won't be high. I will enable it - thank you for pointing that out.

Hi @StephanGee 

 

I just wanted to add, that there is no need for the sentinel integration to get this into your Defender portal.

 

The detection source is already there, it is shown as "AAD Identity Protection" which can be found with the filter under alerts and incidents.

 

JesperRaarup_0-1715030674973.png

 

Yes that is what i would expect but the last "risky signins" did not show up @ Defender XDR

@StephanGee 

 

Hi, 

 

Yes - well, the risky signins has to be tied to a direct incident or alert. a risky signin is often times remediated by a policy, which I would assume that you use.

 

I can find our risky sign ins if I dig into it, but it's shown like "unfamiliar signin properties" or whatever it was detected as, not as either risky user or risky sign in as that is not really that important to the incident or alert it self. 

 

Just always have to consider if it is really worth it to have it in the XDR portal or not, because "noise" would just contaminate the environment without any real gain from it. 

Thanks Jesper.
I also investigated a while back - but it does not happen for us.
We have an "ongoing" risky user - 5/4/2024 and when i open the user at XDR i get 0 icident/alert for this user. We want to use one portal for all incidents (as this was XDR was built for ;) )
We block users at medium/high risk and it is our task to investigate and then release the user or force password reset/revoke sessions. So in this case it would be no noise :)

@JesperRaarup ,

 

  • Currently we are not seeing any Microsoft Entra ID Protection alerts in defender portal. But we can see Anonymous IP address in Microsoft Entra admin center"

In Settings -> Microsoft Defender XDR ->Alert service settings -> Microsoft Entra ID protection -> "All Alerts" is already selected.

How to get "Microsoft Entra ID Protection" alerts in Defender portal?  Do we have to do any other configuration?

1 best response

Accepted Solutions
best response confirmed by StephanGee (Steel Contributor)
Solution

Hi @StephanGee,

If you’re utilizing Microsoft Sentinel and the XDR Unified security operations portal it looks like there’s an Entra ID Protection data connector (solution) for Sentinel which could bring that data into your XDR dashboard: Entra ID Protection - Sentinel Community Hub Solution 


Best,

Dylan

View solution in original post