Apr 26 2024 03:56 AM
Hi everyone,
Is it possible to integrate this into Defender? Or is there a hunt or Cloud App Policy that will trigger an alert in the Defender portal?
BR
Stephan
Apr 26 2024 10:49 AM
Solution
Hi @StephanGee,
If you’re utilizing Microsoft Sentinel and the XDR Unified security operations portal it looks like there’s an Entra ID Protection data connector (solution) for Sentinel which could bring that data into your XDR dashboard: Entra ID Protection - Sentinel Community Hub Solution
Best,
Dylan
Apr 26 2024 10:53 AM
May 06 2024 02:29 PM - edited May 06 2024 02:31 PM
Hi @StephanGee
I just wanted to add that there is no need for the Sentinel integration to get this into your Defender portal.
The detection source is already there, it is shown as "AAD Identity Protection" which can be found with the filter under alerts and incidents.
May 06 2024 10:29 PM
May 07 2024 02:59 PM
Hi,
Yes - well, the risky sign-ins have to be tied to a direct incident or alert. A risky sign-in is oftentimes remediated by a policy, which I would assume that you use.
I can find our risky sign-ins if I dig into it, but it's shown like "unfamiliar sign-in properties" or whatever it was detected as, not as either risky user or risky sign-in, as that is not really that important to the incident or alert itself.
Just always have to consider if it is really worth it to have it in the XDR portal or not, because "noise" would just contaminate the environment without any real gain from it.
May 10 2024 06:33 AM