Entra ID protection - Integration into Defender XDR

Hi everyone,

Is it possible to integrate this into Defender? Or is there a hunt or Cloud App Policy that will trigger an alert in the Defender portal?

BR

Stephan

6 Replies
best response confirmed by StephanGee (Steel Contributor)
Solution

Hi @StephanGee,

If you’re utilizing Microsoft Sentinel and the XDR Unified security operations portal it looks like there’s an Entra ID Protection data connector (solution) for Sentinel which could bring that data into your XDR dashboard: Entra ID Protection - Sentinel Community Hub Solution 


Best,

Dylan

Thanks Dylan. At this moment we only use the "free" sources for Sentinel. But if only the "alerts" will come in - the costs won't be high. I will enable it - thank you for pointing that out.

Hi @StephanGee,

I just wanted to add that there is no need for the Sentinel integration to get this into your Defender portal.

The detection source is already there; it is shown as "AAD Identity Protection", which can be found with the filter under alerts and incidents.


Yes, that is what I would expect, but the last "risky sign-ins" did not show up in Defender XDR.

@StephanGee

Hi,

Yes, well, the risky sign-ins have to be tied to a direct incident or alert. A risky sign-in is often remediated by a policy, which I would assume that you use.

I can find our risky sign-ins if I dig into it, but they are shown as "unfamiliar sign-in properties" or whatever they were detected as, not as either risky user or risky sign-in, as that is not really that important to the incident or alert itself.

You just always have to consider whether it is really worth it to have it in the XDR portal or not, because "noise" would just contaminate the environment without any real gain from it.

Thanks Jesper.
I also investigated a while back, but it does not happen for us.
We have an "ongoing" risky user (5/4/2024), and when I open the user in XDR I get 0 incidents/alerts for this user. We want to use one portal for all incidents (as this is what XDR was built for ;) ).
We block users at medium/high risk, and it is our task to investigate and then release the user or force a password reset/revoke sessions. So in this case it would be no noise :)
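One way to check, from the Defender XDR advanced hunting side, whether any Identity Protection alert is attached to a given user, as an added example that is not part of this thread; it assumes the detection source label contains "Identity Protection" (the thread reports it as "AAD Identity Protection") and uses a constructed placeholder UPN:

```kql
// Added example (not from the thread): find Defender XDR alerts whose detection source
// is Entra ID Protection and that carry a given user as evidence.
// Assumption: the DetectionSource value contains "Identity Protection", as the portal filter shows it.
let targetUpn = "user@contoso.example";   // constructed placeholder, replace with the risky user's UPN
AlertInfo
| where Timestamp > ago(30d)
| where DetectionSource has "Identity Protection"
| join kind=inner (
    AlertEvidence
    | where EntityType == "User"
    | where AccountUpn =~ targetUpn
    | project AlertId, AccountUpn
  ) on AlertId
| project Timestamp, AlertId, Title, Severity, DetectionSource, ServiceSource, AccountUpn
| order by Timestamp desc
```

An empty result for a user who is flagged as risky in Entra ID Protection matches the situation described above: the risk state exists, but no alert or incident was raised in XDR for it.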