Jan 09 2020 - last edited on Jan 14 2022
I cannot find the Risky user events "User at risk detected" on Azure Activity Logs, Sign-in Logs or Audit Logs.
Are these events being logged somewhere?
I'm looking for a way to export or stream this type of event to Event Hub so I can then pull or ingest the events into a 3rd party SIEM solution (i.e. Splunk, QRadar).
Thank you for your help!
Jan 09 2020 08:17 AM
You can use the Graph API endpoints as detailed here: https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta
Jan 14 2020 03:03 AM
Thank you @Vasil Michev, this is great to query Risky user data, but I still cannot see a way to stream these events to Event Hub when they occur, as is possible for example with Activity Logs or Sign-in logs.
Jun 29 2020 02:51 AM
I also would like to bring up this topic.
After some research I found out how to stream AAD Audit logs to an Event Hub and eventually import these to a SIEM.
However, I cannot find a way to stream Sign-in and User Risk Events to an Event Hub.
Anybody already done this?
Sep 18 2020 03:23 AM
@Franck Marteaux @Manuel_DEste
You should be able to do this with the Azure Logic Apps. In a nutshell, you need:
- Use an Azure Logic App to query the Identity Protection APIs
- Parse the data if/when needed
- Send the data to the Event Hub. You can verify the data flow with the Event Hub capture feature that is very useful in troubleshooting scenarios.
Tested this scenario today, and IPC events are now found in the Event Hub. From there you can establish the integration with QRadar / Splunk. In the attached picture there is an Event Hub capture file converted from Avro to JSON.
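The same three steps (query Identity Protection, normalise, send to Event Hub) as a scripted poller rather than a Logic App, as an added example that is not from this thread or from Microsoft. It assumes the v1.0 riskDetections endpoint accepts a `$filter` on `lastUpdatedDateTime`, uses a constructed sample page instead of a live Graph call, and takes the Event Hub send as an injected callable, which in a real deployment would wrap an `azure-eventhub` producer.

```python
import json
from typing import Callable, Dict, Tuple

# Assumed endpoint: the v1.0 counterpart of the beta resource linked earlier in the thread.
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"

# Constructed sample page shaped like a Graph riskDetections response (not real data).
SAMPLE_PAGE = {"value": [
    {"id": "det-001", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "riskState": "atRisk", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "detectedDateTime": "2020-09-18T08:00:00Z",
     "lastUpdatedDateTime": "2020-09-18T08:05:00Z"},
    {"id": "det-002", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
     "riskState": "remediated", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "detectedDateTime": "2020-09-17T22:10:00Z",
     "lastUpdatedDateTime": "2020-09-17T22:12:00Z"},
]}


def build_request_url(watermark: str) -> str:
    """Ask Graph only for detections updated after the last one we forwarded
    (assumption: lastUpdatedDateTime is filterable on this resource)."""
    return f"{GRAPH_URL}?$filter=lastUpdatedDateTime gt {watermark}&$orderby=lastUpdatedDateTime"


def to_siem_event(det: Dict) -> Dict:
    """Flatten one riskDetection into a stable record the SIEM can map fields from."""
    return {
        "event_type": "aad_risk_detection",
        "id": det["id"],
        "risk_event_type": det.get("riskEventType"),
        "risk_level": det.get("riskLevel"),
        "risk_state": det.get("riskState"),  # atRisk / remediated / dismissed etc.
        "user": det.get("userPrincipalName"),
        "src_ip": det.get("ipAddress"),
        "detected_at": det.get("detectedDateTime"),
        "updated_at": det.get("lastUpdatedDateTime"),
    }


def forward_page(page: Dict, watermark: str, send: Callable[[bytes], None]) -> Tuple[int, str]:
    """Send every detection newer than the watermark, oldest first, and return
    (count_sent, new_watermark). UTC 'Z' timestamps compare correctly as strings."""
    fresh = sorted((d for d in page.get("value", []) if d["lastUpdatedDateTime"] > watermark),
                   key=lambda d: d["lastUpdatedDateTime"])
    for det in fresh:
        send(json.dumps(to_siem_event(det)).encode("utf-8"))  # one Event Hub message each
    return len(fresh), (fresh[-1]["lastUpdatedDateTime"] if fresh else watermark)


if __name__ == "__main__":
    sent = []
    print(forward_page(SAMPLE_PAGE, "2020-09-17T00:00:00Z", sent.append), len(sent))
```

Persist the returned watermark between runs (for example in a storage table) so a restart re-sends nothing the SIEM already has.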