Export Active directory Identity protection Risky user events to EventHub/ SIEM

Question

Dear community,I cannot find the Risky user events "User at risk detected" on Azure Activity Logs, Sign-in Logs or Audit Logs.&nbsp;Are these events being logged somewhere?&nbsp;I'm looking for a way to export or stream this type of events to EventHub so I can then pull or ingest the events into a 3rd Party SIEM solution (i.e. SPlunk, QRadar)&nbsp;Thank you for your help!

samilamppu · Answer

Franck1304&nbsp;@Manuel_DEsteYou should be able to do this with the Azure Logic Apps. In a nutshell, you need:- Use Azure Logic App to query the Identity Protection APIs- Parse the data if/when needed- Send the data to the Event Hub. You can verify the data flow with the Event Hub capture feature that is very useful in troubleshooting scenarios.&nbsp;Tested this scenario today and now IPC events are found from Event Hub. From there you can establish integration with the QRadar / Splunk. In the attached picture there is Event Hub capture file converted from avro to json.

vasilmichev · Answer

You can use the Graph API endpoints as detailed here:&nbsp;https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta

manuel_deste · Answer

Thank you&nbsp;VasilMichev&nbsp;, this is great to query Risky user data but I still cannot see away to Stream these events to EventHub when they occurs like for example is possible to Activity Logs or Sign-in logs.&nbsp;

franck1304 · Answer

I also would like to bring up this topic.

After some research I found out how to stream AAD Audit logs to an Event Hub and eventually import these to a SIEM.

However I can not find a way to stream Sign In and User Risk Events to an EventHub.

Anybody already done this?

Thanks,
Franck

Forum Discussion

Export Active directory Identity protection Risky user events to EventHub/ SIEM

Share

Resources