AAD Connector Configuration


When we configure the AAD logs in Sentinel, there are 7 options; however, in the Diagnostic settings in AAD, there are 9 options. I am assuming that the AAD Identity Protection connector covers the other 2 options (Risky Users and User Risk Events). Can anyone confirm my assumption?


1 Reply
They recently added risky user logs and risk detection logs to public preview so that they can be sent to Sentinel (or Azure Monitor) - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-... (under supported reports). A lot of the guidance hasn't been updated yet to reflect it, from what I can see. Previously you could see this report in the portal but not send the data anywhere, I don't think.

AAD identity protection is just the actual alerts that fire (and get sent to the SecurityAlert table). I imagine the data from RiskyUsers and UserRiskEvents is a large part of what triggers AAD IP alerts though.
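An added example, not code from either poster or from Microsoft, that makes the gap described in this thread checkable: given an Azure AD diagnostic setting, it lists which of the nine log categories are not being exported, names the workspace tables that will therefore stay empty, and returns a corrected body with all nine enabled. It assumes the JSON shape of the ARM `diagnosticSettings` resource (`properties.logs[].category` / `enabled`, `properties.workspaceId`), uses the category and table names as they stood when this thread was written (both lists have grown since), and the sample setting below is constructed, not captured from a tenant. The `SecurityAlert` table fed by the Identity Protection connector is separate from all of these and is not touched here.

```python
import copy
import json

# Azure AD diagnostic-setting log categories (as of the time of this thread)
# mapped to the Log Analytics / Sentinel table each one populates. The first
# seven are what the Sentinel AAD connector toggles; RiskyUsers and
# UserRiskEvents only appear in the AAD Diagnostic settings blade.
AAD_CATEGORIES = {
    "AuditLogs": "AuditLogs",
    "SignInLogs": "SigninLogs",
    "NonInteractiveUserSignInLogs": "AADNonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs": "AADServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs": "AADManagedIdentitySignInLogs",
    "ProvisioningLogs": "AADProvisioningLogs",
    "ADFSSignInLogs": "ADFSSignInLogs",
    "RiskyUsers": "AADRiskyUsers",
    "UserRiskEvents": "AADUserRiskEvents",
}
SENTINEL_CONNECTOR_CATEGORIES = list(AAD_CATEGORIES)[:7]

# Constructed sample (assumed ARM diagnosticSettings shape): a setting as the
# Sentinel connector would leave it, plus RiskyUsers present but switched off.
SAMPLE_SETTING = {
    "name": "SentinelDiagnostics",
    "properties": {
        "workspaceId": (
            "/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights"
            "/workspaces/law-sentinel"
        ),
        "logs": [
            {"category": c, "enabled": True} for c in SENTINEL_CONNECTOR_CATEGORIES
        ] + [{"category": "RiskyUsers", "enabled": False}],
    },
}


def enabled_categories(setting):
    """Categories the setting actually exports: present and enabled == true."""
    return {
        entry["category"]
        for entry in setting["properties"].get("logs", [])
        if entry.get("enabled") and entry["category"] in AAD_CATEGORIES
    }


def missing_categories(setting):
    """AAD categories not exported, in the order the portal lists them."""
    enabled = enabled_categories(setting)
    return [c for c in AAD_CATEGORIES if c not in enabled]


def missing_tables(setting):
    """Workspace tables that will stay empty given the missing categories."""
    return [AAD_CATEGORIES[c] for c in missing_categories(setting)]


def with_all_categories(setting):
    """Copy of the setting with every AAD category enabled.

    Entries that already exist keep their other fields (e.g. retentionPolicy)
    and are flipped to enabled; absent categories are appended. The result is
    the body you would PUT back to the diagnosticSettings resource.
    """
    fixed = copy.deepcopy(setting)
    logs = fixed["properties"].setdefault("logs", [])
    present = {entry["category"]: entry for entry in logs}
    for category in AAD_CATEGORIES:
        if category in present:
            present[category]["enabled"] = True
        else:
            logs.append({"category": category, "enabled": True})
    return fixed


if __name__ == "__main__":
    print("not exported:", missing_categories(SAMPLE_SETTING))
    print("tables that stay empty:", missing_tables(SAMPLE_SETTING))
    print(json.dumps(with_all_categories(SAMPLE_SETTING), indent=2))
```

On the sample, `missing_categories` reports `RiskyUsers` and `UserRiskEvents`, which is exactly the 9-minus-7 gap in the question; note that a category merely present but `enabled: false` counts as missing, which is easy to overlook when eyeballing the blade.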