AAD Connector Configuration


When we configure the AAD logs in Sentinel, there are 7 options; however, in the Diagnostic settings in AAD, there are 9 options. I am assuming that the AAD Identity Protection connector covers the other 2 options (Risky Users and User Risk Events). Can anyone confirm my assumption?


1 Reply
They recently added to public preview risky user logs and risk detection logs to be able to be sent to Sentinel (or Azure Monitor) - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-... (under support reports). A lot of the guidance hasn't been updated yet to reflect it from what I can see though. Previously you could see this report in the portal but not send the data anywhere I don't think.

AAD Identity Protection is just the actual alerts that fire (and get sent to the SecurityAlert table). I imagine the data from RiskyUsers and UserRiskEvents is a large part of what triggers AAD IP alerts though.