{"id":3710,"date":"2021-09-21T21:13:39","date_gmt":"2021-09-21T19:13:39","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=3710"},"modified":"2023-07-27T23:21:56","modified_gmt":"2023-07-27T21:21:56","slug":"stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/","title":{"rendered":"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics"},"content":{"rendered":"<p><strong>Microsoft recently added a new function that gives the option for stream events from Azure AD Identity Protection into Microsoft Sentinel. In this blog the instruction for export user risk events from Azure AD Identity protection into Microsoft Sentinel.&nbsp;<\/strong><\/p>\n<h2>Identity Protection &#8211; Risk data<\/h2>\n<p>Risk data is part of Azure AD Identity protection and stores the data with some small retention period. With the new stream option &#8211;&nbsp; it is possible to extend the default retention period and create use-cases based on more data.<\/p>\n<p>Azure AD stores reports and security signals for a defined period. Below is the table with the max retention period for AzureAD free, AADP1, and AADP2 for each of the signals. With AADP2 the max retention period is 30 days for the audit logs, sign-ins, risky sign-ins, and AzureAD MFA usage.<\/p>\n<table class=\"table\">\n<thead>\n<tr>\n<th>Report \/ Signal<\/th>\n<th>Azure AD Free<\/th>\n<th>Azure AD Premium P1<\/th>\n<th>Azure AD Premium P2<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Audit logs<\/td>\n<td>7 days<\/td>\n<td>30 days<\/td>\n<td>30 days<\/td>\n<\/tr>\n<tr>\n<td>Sign-ins<\/td>\n<td>7 days<\/td>\n<td>30 days<\/td>\n<td>30 days<\/td>\n<\/tr>\n<tr>\n<td>Azure AD MFA usage<\/td>\n<td>30 days<\/td>\n<td>30 days<\/td>\n<td>30 days<\/td>\n<\/tr>\n<tr>\n<td>Risky sign-ins<\/td>\n<td>7 days<\/td>\n<td>30 days<\/td>\n<td>90 days<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>For several years Azure AD Identity Protection is available with the Azure AD P2 license. Azure AD Identity Protection gives the following key tasks for organizations:<\/p>\n<ul>\n<li>Automate detection and remediation for identity risk events<\/li>\n<li>Investigate risk<\/li>\n<li>Protect users automatically based on risk<\/li>\n<\/ul>\n<p>Identity Protection uses the threat intelligence information from AzureAD and all the threat intelligence information from customers worldwide. Based on the analyzed events Microsoft protects users from threats.<\/p>\n<p>Two main risk detection components are part of the Azure AD Identity Protection solution:<\/p>\n<ul>\n<li>Sign-in risk<\/li>\n<li>User-risk<\/li>\n<\/ul>\n<p>More technical Azure AD Identity Protection information in this blog: <a href=\"https:\/\/jeffreyappel.nl\/azure-ad-identity-protection-user-risk-and-sign-in-risk-protection-with-automation\/\">Azure AD Identity Protection: User Risk and Sign-in Risk protection with automation<\/a><\/p>\n<hr>\n<h2>Stream events with Diagnostic settings<\/h2>\n<p>From the Diagnostic settings panel, it is possible to stream risk events from Azure AD Identity protection into Microsoft Sentinel\/ Log Analytics based on two new tables. After the enablement the following tables will be created:<\/p>\n<ul>\n<li>AADUserRiskEvents<\/li>\n<li>AADRiskyUsers<\/li>\n<\/ul>\n<h3>Enable the event streaming<\/h3>\n<p>For sending the <strong>RiskyUser<\/strong> and <strong>UserRiskEvents<\/strong> data to a Log Analytics workspace, storage account or Event hub go to the Azure Active Directory diagnostic setting:&nbsp;<\/p>\n<p><strong>Azure portal<\/strong>&nbsp;&gt;&nbsp;<strong>Azure Active Directory<\/strong>,&nbsp;<strong>Diagnostic settings<\/strong><\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-3711\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4.png\" alt=\"\" width=\"2636\" height=\"908\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4.png 2636w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-300x103.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-1024x353.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-768x265.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-1536x529.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-2048x705.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-585x202.png 585w\" sizes=\"(max-width: 2636px) 100vw, 2636px\" \/><\/p>\n<p>For the event destination 4 options are available:<\/p>\n<ul>\n<li>Send to Log Analytics workspace<\/li>\n<li>Archive to a storage account<\/li>\n<li>Stream to an event hub<\/li>\n<li>Send to partner solution<\/li>\n<\/ul>\n<p>For adding the new diagnostic settings source click on <strong>Add diagnostic settings<\/strong><\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-3711\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4.png\" alt=\"\" width=\"2636\" height=\"908\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4.png 2636w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-300x103.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-1024x353.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-768x265.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-1536x529.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-2048x705.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-4-585x202.png 585w\" sizes=\"(max-width: 2636px) 100vw, 2636px\" \/><\/p>\n<p>The next step is to fill in the diagnostic settings name and select the category details and destination details. First the category details:<\/p>\n<p><strong>Log category details<\/strong><\/p>\n<p>With this blog, we focussing only on the risk events from Identity Protection. For streaming the Identity Protection data select <strong>RiskyUsers&nbsp;<\/strong>and&nbsp;<strong>UserRiskEvents.&nbsp;<\/strong><\/p>\n<p><strong>Destination details<\/strong><\/p>\n<p>For exporting events into Microsoft Sentinel. We using in this blog the export option <em>Send to Log Analytics workspace.&nbsp;<\/em>For sending events into the Microsoft Sentinel workspace &#8211; select the <strong>subscription<\/strong> and <strong>workspace<\/strong>.<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-3712\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5.png\" alt=\"\" width=\"1845\" height=\"1258\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5.png 1845w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5-300x205.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5-1024x698.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5-768x524.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5-1536x1047.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-5-585x399.png 585w\" sizes=\"(max-width: 1845px) 100vw, 1845px\" \/><\/p>\n<p>Once enabled two new data tables are available in the Log Analytics workspace. Based on the <span style=\"text-decoration: underline;\">RiskyUsers<\/span> and <span style=\"text-decoration: underline;\">UserRiskEvents<\/span> log the following tables are available:<\/p>\n<ul>\n<li>AADRiskyUsers &#8211; Provides data like the&nbsp;<strong>Risky users<\/strong> report in Identity Protection<\/li>\n<li>AADUserRiskEvents &#8211; Provides data like the&nbsp;<strong>Risk detections<\/strong> report in Identity Protection<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-3714\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6.png\" alt=\"\" width=\"2188\" height=\"1199\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6.png 2188w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6-300x164.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6-1024x561.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6-768x421.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6-1536x842.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6-2048x1122.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/MCAS-6-585x321.png 585w\" sizes=\"(max-width: 2188px) 100vw, 2188px\" \/><\/p>\n<hr>\n<h2>Investigate data with KQL<\/h2>\n<p>Based on the data flow KQL can be used for more in-depth investigation and for matching data against other log sources. ( example the AzureAD sign-in information)<\/p>\n<h3><strong>&nbsp;AADUserRiskEvents<\/strong><\/h3>\n<p>AADUserRiskEvents contains the risk user events from Identity Protection and Microsoft Cloud App Security. Interesting to view quite easily the detection logic from Identity Protection. With the DetectionTimingType the real-time or offline attribute is visible. See the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/reference\/tables\/aaduserriskevents\">Microsoft docs for the table reference<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3747\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33.png\" alt=\"\" width=\"3057\" height=\"1557\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33.png 3057w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33-300x153.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33-1024x522.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33-768x391.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33-1536x782.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33-2048x1043.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-44-33-585x298.png 585w\" sizes=\"(max-width: 3057px) 100vw, 3057px\" \/><\/p>\n<p>Information like RiskDetail, RiskEventType, RiskLevel, RiskState DetectionTimeType, TokenIssuerType, and source is available from the AADUserRiskEvents table.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3748\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53.png\" alt=\"\" width=\"2596\" height=\"1198\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53.png 2596w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53-300x138.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53-1024x473.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53-768x354.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53-1536x709.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53-2048x945.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-47-53-585x270.png 585w\" sizes=\"(max-width: 2596px) 100vw, 2596px\" \/><\/p>\n<p><strong>RiskDetail with the value aiConfirmedSigninSafe<\/strong> is interesting. This is basically Microsoft flagging the risk event as safe based on the AI and Identity protection events. The exact reason why it is safe is not available. It seems some combination of user events, IP Address history, location, and common sign-ins from other users.<\/p>\n<p><strong>DetectionTimingTypes:&nbsp;<\/strong>Sign-in risk can be calculated in real-time or calculated offline using Microsoft&#8217;s Internal and internal threat intelligence feeds. With the field; DetectionTimingTypes the calculation real-time\/ offline is visible. For some examples of TimingTypes: <a href=\"https:\/\/jeffreyappel.nl\/azure-ad-identity-protection-user-risk-and-sign-in-risk-protection-with-automation\/\">Read my other AAD Identity Protection blog<\/a>.<\/p>\n<p>With the <strong>RiskEventType<\/strong> you can track the specific type for the risk. <strong>Location<\/strong> contains the specific location details with specific geoCoordinates.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3749\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33.png\" alt=\"\" width=\"1925\" height=\"281\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33.png 1925w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33-300x44.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33-1024x149.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33-768x112.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33-1536x224.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-51-33-585x85.png 585w\" sizes=\"(max-width: 1925px) 100vw, 1925px\" \/><\/p>\n<p>With the KQL query:<\/p>\n\n\n<pre class=\"wp-block-code\"><code>AADUserRiskEvents\n| summarize count()by RiskEventType\n| render piechart<\/code><\/pre>\n\n\n<p>You can visualize the data based on RiskEventType.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3750\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16.png\" alt=\"\" width=\"2895\" height=\"1545\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16.png 2895w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-300x160.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-1024x546.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-768x410.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-1536x820.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-2048x1093.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-585x312.png 585w\" sizes=\"(max-width: 2895px) 100vw, 2895px\" \/><\/p>\n<h3><strong>AADRiskyUsers<\/strong><\/h3>\n<p>AADRiskyUsers table shows the state of a user and how their risk has changed. You can combine &nbsp;AADUserRiskEvents and AADRiskyUsers to view the changing pattern.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3745\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30.png\" alt=\"\" width=\"2430\" height=\"721\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30.png 2430w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30-300x89.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30-1024x304.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30-768x228.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30-1536x456.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30-2048x608.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-34-30-585x174.png 585w\" sizes=\"(max-width: 2430px) 100vw, 2430px\" \/><\/p>\n<p>Information available:<\/p>\n<ul>\n<li>IsDeleted<\/li>\n<li>IsProcessing<\/li>\n<li>RiskDetails<\/li>\n<li>RiskLastUpdateDateTIme<\/li>\n<li>RiskLevel<\/li>\n<li>RiskState<\/li>\n<li>UserDIsplayName<\/li>\n<li>UserPrincipalName<\/li>\n<li>OperationName<\/li>\n<li>Type<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3746\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35.png\" alt=\"\" width=\"3080\" height=\"955\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35.png 3080w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35-300x93.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35-1024x318.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35-768x238.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35-1536x476.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35-2048x635.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_21-39-35-585x181.png 585w\" sizes=\"(max-width: 3080px) 100vw, 3080px\" \/><\/p>\n<p>Tip: For more KQL examples with the new risk events &#8211; view the blog; <a href=\"https:\/\/learnsentinel.blog\/2021\/08\/05\/streaming-azure-ad-risk-events-to-azure-sentinel\/\">learnsentinel.blog<\/a><\/p>\n<hr>\n<h2>Conclusion<\/h2>\n<p>In this blog, I have covered how you can collect Azure AD Risk Events from Identity Protection and stream them directly to Microsoft Sentinel\/ Log Analytics.<\/p>\n<p>With the new data tables, multiple use cases are possible for filtering the real-time risk and available attributes.&nbsp;&nbsp;<\/p>\n<hr>\n<h2>Sources<\/h2>\n<p id=\"how-to-export-risk-data\"><a href=\"https:\/\/docs.microsoft.com\/en-gb\/azure\/active-directory\/identity-protection\/howto-export-risk-data\">Microsoft: How To: Export risk data<\/a><\/p>\n<p><a href=\"https:\/\/learnsentinel.blog\/2021\/08\/05\/streaming-azure-ad-risk-events-to-azure-sentinel\/\">Learnsentinel.blog: Streaming Azure AD risk events to Azure Sentinel<\/a><\/p>\n<p>&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>Microsoft recently added a new function that gives the option for stream events from Azure AD Identity Protection into Microsoft Sentinel. In this blog the instruction for export user risk events from Azure AD Identity protection into Microsoft Sentinel.&nbsp; Identity&#8230;<\/p>\n","protected":false},"author":1,"featured_media":3781,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[223,208],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics\" \/>\n<meta property=\"og:description\" content=\"Microsoft recently added a new function that gives the option for stream events from Azure AD Identity Protection into Microsoft Sentinel. In this blog the instruction for export user risk events from Azure AD Identity protection into Microsoft Sentinel.&nbsp; Identity...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-21T19:13:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-27T21:21:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1013\" \/>\n\t<meta property=\"og:image:height\" content=\"452\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/\",\"url\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/\",\"name\":\"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png\",\"datePublished\":\"2021-09-21T19:13:39+00:00\",\"dateModified\":\"2023-07-27T21:21:56+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png\",\"width\":1013,\"height\":452},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/","og_locale":"en_US","og_type":"article","og_title":"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics","og_description":"Microsoft recently added a new function that gives the option for stream events from Azure AD Identity Protection into Microsoft Sentinel. In this blog the instruction for export user risk events from Azure AD Identity protection into Microsoft Sentinel.&nbsp; Identity...","og_url":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2021-09-21T19:13:39+00:00","article_modified_time":"2023-07-27T21:21:56+00:00","og_image":[{"width":1013,"height":452,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/","url":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/","name":"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png","datePublished":"2021-09-21T19:13:39+00:00","dateModified":"2023-07-27T21:21:56+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/09\/2021-09-16_22-01-16-12-e1632251854911.png","width":1013,"height":452},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/3710"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=3710"}],"version-history":[{"count":4,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/3710\/revisions"}],"predecessor-version":[{"id":7300,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/3710\/revisions\/7300"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/3781"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=3710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=3710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=3710"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=3710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}