{"id":3710,"date":"2021-09-21T21:13:39","date_gmt":"2021-09-21T19:13:39","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=3710"},"modified":"2023-07-27T23:21:56","modified_gmt":"2023-07-27T21:21:56","slug":"stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics\/","title":{"rendered":"Stream Azure AD Identity Protection events to Microsoft Sentinel\/ Log Analytics"},"content":{"rendered":"
Microsoft recently added a new function that makes it possible to stream events from Azure AD Identity Protection into Microsoft Sentinel. This blog explains how to export user risk events from Azure AD Identity Protection into Microsoft Sentinel. <\/strong><\/p>\n Risk data is part of Azure AD Identity Protection, which stores it for only a short retention period. With the new stream option, it is possible to extend the default retention period and create use cases based on more data.<\/p>\n Azure AD stores reports and security signals for a defined period. Below is the table with the maximum retention period for Azure AD Free, AADP1, and AADP2 for each of the signals. With AADP2, the maximum retention period is 30 days for the audit logs, sign-ins, risky sign-ins, and Azure AD MFA usage.<\/p>\nIdentity Protection – Risk data<\/h2>\n