At the end of the day, more data is always useful, even if users will trigger multiple alerts if you are licensed for both systems. So we get some realtime alerts and some offline alerts from a number of sources. | summarize count()by RiskEventType, Source You can see here some of the overlap, you get unlikelyTravel and mcasImpossibleTravel, you can also have a look at where the data is coming from. Keep in mind this data will only start populating once you enable it, any risk events prior to that won’t be resent to Azure Sentinel. If you want to visualize the type of risk events in your environment you can do so. Also having the data in Sentinel means you can query it against other log sources more unique to your environment. This is a really welcome addition because there has always been an overlap with where detections are found, Azure AD Identity Protection will find some stuff, Microsoft Cloud App Security will find its own things, there is some crossover, and you may not be licensed for everything. AADRiskyUsers – this is the data from the Risky Users blade in Azure AD Identity Protection but streamed as log data, so will include when users are remediated.AADUserRiskEvents – this is the data that you would see in Azure AD Identity Protection if you went and viewed the risk detections, or risky sign-in reports. You can add the data in the Azure AD -> Diagnostic Settings page, and once enabled you will see data stream into two new tables Microsoft recently added the ability to stream risk events from Azure AD Identity Protection into Azure Sentinel, check out the guidance here.
0 Comments
Leave a Reply. |