Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that helps you secure identity monitoring across your organization. It delivers a modern identity threat detection and response (ITDR) solution across hybrid environments, which lets you:

  • Prevent breaches, using proactive identity security posture assessments.
  • Detect threats, using real-time analytics and data intelligence.
  • Investigate suspicious activities, using clear, actionable incident information.
  • Respond to attacks, using automatic response to compromised identities.

This document outlines the steps required to collect and analyse the Microsoft Defender for Identity alerts in the Sumo Logic platform.

Set up collection

note

Skip this step if you have already configured the Microsoft Graph Security API Source.

Use the Cloud-to-Cloud Integration for Microsoft Graph Security API to ingest security alert data from Microsoft Defender for Identity into the Sumo Logic platform.

Search alerts

Use the following query to retrieve alerts generated by Microsoft Defender for Identity.

_sourceCategory=Labs/MicrosoftGraphSecurity
| json field=_raw "serviceSource" as service_source
| where service_source = "microsoftDefenderForIdentity"

Analyse alerts

Use the following query to extract detailed insights from the alert data:

_sourceCategory=Labs/MicrosoftGraphSecurity
| json "id", "status", "severity", "category", "title", "description", "classification", "determination", "serviceSource", "detectionSource", "alertWebUrl", "comments[*]", "evidence[*]" as alert_id, status, severity, category, title, description, classification, determination, service_source, detection_source, alert_url, comments, evidence_info nodrop
| where service_source = "microsoftDefenderForIdentity"
| where severity matches "*" and status matches "*" and classification matches "*"
| if(isNull(category), "-", category) as category
| if(isNull(classification), "-", classification) as classification
| if(isNull(determination), "-", determination) as determination
| count by _messageTime, status, severity, category, title, description, classification, determination, alert_url, alert_id
| sort by _messageTime
| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
| tourl(alert_url, alert_id) as alert_id
| fields time, alert_id, title, description, alert_url, status, severity, category, classification, determination

The `nodrop` keeps alerts whose optional fields (for example `classification` or `determination`) are absent, and the `isNull` lines turn those gaps into "-" so they still group. Sorting is done on the numeric `_messageTime` before it is formatted, because sorting on the `dd-MM-yyyy` string would order rows by day-of-month rather than chronologically.
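The same filter, null-defaulting and grouping logic applied outside Sumo Logic, as an added Python example that is not part of this document or the Sumo Logic app. The alert lines are constructed to match the Microsoft Graph Security API alert field names used in the query above; the alert's `createdDateTime` stands in for Sumo's `_messageTime` metadata.

```python
import json
from collections import Counter
from datetime import datetime

TARGET = "microsoftDefenderForIdentity"

# Constructed sample lines in the shape of Graph Security API alerts
# (only the fields the query above reads); not real alert data.
SAMPLE_LINES = [
    json.dumps({"id": "a-1", "status": "new", "severity": "high", "category": "CredentialAccess",
                "title": "Suspected identity theft", "description": "d1",
                "classification": None, "determination": None, "serviceSource": TARGET,
                "alertWebUrl": "https://security.example.test/alerts/a-1",
                "createdDateTime": "2024-06-02T08:00:00Z"}),
    json.dumps({"id": "a-2", "status": "new", "severity": "medium", "category": "Malware",
                "title": "Suspicious file", "description": "d2",
                "classification": "truePositive", "determination": "malware",
                "serviceSource": "microsoftDefenderForEndpoint",  # filtered out
                "alertWebUrl": "https://security.example.test/alerts/a-2",
                "createdDateTime": "2024-06-01T08:00:00Z"}),
    json.dumps({"id": "a-3", "status": "inProgress", "severity": "low", "category": None,
                "title": "Account enumeration reconnaissance", "description": "d3",
                "classification": "falsePositive", "determination": "other",
                "serviceSource": TARGET,
                "alertWebUrl": "https://security.example.test/alerts/a-3",
                "createdDateTime": "2024-05-30T23:59:00Z"}),
]

def analyse_alerts(lines, service_source=TARGET):
    """Keep one serviceSource, default null fields to "-", count by the
    query's grouping keys and return rows in chronological order."""
    counts = Counter()
    for line in lines:
        a = json.loads(line)
        if a.get("serviceSource") != service_source:
            continue
        key = (a.get("createdDateTime"), a.get("id"), a.get("status"), a.get("severity"),
               a.get("category") or "-", a.get("title"), a.get("description"),
               a.get("classification") or "-", a.get("determination") or "-",
               a.get("alertWebUrl"))  # "or '-'" mirrors isNull(...) -> "-"
        counts[key] += 1
    rows = []
    for key, n in counts.items():
        ts = datetime.fromisoformat(key[0].replace("Z", "+00:00"))
        rows.append({"_ts": ts, "time": ts.strftime("%d-%m-%Y %H:%M:%S"), "alert_id": key[1],
                     "status": key[2], "severity": key[3], "category": key[4],
                     "title": key[5], "classification": key[7], "determination": key[8],
                     "alert_url": key[9], "count": n})
    rows.sort(key=lambda r: r["_ts"])  # sort on the timestamp, not the dd-MM-yyyy string
    for r in rows:
        del r["_ts"]
    return rows
```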
Copyright © 2025 by Sumo Logic, Inc.