Microsoft Entra ID Protection

Microsoft Entra ID Protection is a cloud-based identity security solution that helps you detect, investigate, and remediate identity-based risks in real time. It is a key component of the Microsoft Entra suite, which focuses on securing access to applications and data across cloud and on-premises environments.
This document outlines the steps required to collect and analyse the Microsoft Entra ID Protection alerts in the Sumo Logic platform.
Set up collection
Skip this step if you have already configured the Microsoft Graph Security API Source.
Use the Cloud-to-Cloud Integration for Microsoft Graph Security API to ingest security alerts data from the Microsoft Entra ID Protection to the Sumo Logic platform.
Search alerts
Use the following query to retrieve alerts generated by Microsoft Entra ID Protection. Replace Labs/MicrosoftGraphSecurity with the source category you assigned to the Microsoft Graph Security API Source; the serviceSource filter is what narrows the Graph Security alert stream to Identity Protection alerts.
_sourceCategory=Labs/MicrosoftGraphSecurity
| json field=_raw "serviceSource" as service_source
| where service_source = "azureAdIdentityProtection"
Analyse alerts
Use the following query to extract detailed insights from the alert data. The three matches "*" filters are placeholders that match every value; narrow them (for example, severity matches "high") to scope the results. The query sorts on _messageTime before formatting it, because the day-first "dd-MM-yyyy" display string does not sort chronologically.
_sourceCategory=Labs/MicrosoftGraphSecurity
| json "id", "status", "severity", "category", "title", "description", "classification", "determination", "serviceSource", "detectionSource", "alertWebUrl", "comments[*]", "evidence[*]" as alert_id, status, severity, category, title, description, classification, determination, service_source, detection_source, alert_url, comments, evidence_info nodrop
| where service_source = "azureAdIdentityProtection"
| where severity matches "*" and status matches "*" and classification matches "*"
| if(isNull(category), "-", category) as category
| if(isNull(classification), "-", classification) as classification
| if(isNull(determination), "-", determination) as determination
| count by _messageTime, status, severity, category, title, description, classification, determination, alert_url, alert_id
| sort by _messageTime asc
| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
| tourl(alert_url, alert_id) as alert_id
| fields time, alert_id, title, description, alert_url, status, severity, category, classification, determination
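As an added example (not part of this page, the Sumo Logic source, or Microsoft's code), the following Python script applies the same filter and field extraction as the two queries above to constructed sample messages: it keeps only alerts whose serviceSource is "azureAdIdentityProtection", defaults null category, classification and determination to "-", and shows why the sort has to run on _messageTime rather than on the "dd-MM-yyyy" display string. The alert ids, URLs and descriptions are placeholders; the field names follow the Graph Security alerts_v2 schema the queries extract from, and the _raw/_messageTime wrapping imitates how Sumo Logic stores each message.

```python
import json
from datetime import datetime, timezone

SERVICE_SOURCE = "azureAdIdentityProtection"
# Same day-first display pattern the page's Sumo Logic query uses.
DISPLAY_FORMAT = "%d-%m-%Y %H:%M:%S"


def _epoch_ms(iso_utc):
    """ISO-8601 UTC timestamp -> epoch milliseconds, the unit of Sumo Logic's _messageTime."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _message(alert_id, created, service, severity, status, title,
             classification=None, determination=None):
    """Build one constructed alert (alerts_v2-shaped field names, placeholder values)
    wrapped the way Sumo Logic stores it: the JSON in _raw plus _messageTime."""
    alert = {
        "id": alert_id,
        "createdDateTime": created,
        "status": status,
        "severity": severity,
        "category": "InitialAccess",
        "title": title,
        "description": "Constructed sample description for " + title,
        "classification": classification,
        "determination": determination,
        "serviceSource": service,
        "detectionSource": service,
        "alertWebUrl": "https://example.invalid/alerts/" + alert_id,  # placeholder URL
        "comments": [],
        "evidence": [],
    }
    return {"_messageTime": _epoch_ms(created), "_raw": json.dumps(alert)}


# Constructed sample, not real alerts. The third record comes from a different
# Graph Security service and must be dropped by the serviceSource filter.
SAMPLE_MESSAGES = [
    _message("alert-0001", "2024-01-31T10:00:00Z", SERVICE_SOURCE, "medium", "new",
             "Atypical travel"),
    _message("alert-0002", "2024-02-01T09:00:00Z", SERVICE_SOURCE, "high", "resolved",
             "Leaked credentials", classification="truePositive",
             determination="compromisedUser"),
    _message("alert-0003", "2024-02-01T09:30:00Z", "microsoftDefenderForEndpoint", "low",
             "new", "Suspicious process"),
]


def extract_alerts(messages, service_source=SERVICE_SOURCE):
    """Mirror the page's analysis query: keep alerts from service_source, pull the
    fields it extracts, default the nullable ones to "-", and sort chronologically
    on the epoch value (not on the formatted string)."""
    rows = []
    for msg in messages:
        alert = json.loads(msg["_raw"])
        if alert.get("serviceSource") != service_source:
            continue
        rows.append({
            "_messageTime": msg["_messageTime"],
            "alert_id": alert.get("id"),
            "status": alert.get("status"),
            "severity": alert.get("severity"),
            "category": alert.get("category") or "-",
            "title": alert.get("title"),
            "description": alert.get("description"),
            "classification": alert.get("classification") or "-",
            "determination": alert.get("determination") or "-",
            "alert_url": alert.get("alertWebUrl"),
        })
    rows.sort(key=lambda r: r["_messageTime"])
    for r in rows:
        r["time"] = datetime.fromtimestamp(
            r["_messageTime"] / 1000, tz=timezone.utc).strftime(DISPLAY_FORMAT)
    return rows


def order_by_display_string(rows):
    """What `sort by time` on the formatted dd-MM-yyyy string really does: lexical
    order. Returns alert ids in that order so the misordering is visible."""
    return [r["alert_id"] for r in sorted(rows, key=lambda r: r["time"])]


if __name__ == "__main__":
    rows = extract_alerts(SAMPLE_MESSAGES)
    for row in rows:
        print(row["time"], row["alert_id"], row["severity"],
              row["classification"], row["determination"])
    print("lexical order of the display string:", order_by_display_string(rows))
```

With the sample above, the epoch sort yields alert-0001 (31 January) before alert-0002 (1 February), while lexical order of the display string puts "01-02-2024 ..." ahead of "31-01-2024 ...", which is the misordering the query avoids by sorting on _messageTime first.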