Microsoft Entra ID

Entra ID is a cloud-based identity and access management provider that centralizes user identity across your organization. Adding an Entra ID event source allows SIEM (InsightIDR) to ingest user data from Entra ID for user attribution. You only need to configure one Entra ID event source per organization, even if you manage multiple Entra applications.

ℹ️

LDAP as an Event Source for On-Premises Identity Provider

If your organization uses Active Directory for on-premises identity services, you can configure the LDAP event source in SIEM (InsightIDR) to enable user attribution. This integration correlates authentication data with user activity, providing valuable context for detections and investigations across your environment.

To set up Microsoft Entra ID:

ℹ️

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with SIEM (InsightIDR), we recommend that you visit the third-party vendor’s product documentation.

Requirements

Before you begin:

  • An active Azure subscription.
  • The Azure account must be at least Application Developer.
  • The app must have the permissions Group.Read.All and User.Read.All.
  • Access to a Microsoft Entra ID tenant. You can use your Default Directory or set up an external tenant.

Configure Microsoft Entra ID to send data to SIEM (InsightIDR)

To send data to SIEM (InsightIDR), you must register SIEM (InsightIDR) in Entra ID. This establishes a trust relationship between SIEM (InsightIDR) and the Microsoft identity platform. By completing these steps, you enable identity and access management (IAM) for your app, allowing it to securely interact with Microsoft services and APIs.

To create a trust relationship between your SIEM (InsightIDR) and the Microsoft identity platform:

  1. Sign in to the Microsoft Entra admin center as a user with Application Developer rights.

  2. If you have access to multiple tenants, select the Settings icon in the top menu and switch to the desired tenant.

  3. Navigate to Entra ID > App registrations.

  4. Select + New registration.

  5. Enter a meaningful Name for your application. This can be changed later and will be visible to users.

  6. Under Supported account types, select who can use the application:

     | Option | Description |
     | ------ | ----------- |
     | Accounts in this organizational directory only | Single-tenant apps for use within your organization. |
     | Accounts in any organizational directory | Multi-tenant apps usable by any Microsoft Entra tenant. |
     | Accounts in any organizational directory and personal Microsoft accounts | Supports both work/school and personal Microsoft accounts. |
     | Personal Microsoft accounts only | Restricts access to personal Microsoft accounts only. |

  7. Click Register.

After registration:

  • The Overview page is displayed.
  • Record the Tenant ID, Client ID, and Client Secret for use when configuring SIEM (InsightIDR) to collect data from the event source.

New app registrations are hidden from users by default. To make your app visible:

Go to Entra ID > Enterprise applications, select your app, then set Visible to users? to Yes under the Properties page.

Grant admin consent (external tenants only)

For external tenants, admin consent is required because users can’t self-consent to permissions:

  1. From your app registration’s Overview page, go to API permissions.
  2. Select Grant admin consent for <tenant name>.
  3. Confirm by selecting Yes.
  4. Click Refresh and verify that Granted for <tenant name> appears under Status.
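Before pasting the Tenant ID, Client ID and Client Secret into SIEM (InsightIDR), it is worth confirming that the registration actually works and that admin consent granted the two permissions listed under Requirements. The script below is an added example, not Rapid7 or Microsoft code: it obtains an app-only Microsoft Graph token with the client-credentials flow, checks the token's roles claim for Group.Read.All and User.Read.All, lists a few users, and mirrors the accountEnabled status mapping described at the end of this page. The environment variable names, function names and the offline fixture are assumptions.

```python
"""Pre-flight check for the Entra ID app registration described above.
Added example, not Rapid7 code: env var names, function names and sample data are assumptions."""
import base64, json, os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com"
# Application permissions the page requires; they show up in the app token's "roles" claim.
REQUIRED_ROLES = {"Group.Read.All", "User.Read.All"}

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request for an app-only Microsoft Graph token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": f"{GRAPH}/.default", "grant_type": "client_credentials"})
    return url, body.encode()

def jwt_payload(token):
    """Decode a JWT's claims for inspection only; no signature check (Graph verifies the token)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def missing_roles(claims):
    """Required application permissions that admin consent has not (yet) granted."""
    return sorted(REQUIRED_ROLES - set(claims.get("roles", [])))

def map_status(user):
    """Mirror the page's status mapping: accountEnabled -> Enabled / Disabled."""
    return "Enabled" if user.get("accountEnabled") else "Disabled"

def unsigned_jwt(claims):
    """Constructed fixture (alg=none, empty signature) so the checks can run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def main():
    """Live check: token -> granted roles -> a small user sample with mapped status."""
    url, body = token_request(os.environ["ENTRA_TENANT_ID"], os.environ["ENTRA_CLIENT_ID"],
                              os.environ["ENTRA_CLIENT_SECRET"])
    token = json.load(urlopen(Request(url, data=body)))["access_token"]
    if gaps := missing_roles(jwt_payload(token)):
        raise SystemExit(f"admin consent missing for: {', '.join(gaps)}")
    req = Request(f"{GRAPH}/v1.0/users?$select=userPrincipalName,accountEnabled&$top=5",
                  headers={"Authorization": f"Bearer {token}"})
    for user in json.load(urlopen(req))["value"]:
        print(user["userPrincipalName"], map_status(user))

if __name__ == "__main__":
    main()
```

A non-empty "admin consent missing" result means the Status column on the API permissions page will not show Granted for <tenant name> yet, so fix that before continuing to the SIEM (InsightIDR) side.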

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Microsoft Entra ID

This task differs depending on which version of Microsoft Entra ID you need to set up (Microsoft Entra ID, Microsoft Entra ID GCC, Microsoft Entra ID GCC High, Microsoft Entra ID Protection, Microsoft Entra ID Protection GCC, or Microsoft Entra ID Protection GCC High).

Microsoft Entra ID

To select the Microsoft Entra ID event source:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Entra ID in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Microsoft Entra ID event source tile.

Microsoft Entra ID GCC

To select the Microsoft Entra ID GCC event source:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Entra ID GCC in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Microsoft Entra ID GCC event source tile.

Microsoft Entra ID GCC High

To select the Microsoft Entra ID GCC High event source:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Entra ID GCC High in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Microsoft Entra ID GCC High event source tile.

Task 2: Set up your collection method

You can collect data from Entra ID through a cloud connection.

ℹ️

New credentials are required for cloud event sources

You cannot reuse existing on-premises credentials to create a cloud connection with this event source. You must create new credentials.

Use the Cloud Connection method

  1. Name the event source.
  2. In Connectivity Details, click Add a New Connection.
  3. In the Create a Cloud Connection screen, enter a name for the new connection.
  4. In Tenant ID and Client ID, enter the details you recorded from the Overview page in the previous section, Configure Entra ID to send data to SIEM (InsightIDR).
  5. In the Select Credential field, add a new credential:
    • Name your credential.
    • Describe your credential.
    • Select the credential type.
    • Enter the Client Secret that you obtained in the previous section, Configure Entra ID to send data to SIEM (InsightIDR).
    • Select whether the current product or all Rapid7 products should be able to use this credential.
  6. Click Save & Test Connection.

Test the configuration

To test that event data is flowing into SIEM (InsightIDR):

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.

Entra ID to SIEM (InsightIDR) status mapping

When the user data is ingested by SIEM (InsightIDR), the following Entra user statuses will map to the corresponding SIEM (InsightIDR) status in User Details in Users and Accounts:

| Entra ID Status | SIEM (InsightIDR) Status |
| --------------- | ------------------------ |
| Enabled (accountEnabled:true) | Enabled |
| Disabled (accountEnabled:false) | Disabled |