Microsoft Entra ID Protection

Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These risks can be fed into SIEM (InsightIDR) for further investigation and correlation.

To set up Microsoft Entra ID Protection, complete the requirements and the configuration tasks below.

ℹ️

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with SIEM (InsightIDR), we recommend that you visit the third-party vendor’s product documentation.

Requirements

Before you start the configuration, ensure the following prerequisites are met:

  • You have an active Azure subscription.
  • The Azure account has at least the Application Developer role assigned. See Microsoft’s documentation for more information on Microsoft Entra built-in roles.
  • You have access to a Microsoft Entra ID tenant. You can use your Default Directory or set up an external tenant.

Configure Microsoft Entra ID Protection to send data to SIEM (InsightIDR)

To send data to SIEM (InsightIDR), you must register SIEM (InsightIDR) in Entra ID. This establishes a trust relationship between SIEM (InsightIDR) and the Microsoft identity platform. By completing these steps, you enable identity and access management (IAM) for your app, allowing it to securely interact with Microsoft services and APIs.

Task 1: Register SIEM (InsightIDR) as an application in Entra ID

Follow Microsoft’s documentation to register an application for SIEM (InsightIDR) in Entra ID.

Task 2: Create and record the client secret

Follow Microsoft’s documentation to create a client secret for the application you registered in Task 1. Once the client secret is created, securely record the client secret value. You will need this value to configure SIEM (InsightIDR) to collect data from the event source.

  • You are only able to view and copy the client secret value immediately after creating the client secret. If you log out or leave this page, you will not be able to copy the client secret value and will need to create another one.
  • When the secret expires, you are required to reconfigure the event source.

Task 3: Configure the application permissions

Follow Microsoft’s documentation to apply permissions to the application you registered in Task 1.

  • Apply the following required application permissions (not delegation permissions):
    • IdentityRiskEvent.Read.All
    • IdentityRiskyUser.Read.All
    • SignInIdentifier.Read.All
    • IdentityRiskyServicePrincipal.Read.All
    • AuditLog.Read.All
  • Ensure you grant admin consent for your organization once you have applied the required permissions.
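When the event source later reports no data, the usual cause is that a permission was added as a delegated permission, or admin consent was never granted. An app-only token issued to the registration lists the consented application permissions in its `roles` claim (delegated permissions would appear in `scp` instead). The following Python is an added example, not Rapid7's or Microsoft's code: it decodes a token's claims without verifying the signature (Graph does the verification; this is only for inspecting what was issued) and compares the `roles` claim against the five permissions listed above. The token in the block is constructed and unsigned, purely so the check can run offline.

```python
import base64
import json

# Application permissions the page requires for the registered app; these show
# up in the "roles" claim of an app-only (client credentials) token.
REQUIRED_APP_ROLES = {
    "IdentityRiskEvent.Read.All",
    "IdentityRiskyUser.Read.All",
    "SignInIdentifier.Read.All",
    "IdentityRiskyServicePrincipal.Read.All",
    "AuditLog.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_app_permissions(token: str, required=frozenset(REQUIRED_APP_ROLES)) -> dict:
    """Report which required application permissions the token does not carry.

    'delegated_only' lists required permissions that were granted as delegated
    scopes (scp) instead of application roles, the mistake the page warns about.
    """
    claims = decode_jwt_payload(token)
    granted = set(claims.get("roles", []))
    delegated = set(claims["scp"].split()) if claims.get("scp") else set()
    return {
        "ok": required <= granted,
        "missing": sorted(required - granted),
        "delegated_only": sorted((required & delegated) - granted),
    }


def constructed_token(payload: dict) -> str:
    """Build an unsigned token (alg none) for offline testing. Constructed, not real."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    # Constructed claims: one permission granted as delegated instead of application.
    sample = constructed_token({
        "aud": "https://graph.microsoft.com",
        "roles": sorted(REQUIRED_APP_ROLES - {"AuditLog.Read.All"}),
        "scp": "AuditLog.Read.All",
    })
    print(json.dumps(check_app_permissions(sample), indent=2))
```

Obtain a real token with the registration's client ID and secret (client credentials grant against the tenant) and pass it to `check_app_permissions`; an empty `missing` list means consent covers everything the event source needs.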

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Microsoft Entra ID Protection

This task differs depending on which version of Microsoft Entra ID Protection you need to set up (Microsoft Entra ID Protection, Microsoft Entra ID Protection GCC, or Microsoft Entra ID Protection GCC High).

Microsoft Entra ID Protection

To select the Microsoft Entra ID Protection event source:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Entra ID Protection in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Microsoft Entra ID Protection event source tile.

Microsoft Entra ID Protection GCC

To select the Microsoft Entra ID Protection GCC event source:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Entra ID Protection GCC in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Microsoft Entra ID Protection GCC event source tile.

Microsoft Entra ID Protection GCC High

To select the Microsoft Entra ID Protection GCC High event source:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Entra ID Protection GCC High in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Microsoft Entra ID Protection GCC High event source tile.

Task 2: Set up your collection method

You can collect data from Entra ID through a cloud connection.

ℹ️

New credentials are required for cloud event sources

You cannot reuse existing on-premises credentials to create a cloud connection with this event source. You must create new credentials.

  1. Name the event source.
  2. In Connectivity Details, click Add a New Connection.
  3. In the Create a Cloud Connection screen, enter a name for the new connection.
  4. In Tenant ID and Client ID, enter the details you recorded from the application's Overview page in the previous section, Configure Microsoft Entra ID Protection to send data to SIEM (InsightIDR).
  5. In the Select Credential field, add a new credential using the client secret value you recorded in Task 2 of the previous section.
  6. Click Save & Test Connection.
  7. Optionally, select the option to send unparsed data.
  8. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  9. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  10. Click Save.
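The two attribution options in step 8 differ only in whether a short-name lookup sits between the email and the first-and-last-name lookups. The following Python is an added illustration of that fallback chain, not InsightIDR's own attribution code: the directory is constructed, the field names are assumptions, and it treats a short name that matches more than one user (the collision case the page mentions) as an unsuccessful attempt, so the chain falls through to the next method.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class User:
    email: str
    short_name: str
    display_name: str

# Constructed directory: two people share the short name "jsmith".
DIRECTORY = [
    User("jsmith@myorg.example.com", "jsmith", "John Smith"),
    User("jsmith@sub.example.com", "jsmith", "Jane Smith"),
    User("aj@myorg.example.com", "aj", "Alice Johnson"),
]

# Fields a log record may carry; names are assumptions for this example.
EVIDENCE_KEYS = ("email", "short_name", "display_name")


def attribute(evidence: dict, directory=DIRECTORY, mode: str = "short_name") -> Tuple[Optional[str], Optional[User]]:
    """Return (method_that_matched, user) or (None, None).

    mode="short_name": email -> short name -> first and last name
    mode="fqdn":       email -> first and last name
    Only an unambiguous single match counts; zero or several matches fall through.
    """
    steps = [("email", lambda u: u.email)]
    if mode == "short_name":
        steps.append(("short_name", lambda u: u.short_name))
    elif mode != "fqdn":
        raise ValueError(f"unknown attribution mode: {mode}")
    steps.append(("display_name", lambda u: u.display_name))

    for key, field in steps:
        value = evidence.get(key)
        if not value:
            continue  # nothing to match on for this method
        matches = [u for u in directory if field(u).lower() == value.lower()]
        if len(matches) == 1:
            return key, matches[0]
        # len 0: unknown; len > 1: collision. Both are "unsuccessful" here.
    return None, None


if __name__ == "__main__":
    sample = {"short_name": "jsmith", "display_name": "Jane Smith"}
    print(attribute(sample, mode="short_name"))
    print(attribute(sample, mode="fqdn"))
```

In an environment with colliding short names, the `fqdn` mode simply never consults the ambiguous field, which is why the page recommends it for that case.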

Test the configuration

To test that event data is flowing into SIEM (InsightIDR):

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.

Sample logs

The Entra ID event source retrieves user and user group data. The Entra ID Protection event source adds Identity Protection context by collecting logs for:

  • Risky users – Users flagged as risky by Identity Protection
  • Risky service principals – Service principals flagged as risky
  • Risk detections – Individual risk detection events (for example, anonymous IP or leaked credentials)
  • Risky sign-ins – Sign-in events flagged as risky

Risky user example

{
  "@odata.type": "#microsoft.graph.riskyUser",
  "id": "d1d4a5d4-a5d4-d1d4-d4a5-d4d1d4a5d4d1",
  "isDeleted": false,
  "isProcessing": false,
  "riskLastUpdatedDateTime": "2024-03-04T09:45:32Z",
  "riskLevel": "high",
  "riskState": "atRisk",
  "riskDetail": "none",
  "userDisplayName": "Alice Johnson",
  "userPrincipalName": "alice.johnson@contoso.com"
}

Risk detection examples

Example 1: Unfamiliar features detection

{
  "@odata.type": "#microsoft.graph.riskDetection",
  "id": "6a5874ca-abcd-9d82-5ad39bd71600",
  "requestId": "6a5874ca-abcd-9d82-5ad39bd71600",
  "correlationId": "abcd74ca-9823-4b1c-9d82-5ad39bd71600",
  "riskEventType": "unfamiliarFeatures",
  "riskState": "remediated",
  "riskLevel": "medium",
  "riskDetail": "userPerformedSecuredPasswordReset",
  "source": "activeDirectory",
  "detectionTimingType": "realtime",
  "activity": "signin",
  "tokenIssuerType": "Azure Active Directory",
  "ipAddress": "198.51.100.89",
  "location": {
    "city": "Seattle",
    "state": "Washington",
    "countryOrRegion": "US",
    "geoCoordinates": null
  },
  "activityDateTime": "2024-03-05T00:09:18.782Z",
  "detectedDateTime": "2024-03-05T00:11:27.773Z",
  "lastUpdatedDateTime": "2024-03-05T00:11:27.773Z",
  "userId": "abcdefab-af90-4edf-ac4c-742ff06735d0",
  "userDisplayName": "Olivia Lack",
  "userPrincipalName": "olack@contoso.com",
  "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36\"}]"
}

Example 2: Anonymous IP address detection

{
  "@odata.type": "#microsoft.graph.riskDetection",
  "id": "2b7f9e4a-1c3d-5e6f-8a9b-0c1d2e3f4a5b",
  "requestId": "4f8a3b2c-7d1e-6f5a-9b8c-2e3d4f5a6b7c",
  "correlationId": "9c8d7e6f-5a4b-3c2d-1e0f-a9b8c7d6e5f4",
  "riskEventType": "anonymizedIPAddress",
  "riskState": "atRisk",
  "riskLevel": "high",
  "riskDetail": "none",
  "source": "IdentityProtection",
  "detectionTimingType": "realtime",
  "activity": "signin",
  "tokenIssuerType": "Azure Active Directory",
  "ipAddress": "203.0.113.156",
  "location": {
    "city": "Unknown",
    "state": null,
    "countryOrRegion": "TOR",
    "geoCoordinates": null
  },
  "activityDateTime": "2024-03-04T14:22:45.123Z",
  "detectedDateTime": "2024-03-04T14:23:10.456Z",
  "lastUpdatedDateTime": "2024-03-04T14:23:10.456Z",
  "userId": "7c8d9e0f-1a2b-3c4d-5e6f-a7b8c9d0e1f2",
  "userDisplayName": "Bob Martinez",
  "userPrincipalName": "bob.martinez@contoso.com",
  "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36\"}]"
}

Risky sign-in examples

Example 1: High-risk interactive sign-in

{
  "id": "4a5b6c7d-8e9f-0a1b-2c3d-4e5f6a7b8c9d",
  "createdDateTime": "2024-03-04T10:15:22Z",
  "userDisplayName": "David Brown",
  "userPrincipalName": "david.brown@contoso.com",
  "userId": "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
  "appId": "00000002-0000-0ff1-ce00-000000000000",
  "appDisplayName": "Microsoft Office 365 Portal",
  "ipAddress": "198.51.100.123",
  "clientAppUsed": "Browser",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "correlationId": "8d9e0f1a-2b3c-4d5e-6f7a-8b9c0d1e2f3a",
  "conditionalAccessStatus": "success",
  "isInteractive": true,
  "riskDetail": "none",
  "riskLevelAggregated": "high",
  "riskLevelDuringSignIn": "high",
  "riskState": "atRisk",
  "riskEventTypes": [ "anonymizedIPAddress", "unfamiliarFeatures" ],
  "riskEventTypes_v2": [ "anonymizedIPAddress", "unfamiliarFeatures" ],
  "resourceDisplayName": "Office 365 SharePoint Online",
  "resourceId": "00000003-0000-0ff1-ce00-000000000000",
  "status": {
    "errorCode": 0,
    "failureReason": null,
    "additionalDetails": null
  },
  "deviceDetail": {
    "deviceId": "",
    "displayName": null,
    "operatingSystem": "Windows 10",
    "browser": "Chrome 118.0.0",
    "isCompliant": false,
    "isManaged": false,
    "trustType": ""
  },
  "location": {
    "city": "Redmond",
    "state": "Washington",
    "countryOrRegion": "US",
    "geoCoordinates": { "latitude": 47.6740, "longitude": -122.1215 }
  },
  "authenticationProcessingDetails": [],
  "networkLocationDetails": [],
  "processingTimeInMilliseconds": 450
}

Example 2: Medium-risk non-interactive sign-in

{
  "id": "7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b",
  "createdDateTime": "2024-03-04T11:42:18Z",
  "userDisplayName": "Emma Davis",
  "userPrincipalName": "emma.davis@contoso.com",
  "userId": "9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f",
  "appId": "00000003-0000-0000-c000-000000000000",
  "appDisplayName": "Microsoft Graph",
  "ipAddress": "203.0.113.45",
  "clientAppUsed": "Mobile Apps and Desktop clients",
  "userAgent": "Microsoft Outlook 16.0 (Windows NT 10.0)",
  "correlationId": "2f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c",
  "conditionalAccessStatus": "notApplied",
  "isInteractive": false,
  "riskDetail": "none",
  "riskLevelAggregated": "medium",
  "riskLevelDuringSignIn": "medium",
  "riskState": "atRisk",
  "riskEventTypes": [ "impossibleTravel" ],
  "riskEventTypes_v2": [ "impossibleTravel" ],
  "resourceDisplayName": "Microsoft Exchange Online",
  "resourceId": "00000002-0000-0ff1-ce00-000000000000",
  "status": {
    "errorCode": 0,
    "failureReason": null,
    "additionalDetails": "Non-interactive sign-in"
  },
  "deviceDetail": {
    "deviceId": "1f2a3b4c-5d6e-7f8a-9b0c-1d2e3f4a5b6c",
    "displayName": "LAPTOP-EMMA123",
    "operatingSystem": "Windows 11",
    "browser": "unknown",
    "isCompliant": true,
    "isManaged": true,
    "trustType": "Hybrid Azure AD joined"
  },
  "location": {
    "city": "London",
    "state": "England",
    "countryOrRegion": "GB",
    "geoCoordinates": { "latitude": 51.5074, "longitude": -0.1278 }
  },
  "authenticationProcessingDetails": [],
  "networkLocationDetails": [],
  "processingTimeInMilliseconds": 250
}
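The four record kinds above arrive through one event source but carry their risk fields in different places: risky users and risk detections use `riskLevel`, risky sign-ins use `riskLevelDuringSignIn` and list their detections under `riskEventTypes_v2`, and the `additionalInfo` field of a risk detection is a JSON array serialised inside a JSON string, so it needs a second decode. The following Python is an added example, not InsightIDR's parser: it classifies a raw record, folds the risk fields into one shape and flags open high-risk findings for triage. The three records embedded in the block are trimmed copies of the sample logs on this page, included so the example runs offline.

```python
import json
from datetime import datetime
from typing import Optional

# Trimmed copies of the page's sample records (constructed test input).
RISKY_USER = r'''{"@odata.type": "#microsoft.graph.riskyUser", "id": "d1d4a5d4-a5d4-d1d4-d4a5-d4d1d4a5d4d1",
 "riskLastUpdatedDateTime": "2024-03-04T09:45:32Z", "riskLevel": "high", "riskState": "atRisk",
 "riskDetail": "none", "userPrincipalName": "alice.johnson@contoso.com"}'''
RISK_DETECTION = r'''{"@odata.type": "#microsoft.graph.riskDetection", "id": "6a5874ca-abcd-9d82-5ad39bd71600",
 "riskEventType": "unfamiliarFeatures", "riskState": "remediated", "riskLevel": "medium",
 "ipAddress": "198.51.100.89", "location": {"city": "Seattle", "countryOrRegion": "US"},
 "activityDateTime": "2024-03-05T00:09:18.782Z", "userPrincipalName": "olack@contoso.com",
 "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\"}]"}'''
RISKY_SIGNIN = r'''{"id": "4a5b6c7d-8e9f-0a1b-2c3d-4e5f6a7b8c9d", "createdDateTime": "2024-03-04T10:15:22Z",
 "userPrincipalName": "david.brown@contoso.com", "ipAddress": "198.51.100.123", "isInteractive": true,
 "riskLevelDuringSignIn": "high", "riskState": "atRisk",
 "riskEventTypes": ["anonymizedIPAddress", "unfamiliarFeatures"],
 "riskEventTypes_v2": ["anonymizedIPAddress", "unfamiliarFeatures"],
 "location": {"city": "Redmond", "countryOrRegion": "US"}}'''


def classify(record: dict) -> str:
    """Name the Identity Protection collection a record came from."""
    odata = record.get("@odata.type", "")
    for kind in ("riskyUser", "riskyServicePrincipal", "riskDetection"):
        if odata.endswith(kind):
            return kind
    # Sign-in records in the page's samples carry no @odata.type; key off their risk field.
    if "riskLevelDuringSignIn" in record:
        return "riskySignIn"
    return "unknown"


def parse_additional_info(value: Optional[str]) -> dict:
    """Decode the Key/Value array that riskDetection stores as a string inside the JSON."""
    if not value:
        return {}
    try:
        pairs = json.loads(value)
    except json.JSONDecodeError:
        return {"_raw": value}  # keep the evidence rather than dropping it
    return {p["Key"]: p.get("Value") for p in pairs if isinstance(p, dict) and "Key" in p}


def _timestamp(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def normalize(record: dict) -> dict:
    """Fold the per-kind risk fields into one shape for correlation."""
    kind = classify(record)
    if kind == "riskySignIn":
        level = record.get("riskLevelDuringSignIn")
        types = list(record.get("riskEventTypes_v2") or record.get("riskEventTypes") or [])
        when = _timestamp(record.get("createdDateTime"))
    elif kind == "riskDetection":
        level = record.get("riskLevel")
        types = [record["riskEventType"]] if record.get("riskEventType") else []
        when = _timestamp(record.get("activityDateTime"))
    else:
        level = record.get("riskLevel")
        types = []
        when = _timestamp(record.get("riskLastUpdatedDateTime"))
    location = record.get("location") or {}
    return {
        "kind": kind,
        "user": record.get("userPrincipalName"),
        "risk_level": level,
        "risk_state": record.get("riskState"),
        "risk_types": types,
        "ip": record.get("ipAddress"),
        "country": location.get("countryOrRegion"),
        "time": when,
        "extra": parse_additional_info(record.get("additionalInfo")),
    }


def needs_triage(event: dict) -> bool:
    """Open (atRisk) high-level findings; remediated or dismissed records do not qualify."""
    return event["risk_state"] == "atRisk" and event["risk_level"] == "high"


if __name__ == "__main__":
    for raw in (RISKY_USER, RISK_DETECTION, RISKY_SIGNIN):
        event = normalize(json.loads(raw))
        print(event["kind"], event["user"], event["risk_types"], needs_triage(event))
```

Feeding every collected record through `normalize` gives one field set to key correlation rules on (user, IP, risk types, time) regardless of which of the four collections produced it.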