Microsoft Entra Risk Detection Integration Guide

These instructions configure an integration that ingests Microsoft Entra Risk Detection logs into Secureworks® Taegis™ XDR. For more information, see Entra Identity Protection Risk Detection Overview.

Important

This integration requires a Microsoft Entra premium license.

XDR supports two integration paths for Entra logs: event hubs and the Microsoft Graph API.

Data Provided from Integration

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
MS Azure Active Directory Identity Protection     CloudAudit, Thirdparty

Start Event Hubs Integration

To integrate via event hubs, follow the integration instructions for Entra with an event hub.

Start Microsoft Graph API Integration

Entra Identity Protection — Risk Detections

  1. From the Taegis Menu, select Integrations → Cloud APIs.

  2. Select Add an Integration from the top of the page.

  3. From the Optimized tab, choose Office 365/Azure.

  4. In the Azure Active Directory Identity Protection - Risk Detection box, select Authorize.
  5. You will be redirected to Microsoft’s identity provider to consent to access. Log in as a user who can grant tenant-wide admin consent for the Entra tenant to be integrated, and approve the listed permissions to authorize XDR access.
  6. When the consent process succeeds, you will be redirected back to XDR. Enter a name for the integration (the default value is the Microsoft tenant ID, but it can be changed to any applicable name).
  7. Click Done to complete the integration with XDR.

    Note

    You can create multiple Active Directory Identity Protection - Risk Detection integrations for the same Azure Tenant ID by giving each integration a unique name.
