Microsoft Entra Risk Detection Integration Guide
The following instructions describe how to configure an integration of Microsoft Entra Risk Detection logs for ingestion into Secureworks® Taegis™ XDR. For more information, see Entra Identity Protection Risk Detection Overview.
Important
This integration requires a Microsoft Entra ID Premium license.
XDR supports two integration paths for Entra logs:
- (Preferred) Integrate via Azure Event Hubs — This option is preferred because it provides the fastest and highest-throughput delivery of data; however, enabling it may incur additional Azure costs.
- Integrate via Microsoft Graph API (REST) — This option provides the same data as the event hub path, but because a REST API must be polled and Microsoft applies rate limits, there may be limits on how quickly data can be collected. See Office 365 and Azure Data Availability for information on our polling practices.
Data Provided from Integration
| | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| MS Azure Active Directory Identity Protection | CloudAudit, Thirdparty | | |
Start Event Hubs Integration
To integrate via event hubs, follow the integration instructions for Entra with an event hub.
Register an Application in Azure
1. Register an application in the Azure portal.
   - Name — Any descriptive string
   - Supported account types — Accounts in this organizational directory only
   Note
   Record the following values; they are needed to create the integration in XDR:
   - Directory (tenant) ID
   - Application (client) ID
2. Configure application permissions. The following Microsoft Graph permission is required:
   - IdentityRiskEvent.Read.All (application permission)
3. Click Grant admin consent for <Azure tenant name>.
4. Provide credentials for the application by uploading a certificate.
Important
Certificates expire. Renew the certificate in both Microsoft Entra ID and XDR before its expiration date to keep the integration working.
Important
XDR supports ONLY the Privacy-Enhanced Mail (PEM) format. More information on the PEM format can be found in RFC 7468.
Encrypted private keys and client secrets are NOT supported.
Note
Self-signed certificates are supported.
The following PowerShell script generates a self-signed certificate and writes it out as a PEM certificate file and a separate PEM private key file (an equivalent OpenSSL command can be used instead):
```powershell
# Prompt for the certificate name, private key file name, export password and output directory
$certname = Read-Host -Prompt "Enter certificate name"
$keyname  = Read-Host -Prompt "Enter key name"
$mypwd    = Read-Host -Prompt "Enter password" -AsSecureString   # protects the intermediate PFX only
$location = Read-Host -Prompt "Enter location"                   # existing output directory, e.g. C:\certs

# Create a 2048-bit RSA signing certificate in the current user's store (default validity is one year)
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

# Export the certificate and private key as a password-protected PFX
Export-PfxCertificate -Cert $cert -FilePath "$location\$certname.pfx" -Password $mypwd

# Convert the PFX to a single PEM file (certificate plus unencrypted private key) with the PSPKI module
Install-Module -Name PSPKI -Scope CurrentUser
Import-Module -Name PSPKI
Convert-PfxToPem -InputFile "$location\$certname.pfx" -Password $mypwd -OutputFile "$location\$certname.pem"

# Read the combined PEM file
$pemContent = Get-Content "$location\$certname.pem" -Raw

# Extract the private key (PKCS#8 "PRIVATE KEY" or PKCS#1 "RSA PRIVATE KEY" block) and the certificate
$privateKey  = $pemContent -replace "(?ms).*?(-----BEGIN (?:RSA )?PRIVATE KEY-----.+?-----END (?:RSA )?PRIVATE KEY-----).*", '$1'
$certificate = $pemContent -replace "(?ms).*?(-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----).*", '$1'

# Save the private key and certificate to separate ASCII files; the certificate file replaces the combined PEM
$privateKey  | Set-Content "$location\$keyname.pem" -Encoding ascii
$certificate | Set-Content "$location\$certname.pem" -Encoding ascii
Write-Host "Files located at: $location"
pause
```
Note
Copy and paste the preceding code into a text file, save it with a .ps1 extension (e.g., CertGen.ps1), and run the script in PowerShell. Upload the certificate file ($certname.pem) to the Entra application; the private key file ($keyname.pem) is uploaded only to XDR.
Note
Depending on the PowerShell version in use, you may need to replace -Subject with -SubjectName if -Subject produces an error.
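The registration steps above (single-tenant app, IdentityRiskEvent.Read.All application permission, admin consent, certificate credential) can also be scripted end to end. The following is an added example and is not Secureworks' or Microsoft's code: it first checks the PEM files produced by the certificate script against the constraints XDR imposes (PEM format, unencrypted key, not expired, key actually belongs to the certificate), then uses the Microsoft Graph PowerShell SDK to register the application, request and consent the permission, upload only the public certificate, and print the tenant and client IDs that XDR asks for. It assumes PowerShell 7.1 or later (for X509Certificate2::CreateFromPemFile), the Microsoft.Graph module, and an account that can consent to application permissions; the file paths and the display name are placeholders you supply.

```powershell
# Added example, not from the Secureworks page. Assumes PowerShell 7.1+, the Microsoft.Graph
# module, and a signed-in account that can grant admin consent for application permissions.
# Paths and the display name below are placeholders.
param(
    [Parameter(Mandatory)][string]$CertPath,   # e.g. C:\certs\taegis-entra.pem (certificate only)
    [Parameter(Mandatory)][string]$KeyPath,    # e.g. C:\certs\taegis-entra-key.pem (unencrypted key)
    [string]$DisplayName = 'Taegis XDR Entra Risk Detection'   # any descriptive string
)

# --- 1. Check the PEM material against XDR's constraints before touching Entra ---
$certPem = Get-Content -Path $CertPath -Raw
$keyPem  = Get-Content -Path $KeyPath -Raw

if ($certPem -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$CertPath is not a PEM-encoded certificate (RFC 7468 'CERTIFICATE' label expected)."
}
# Catches both PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED' keys
if ($keyPem -match 'ENCRYPTED') {
    throw "$KeyPath is encrypted; XDR does not accept encrypted keys. Export it without a passphrase."
}
if ($keyPem -notmatch '-----BEGIN (RSA )?PRIVATE KEY-----') {
    throw "$KeyPath is not a PEM private key."
}

# Loading certificate and key together throws if the key does not match the certificate
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPath, $KeyPath)
if (-not $cert.HasPrivateKey) { throw 'Private key did not load with the certificate.' }
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); generate a new one before uploading."
}
Write-Host "Certificate OK: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# --- 2. Register a single-tenant application ('Accounts in this organizational directory only') ---
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Resolve the app role GUID for IdentityRiskEvent.Read.All from the Microsoft Graph service principal
# (well-known Graph appId 00000003-0000-0000-c000-000000000000) instead of hard-coding it
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object {
    $_.Value -eq 'IdentityRiskEvent.Read.All' -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw 'IdentityRiskEvent.Read.All application role not found on the Graph service principal.' }

$app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(@{ Id = $role.Id; Type = 'Role' })   # Type 'Role' = application permission
    })

# --- 3. Grant admin consent: create the service principal and assign it the app role ---
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# --- 4. Upload the certificate as the app credential; only the DER certificate bytes leave this host ---
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @(@{
    Type        = 'AsymmetricX509Cert'
    Usage       = 'Verify'
    Key         = $cert.RawData
    DisplayName = "$DisplayName certificate"
    EndDateTime = $cert.NotAfter
})

# --- 5. Values to enter in XDR under Integrations -> Cloud APIs ---
$ctx = Get-MgContext
[pscustomobject]@{
    'Directory (tenant) ID'   = $ctx.TenantId
    'Application (client) ID' = $app.AppId
    'Certificate expires'     = $cert.NotAfter
}
```

Run it as `.\Register-TaegisApp.ps1 -CertPath C:\certs\taegis-entra.pem -KeyPath C:\certs\taegis-entra-key.pem`. The private key is read only to prove it matches the certificate; Entra receives the certificate's RawData, and the key file goes to XDR alone. When the printed expiry date approaches, generate a new certificate, repeat step 4 against the existing application, and upload the new pair in XDR.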
Add Integration in XDR
1. From the Taegis Menu, go to Integrations → Cloud APIs.
2. Click Add an Integration at the top of the page.
3. From the Optimized tab, click Office 365/Azure.
4. Choose Set Up under Azure Active Directory Identity Protection - Risk Detection.
5. Enter a name for the integration. This can be any string.
6. Enter the Tenant ID and the Application Client ID recorded in Step 1 of the Register an Application in Azure section.
7. Upload the certificate and its associated private key.
8. Select Done to complete the integration with XDR.