Sentinel missing Entra ID risky user


Greetings

I feel I need to get some input on a serious omission I came across today on Sentinel's part. A user had somehow grown fed up with MFA notifications in the Microsoft Authenticator (we use number matching), and the user opted to deny several notifications. This caused Entra ID Protection to flag the user as compromised and lock the user's account. So far everything went according to plan.

[Screenshot: TheHoff70_0-1702470849538.png]

However none of this appeared in our Sentinel tenant which has a data connector to Entra ID protection and is reporting other Entra ID Protection events. Since we do not have SOC monitoring on anything but Sentinel this omission caused the user to be denied access to Office365 for longer than was intended.

So far I've dug up the event from AADUserRiskEvents Log Analytics table which lists the event as expected.

[Screenshot: TheHoff70_1-1702471085466.png]

But there is no listing in any Sentinel-related tables like SecurityAlerts, and there is no trace whatsoever in Sentinel of the incident in question.

Am I missing something or is there a bug somewhere?

Regards

Fredrik

2 Replies
The data connector will populate the AADUserRiskEvents table, like you just saw. If you look at the "Microsoft Entra ID" data connector, you will see the listing of tables that it will populate. The only way you would be notified about the event is if you have an Analytic Rule to query this table for the event.
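The reply above says the connector only lands the data in AADUserRiskEvents and that an analytics rule has to query it before Sentinel raises anything. As an added illustration (not code from this thread or from Microsoft), here is the kind of KQL a scheduled analytics rule could run over that table to turn newly raised user risk detections into an incident. The column names follow the AADUserRiskEvents schema as I know it (UserPrincipalName, RiskLevel, RiskState, RiskEventType, IpAddress) and the RiskState values are assumed from the Entra ID Protection documentation; check them against the schema pane in your own workspace before saving the rule.

```kql
// Added example, not from the original thread: scheduled analytics rule query
// that fires when Entra ID Protection raises a medium or high user risk.
// Column and value names are assumptions; verify against your workspace schema.
AADUserRiskEvents
| where TimeGenerated > ago(1h)                     // match the rule's lookback period
| where RiskState in ("atRisk", "confirmedCompromised")
| where RiskLevel in ("medium", "high")
| summarize
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    DetectionCount = count(),
    RiskEventTypes = make_set(RiskEventType),
    SourceIPs      = make_set(IpAddress)
    by UserPrincipalName, RiskLevel, RiskState
| project UserPrincipalName, RiskLevel, RiskState, DetectionCount,
          RiskEventTypes, SourceIPs, FirstSeen, LastSeen
```

Save this as a scheduled rule with a run frequency shorter than the 1h window so overlapping runs do not miss a detection, map UserPrincipalName to the Account entity in the rule wizard so the incident carries the user, and set an alert grouping that groups by UserPrincipalName so repeated denials from the same user land in one incident rather than several. Lowering the RiskLevel filter to include "low" gives earlier visibility at the cost of more noise.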
I get it, and I have a few NRT rules that query the SigninLogs table and others for events related to user risk, but to me it seems like a faulty design when not even the native Microsoft Entra ID Protection analytics rule generates an incident in Sentinel.