Microsoft Defender for Identity

We currently have the Rapid7 SIEM and I'm trying to confirm a Microsoft log source. We have Microsoft Defender for Cloud, Endpoint, and Identity. I have seen Defender for Cloud and Endpoint alerts coming into the SIEM, but I can't find Identity alerts. Does anyone else have Identity configured to feed the SIEM, or is it supposed to happen by default, since the alerts are supposed to feed into Defender for Endpoint?

If you're talking about things like Risky sign-ins, we've got a custom alert that looks for the following in the Ingress Authentication > Azure Event Hub log:
source_json.properties.riskState = "atRisk"

1 Like

@dbutler and @matt_robinson,

I made these a while back, but let me know if they are helpful. They go against the Ingress Authentication log set for your Azure Event Hub:

groupby("source_json.properties.riskLevelDuringSignIn")

where(source_json.properties.riskLevelDuringSignIn!=none)groupby("source_json.properties.riskLevelDuringSignIn")

where(source_json.properties.riskLevelDuringSignIn=low)groupby(user, result)limit(1000, 1000)

where(source_json.properties.riskLevelDuringSignIn=medium)groupby(user, result)limit(1000, 1000)

where(source_json.properties.riskLevelDuringSignIn=high)groupby(user, result)

where(source_json.properties.riskLevelDuringSignIn=low)groupby(result, source_json.resultDescription)

where(source_json.properties.riskLevelDuringSignIn=medium)groupby(result, source_json.resultDescription)

where(source_json.properties.riskLevelDuringSignIn=high)groupby(result, source_json.resultDescription)

where(source_json.properties.riskState!=none AND source_json.properties.riskState=dismissed)groupby(user, source_json.properties.riskDetail)

where(source_json.properties.riskState!=none)groupby(source_json.properties.riskState)

where(source_json.properties.riskState!=none AND source_json.properties.riskState=remediated)groupby(user, source_json.properties.riskDetail)

where(source_json.properties.riskState!=none AND source_json.properties.riskState=atRisk)groupby(user, source_json.properties.riskEventTypes.0)limit(1000)

where(source_json.properties.riskState=atRisk AND source_json.properties.riskEventTypes.0=unlikelyTravel)groupby(user, geoip_country_name)

edit: these are old queries and aren't taking advantage of the newish LEQL operators, just FYI. I will try to go back through and update them.

4 Likes
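The same grouping logic as the LEQL queries above, run offline over constructed Entra ID sign-in records in Python, as an added example that is not from either post or from Rapid7. The record shape (`user`, `result`, `geoip_country_name`, `source_json.properties.*`) is assumed from the field names the queries reference; it also shows why a `riskEventTypes.0` test only sees the first listed detection, which is a gap a detection engineer would want to close.

```python
from collections import Counter

# Constructed sample events shaped like Entra ID sign-in logs arriving through an Azure
# Event Hub. Only the fields the thread's LEQL queries reference are modelled (assumption).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "result": "SUCCESS", "geoip_country_name": "Germany",
     "source_json": {"properties": {"riskLevelDuringSignIn": "high", "riskState": "atRisk",
                                    "riskEventTypes": ["unlikelyTravel"]}}},
    {"user": "alice@example.com", "result": "FAILED_OTHER", "geoip_country_name": "Brazil",
     "source_json": {"properties": {"riskLevelDuringSignIn": "high", "riskState": "atRisk",
                                    "riskEventTypes": ["unlikelyTravel", "anonymizedIPAddress"]}}},
    {"user": "bob@example.com", "result": "SUCCESS", "geoip_country_name": "Germany",
     "source_json": {"properties": {"riskLevelDuringSignIn": "none", "riskState": "none",
                                    "riskEventTypes": []}}},
    {"user": "carol@example.com", "result": "SUCCESS", "geoip_country_name": "France",
     "source_json": {"properties": {"riskLevelDuringSignIn": "medium", "riskState": "remediated",
                                    "riskEventTypes": ["unfamiliarFeatures"]}}},
    {"user": "eve@example.com", "result": "SUCCESS", "geoip_country_name": "Netherlands",
     "source_json": {"properties": {"riskLevelDuringSignIn": "high", "riskState": "atRisk",
                                    "riskEventTypes": ["anonymizedIPAddress", "unlikelyTravel"]}}},
    {"user": "dave@example.com", "result": "SUCCESS", "geoip_country_name": "Germany",
     "source_json": {}},  # event carrying no Identity Protection risk fields at all
]

def props(event):
    """The Entra risk fields live under source_json.properties; missing means no risk data."""
    return event.get("source_json", {}).get("properties", {})

def risk_level_counts(events):
    """where(riskLevelDuringSignIn!=none) groupby(riskLevelDuringSignIn)."""
    return Counter(props(e)["riskLevelDuringSignIn"] for e in events
                   if props(e).get("riskLevelDuringSignIn", "none") != "none")

def at_risk_by_event_type(events, event_type, first_only=True):
    """where(riskState=atRisk AND riskEventTypes.0=<event_type>) groupby(user, geoip_country_name).

    first_only=True mirrors the riskEventTypes.0 test in the thread, which only inspects the
    first array element; first_only=False checks every element so that sign-ins whose
    unlikelyTravel detection is listed after another detection are not missed.
    """
    hits = Counter()
    for e in events:
        p = props(e)
        types = p.get("riskEventTypes") or []
        candidates = types[:1] if first_only else types
        if p.get("riskState") == "atRisk" and event_type in candidates:
            hits[(e["user"], e.get("geoip_country_name", "unknown"))] += 1
    return hits
```

With the sample above, the first-element check misses eve's sign-in entirely, while the full-array check reports it under ("eve@example.com", "Netherlands").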