We’re currently forwarding Azure AD Identity Protection logs (Risk Detections / Risky Users) to InsightIDR via Azure Event Hub.
The data is successfully received, but all of these logs appear as Unparsed Logs; there are no AAD_Identity_Protection events categorized under Third-Party Alarms.
Meanwhile, I’ve noticed that:
- Defender for Cloud logs are correctly parsed via Event Hub (supported schema).
- Office 365 logs are ingested via the Cloud Service Activity event source.
- However, based on the latest Rapid7 documentation, it seems that all Defender products (Cloud, Identity, Office 365, Endpoint, etc.) are now expected to be collected through the Microsoft Security (Graph API) connector instead of Event Hub.
So my questions are:
- Should we now migrate all Microsoft security products (Defender for Cloud, O365, Identity Protection, etc.) to the Microsoft Security (Graph API) connector for consistency?
- Is Event Hub ingestion still officially supported for some products (like Cloud or SignInLogs), or is it being phased out?
- Are there any plans for InsightIDR to parse Identity Protection (Risk Detection) logs natively via either Event Hub or the Graph API connector?
Thanks for clarifying the recommended approach; it seems logical to consolidate all Defender-related logs under the Microsoft Security connector if that’s the future-proof method.