Connect data from Azure AD Identity Protection

You can stream logs from Azure AD Identity Protection into Azure Sentinel so that you can view its alerts in dashboards, create custom alerts, and improve investigation. Azure Active Directory Identity Protection provides a consolidated view of at-risk users, risk detections, and vulnerabilities, with the ability to remediate risk immediately and set policies to auto-remediate future events. The service is built on Microsoft’s experience protecting consumer identities and gains tremendous accuracy from the signal of over 13 billion log-ins a day.

Prerequisites

Connect to Azure AD Identity Protection

If you already have Azure AD Identity Protection, make sure it is enabled on your network. If Azure AD Identity Protection is deployed and getting data, the alert data can easily be streamed into Azure Sentinel.

  1. In Azure Sentinel, select Data connectors and then click the Azure AD Identity Protection tile.

  2. Click Connect to start streaming Azure AD Identity Protection events into Azure Sentinel.

  3. To use the relevant schema in Log Analytics for the Azure AD Identity Protection alerts, search for IdentityProtectionLogs_CL.
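After connecting, a query like the following can confirm that events are arriving in the table named in step 3. It is an added example, not part of the original article; it relies only on the standard `TimeGenerated` column, and the `lookback` and `staleAfter` values are assumed thresholds to adjust for your environment.

```kusto
// Added example: ingestion check for IdentityProtectionLogs_CL.
// lookback and staleAfter are assumed values, not product defaults.
let lookback = 24h;
let staleAfter = 6h;
// isfuzzy=true keeps the query from failing if the custom table
// has not been created yet (no events received so far).
union isfuzzy=true
    (datatable(TimeGenerated: datetime) []),
    (IdentityProtectionLogs_CL
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated)
| summarize Events = count(), LastEvent = max(TimeGenerated)
| extend Status = case(
    Events == 0, "no data in window",
    LastEvent < ago(staleAfter), "stale",
    "receiving")
```

A result of "no data in window" right after clicking Connect can simply mean no risk detections have fired yet, so repeat the check after a known detection before treating it as a connector fault.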

Next steps

In this document, you learned how to connect Azure AD Identity Protection to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: