Hi Team,
Is there any way to capture the Risky Sign-ins from Azure into Splunk? That would help us implement the same in our environment.
Kindly note we have already installed the Splunk Add-on For Microsoft services on our Search Head server, but we are not sure how to proceed further to capture the Risky Sign-ins from the Azure environment.
index=* "riskState" | spath riskState | search riskState=atRisk
Sorry to resurrect a superdead thread, but we are dealing with the same issue 2 years later. Is there an app that is able to import Risky Sign-ins, Risky Users and the like from Azure AD Identity Security into Splunk?
The Splunk Add-on for Microsoft Cloud Services does not currently integrate with the Azure AD Identity Protection Graph API (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-graph-ge... ). You can use the Splunk Add-on Builder to interface with this API to pull these events, though.
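To illustrate the approach jconger describes, here is an added example (not from this thread, the Splunk add-on, or Add-on Builder) of the poll logic a custom input would need: query the Microsoft Graph v1.0 riskDetections endpoint incrementally from a saved checkpoint, follow `@odata.nextLink` paging, keep only detections whose riskState still needs attention, and shape each one as a Splunk HEC event. The sourcetype name, the `fetch` callback (which stands in for an authenticated GET) and the sample response are assumptions constructed for the example.

```python
"""Added example: incremental Microsoft Graph Identity Protection poll -> Splunk HEC events."""
from datetime import datetime
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
# riskState values an analyst still has to act on; remediated/dismissed detections are noise.
ACTIONABLE = {"atRisk", "confirmedCompromised"}
SOURCETYPE = "azure:identityprotection:riskdetection"   # assumed name, pick your own

def build_url(checkpoint_iso):
    """First request of a poll: only detections updated after the saved checkpoint."""
    params = {"$filter": f"lastUpdatedDateTime gt {checkpoint_iso}",
              "$orderby": "lastUpdatedDateTime"}
    return f"{GRAPH}?{urlencode(params)}"

def to_hec_event(det):
    """Map one Graph riskDetection object to a Splunk HEC payload (epoch time from detectedDateTime)."""
    ts = datetime.fromisoformat(det["detectedDateTime"].replace("Z", "+00:00"))
    return {"time": ts.timestamp(), "sourcetype": SOURCETYPE,
            "source": "graph:riskDetections", "event": det}

def process_page(page, checkpoint_iso):
    """Return (hec_events, next_link, new_checkpoint) for one Graph response page."""
    events, newest = [], checkpoint_iso
    for det in page.get("value", []):
        if det.get("riskState") in ACTIONABLE:
            events.append(to_hec_event(det))
        newest = max(newest, det["lastUpdatedDateTime"])  # ISO-8601 UTC strings sort lexically
    return events, page.get("@odata.nextLink"), newest

def collect(fetch, checkpoint_iso):
    """Drain every page; `fetch(url)` must return the decoded JSON of an authenticated GET."""
    url, all_events = build_url(checkpoint_iso), []
    while url:
        events, url, checkpoint_iso = process_page(fetch(url), checkpoint_iso)
        all_events.extend(events)
    return all_events, checkpoint_iso   # persist the checkpoint for the next poll

SAMPLE_PAGE = {  # constructed sample shaped like a Graph riskDetections response page
    "@odata.nextLink": GRAPH + "?$skiptoken=constructed",
    "value": [
        {"id": "d1", "riskState": "atRisk", "riskLevel": "high", "riskEventType": "unfamiliarFeatures",
         "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
         "detectedDateTime": "2024-05-01T10:00:00Z", "lastUpdatedDateTime": "2024-05-01T10:05:00Z"},
        {"id": "d2", "riskState": "remediated", "riskLevel": "medium", "riskEventType": "anonymizedIPAddress",
         "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
         "detectedDateTime": "2024-05-01T11:00:00Z", "lastUpdatedDateTime": "2024-05-01T11:30:00Z"},
    ],
}

def fake_fetch(url):
    """Offline stand-in for the Graph GET: the nextLink call returns an empty final page."""
    return SAMPLE_PAGE if "skiptoken" not in url else {"value": []}

if __name__ == "__main__":
    print(collect(fake_fetch, "2024-05-01T00:00:00Z"))
```

In a real input, `fetch` would add the bearer token obtained from an app registration with the `IdentityRiskEvent.Read.All` permission, and the returned checkpoint would be written to Splunk's checkpoint store so each poll only pulls new or updated detections.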
I think this app will fill the gap @jconger describes:
Can anyone help on this request?
Can anyone help?