This article discusses how you can use the Stories Workbench to review XDR stories for sign-in anomalies detected in Microsoft Entra ID Protection alerts.
Microsoft Entra ID Protection helps organizations detect identity-based risks for their Entra ID tenant, such as anomalous sign-ins that may indicate malicious activity. Using the Microsoft API, you can integrate alert data from Microsoft Entra ID Protection to generate Cato XDR stories. This lets analysts include data from risky sign-ins within the broader context of XDR investigations. The Cato Entra Identity Alert engine creates a story by correlating data from Entra ID Protection alerts that occurred for the same user within a 24-hour period. The Stories Workbench shows the Entra Identity Alert stories together with the other story types, and you can sort and filter the stories to focus on the Entra Identity Alert stories.
You can also enrich Entra Identity Alert stories by integrating sign-in event data from Microsoft Entra ID. This provides context on the user's usual sign-in behavior, which you can compare with the anomalous activity reported by Entra ID Protection.
Prerequisites
- XDR stories for Microsoft Entra ID Protection alerts require configuring the Microsoft Entra ID Protection connector. For more about configuring the connector, including the required Microsoft licenses and permissions, see Configuring the Microsoft Entra ID Protection Connector for Sign-In Anomaly Data.
- The Sign-In Events and Sign-In Events on the User widgets require configuring the Microsoft Entra ID connector. For more about configuring the connector, including the required Microsoft license and permissions, see Configuring the Microsoft Entra ID (Azure AD) Connector.
Notes:
- If you configure only the Microsoft Entra ID Protection connector, Entra Identity Alert stories are generated, but the Sign-In Events and Sign-In Events on the User widgets show no data.
- If you configure only the Microsoft Entra ID connector, no Entra Identity Alert stories are generated.
The Stories Workbench page shows a summary of the stories for the potential threats in your account.
For information about the columns in the Stories Workbench, see Understanding the Stories Columns.
You can group and filter the stories according to the Entra Identity Alert story type to quickly find stories for sign-in anomalies. For more about grouping and filtering stories, see Reviewing Detection & Response (XDR) Stories in the Stories Workbench.
You can click a story in the Stories Workbench to drill down and investigate its details on a separate page. This page contains a number of widgets that help you evaluate the potential threat identified in the story.
When you drill down into an Entra Identity Alert story, you can review all the Entra ID Protection alerts that the story is based on, and examine the data that relates to each alert.
To add context to the alerts, you can also review the user's sign-in events from the day of the alert and the preceding 2 days (requires the Microsoft Entra ID connector; see Prerequisites above).
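The following Python script is an added example, not Cato's engine code or a Microsoft sample. It shows the two mechanics this article describes: grouping Entra ID Protection detections for the same user into a story when they fall within 24 hours of the story's first detection, and pulling the user's sign-in events from the alert day plus the preceding 2 days as comparison context. The field names (`userPrincipalName`, `detectedDateTime`, `createdDateTime`, `ipAddress`, `riskLevel`, `status`) are assumed to resemble Microsoft Graph riskDetection and signIn objects; all records are constructed samples, and the "usual behavior" definition (successful sign-ins on the preceding days) is this example's own choice.

```python
"""Correlate risk detections into per-user 24-hour stories and attach
sign-in context. Added example; field names and data are assumptions."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

STORY_WINDOW = timedelta(hours=24)  # same-user detections within 24h form one story
LOOKBACK_DAYS = 2                   # alert day plus the preceding 2 days
RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample risk detections (Graph-like field names are an assumption).
RISK_DETECTIONS = [
    {"id": "rd-1", "userPrincipalName": "alice@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "ipAddress": "203.0.113.10", "detectedDateTime": "2024-05-10T08:15:00Z"},
    {"id": "rd-2", "userPrincipalName": "alice@example.com", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "high", "ipAddress": "198.51.100.7", "detectedDateTime": "2024-05-10T21:40:00Z"},
    {"id": "rd-3", "userPrincipalName": "alice@example.com", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "ipAddress": "203.0.113.10", "detectedDateTime": "2024-05-12T09:00:00Z"},
    {"id": "rd-4", "userPrincipalName": "bob@example.com", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "ipAddress": "", "detectedDateTime": "2024-05-10T10:00:00Z"},
]

# Constructed sample sign-in events (Graph-like field names are an assumption).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-07T09:00:00Z",
     "ipAddress": "192.0.2.5", "status": "success"},  # before the lookback window
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-08T09:02:00Z",
     "ipAddress": "192.0.2.5", "status": "success"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-09T08:58:00Z",
     "ipAddress": "192.0.2.5", "status": "success"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-10T06:00:00Z",
     "ipAddress": "192.0.2.5", "status": "success"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-10T08:14:00Z",
     "ipAddress": "203.0.113.10", "status": "success"},  # sign-in behind rd-1
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-10T21:39:00Z",
     "ipAddress": "198.51.100.7", "status": "failure"},  # sign-in behind rd-2
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_stories(detections: list[dict]) -> list[dict]:
    """Group detections per user; a detection joins the open story if it is
    within STORY_WINDOW of that story's first detection, else opens a new one."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for d in detections:
        by_user[d["userPrincipalName"]].append(d)
    stories: list[dict] = []
    for user, items in by_user.items():
        items.sort(key=lambda d: parse_ts(d["detectedDateTime"]))
        current = None
        for d in items:
            ts = parse_ts(d["detectedDateTime"])
            if current is None or ts - current["start"] > STORY_WINDOW:
                current = {"user": user, "start": ts, "alerts": [], "riskLevel": "none"}
                stories.append(current)
            current["alerts"].append(d)
            if RISK_RANK.get(d["riskLevel"], 0) > RISK_RANK.get(current["riskLevel"], 0):
                current["riskLevel"] = d["riskLevel"]  # story severity = highest alert
    return stories


def sign_in_context(story: dict, sign_ins: list[dict]) -> dict:
    """Select the user's sign-ins for the alert day plus LOOKBACK_DAYS preceding
    days, and flag alert IPs not seen in successful sign-ins on the preceding days."""
    alert_day = story["start"].replace(hour=0, minute=0, second=0, microsecond=0)
    window_start = alert_day - timedelta(days=LOOKBACK_DAYS)
    window_end = alert_day + timedelta(days=1)
    in_window = [s for s in sign_ins if s["userPrincipalName"] == story["user"]
                 and window_start <= parse_ts(s["createdDateTime"]) < window_end]
    baseline_ips = {s["ipAddress"] for s in in_window
                    if s["status"] == "success" and parse_ts(s["createdDateTime"]) < alert_day}
    alert_ips = {a["ipAddress"] for a in story["alerts"] if a["ipAddress"]}
    return {"events": len(in_window),
            "failures": sum(1 for s in in_window if s["status"] != "success"),
            "baseline_ips": baseline_ips,
            "unseen_alert_ips": alert_ips - baseline_ips}


def enrich_stories(detections: list[dict], sign_ins: list[dict]) -> list[dict]:
    """Build stories and attach sign-in context to each."""
    stories = build_stories(detections)
    for st in stories:
        st["context"] = sign_in_context(st, sign_ins)
    return stories


if __name__ == "__main__":
    for st in enrich_stories(RISK_DETECTIONS, SIGN_INS):
        ctx = st["context"]
        print(f"{st['user']} story {st['start']:%Y-%m-%d %H:%M}: {len(st['alerts'])} alert(s), "
              f"risk={st['riskLevel']}, {ctx['events']} sign-ins, unseen IPs={sorted(ctx['unseen_alert_ips'])}")
```

Running it on the sample data yields two stories for alice and one for bob. The second alice story (rd-3 on 2024-05-12) illustrates a caveat for analysts reading the Sign-In Events widgets: its 2-day baseline already contains the 2024-05-10 sign-in from 203.0.113.10 that triggered the first story, so that IP no longer looks new. A short lookback is only a baseline if the preceding days were themselves clean.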
These are the story drill-down widgets:
Item | Name | Description
---|---|---
1 | Story summary | A summary of basic information about the story. Story settings such as Analyst Verdict, Analyst Severity, Status, Type, and Classification are managed with the Manage Story option under the Actions button.
2 | | Shows a timeline of the story, such as changes made to the story verdict and severity, and when new alerts are added to the story.
3 | Details | Basic information for analyzing the story, including:
4 | Source | The user name and email address associated with the sign-ins in the alert.
5 | Sign-In Events (requires the Microsoft Entra ID connector) | Charts with breakdowns of data from the user's sign-in events from the day of the alert plus the preceding 2 days. Use the dropdown to choose the data type shown on the charts. These are the options:
6 | Alerts | Shows details for the alerts related to the story. These are the columns in the Alerts table:
7 | Sign-In Events on the User (requires the Microsoft Entra ID connector) | Shows data from the user's sign-in events from the day of the alert and the preceding 2 days. These are the columns in the table: