Microsoft Graph Security risk indicators
Microsoft Graph Security receives data from the Azure AD Identity Protection or Microsoft Defender for Endpoint security providers, and sends the information to Citrix Analytics.
Azure AD Identity Protection triggers the following risk indicators and sends the information to Microsoft Graph Security:
Anonymous IP address
Impossible travel to atypical locations
Users with leaked credentials
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activity
Sign-ins from unfamiliar locations
For information about Defender for Endpoint, see Microsoft Defender for Endpoint.
The risk factor associated with the risk indicators is the IP-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.
How to analyze Microsoft Graph Security risk indicators
Consider a user Maria Brown who exhibits one of the risky behaviors mentioned previously. Microsoft detects the incident and generates an alert. Citrix Analytics retrieves this alert and assigns an updated risk score to Maria Brown. Also, the appropriate risk indicator is added to Maria Brown’s risk timeline.
To view the Microsoft Graph Security risk indicator entry for a user, navigate to Security > Users, and select the user.
From Maria’s timeline, you can select the latest risk indicator entry from the risk timeline. Its corresponding detailed information panel appears in the right pane. The WHAT HAPPENED section provides a brief summary of the risk indicator.
How to get more information about the risk indicators
For more information, see Azure Active Directory risk events.
What actions you can apply to the user
Currently, the ability to take appropriate actions on the user’s account through the Microsoft Graph Security data source is not available.
For information on Microsoft Graph Security onboarding, see Microsoft Graph Security.