Citrix Analytics for Security

Microsoft Graph Security risk indicators

Microsoft Graph Security receives data from the Azure AD Identity Protection or Microsoft Defender for Endpoint security providers, and sends the information to Citrix Analytics.

Azure AD Identity Protection triggers the following risk indicators and sends the information to Microsoft Graph Security:

  • Anonymous IP address

  • Impossible travel to atypical locations

  • Users with leaked credentials

  • Sign-ins from infected devices

  • Sign-ins from IP addresses with suspicious activity

  • Sign-ins from unfamiliar locations

For information about Defender for Endpoint, see Microsoft Defender for Endpoint.

The risk factor associated with the risk indicators is the IP-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

How to analyze Microsoft Graph Security risk indicators

Consider a user Maria Brown who exhibits one of the risky behaviors mentioned previously. Microsoft detects the incident and generates an alert. Citrix Analytics retrieves this alert and assigns an updated risk score to Maria Brown. Also, the appropriate risk indicator is added to Maria Brown’s risk timeline.

To view the Microsoft Graph Security risk indicator entry for a user, navigate to Security > Users, and select the user.

From Maria’s timeline, you can select the latest risk indicator entry from the risk timeline. Its corresponding detailed information panel appears in the right pane. The WHAT HAPPENED section provides a brief summary of the risk indicator.

How to get more information about the risk indicators

For more information, see Azure Active Directory risk events.

What actions you can apply to the user

Currently, the ability to take appropriate actions on the user’s account through the Microsoft Graph Security data source is not available.

For information on Microsoft Graph Security onboarding, see Microsoft Graph Security.

Microsoft Graph Security risk indicators