microsoft / msticpy

Microsoft Threat Intelligence Security Tools

Add Identity Query Provider (MDI, Bloodhound neo4j db or json, PingCastle xml files, other) #460

Open juju4 opened 2 years ago

juju4 commented 2 years ago

Describe the solution you'd like

First use is enrichment of alerts on service principal/UPN and a more consolidated view of identities than what recent logs can do.

On MDI use cases: the first is validating tool coverage for an environment, a Windows domain here. The alerting part is normally accessible through Sentinel. Not sure if a direct provider is needed, but one can argue the same for MDE, and Sentinel alerts usually have less information compared to the source tool. Not sure if there is other data that would be useful; still new to the tool and exploring (and tuning alerts…).

Describe alternatives you've considered

At this point, only manual extraction of the above or (re)implementing REST API or LDAP queries in Python.
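To make the "first use" above concrete, here is an added example (not msticpy code and not from the issue author) of the enrichment step such a provider would feed: two identity exports are loaded, merged into one index keyed on normalised UPN, and alert rows are annotated with what the sources say about each identity. The JSON sample is only loosely modelled on a BloodHound users collection and the XML sample is a constructed stand-in for a PingCastle report, not its real schema; the field names, `RiskHints` labels and sample alerts are all assumptions made for this illustration.

```python
"""Consolidate identity attributes from two on-disk exports and enrich alerts by UPN.

Added example. Input layouts are constructed stand-ins, not real export formats.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample loosely shaped like a BloodHound "users" collection (assumed layout).
BLOODHOUND_USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1105",
         "Properties": {"name": "SVC_BACKUP@CORP.LOCAL", "enabled": True,
                        "admincount": True, "hasspn": True}},
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1204",
         "Properties": {"name": "ALICE@CORP.LOCAL", "enabled": True,
                        "admincount": False, "hasspn": False}},
    ],
    "meta": {"type": "users", "count": 2},
})

# Constructed XML standing in for a PingCastle report; PingCastle's real schema differs.
PINGCASTLE_LIKE_XML = """<HealthcheckData>
  <Domain>corp.local</Domain>
  <PrivilegedAccounts>
    <Account name="svc_backup@corp.local" pwdLastSet="2019-03-01" neverExpires="true"/>
  </PrivilegedAccounts>
</HealthcheckData>
"""

# Constructed alert rows in the shape of a SIEM export.
SAMPLE_ALERTS = [
    {"AlertName": "Suspicious logon", "UserPrincipalName": "svc_backup@corp.local"},
    {"AlertName": "Password spray", "UserPrincipalName": "Alice@corp.local"},
    {"AlertName": "New service principal", "UserPrincipalName": "app-123@corp.local"},
]


def _norm(upn: str) -> str:
    """UPNs differ in case between tools; normalise before joining."""
    return upn.strip().lower()


def load_bloodhound_users(text: str) -> Dict[str, dict]:
    """Map UPN -> attributes from the BloodHound-like JSON (assumed field names)."""
    doc = json.loads(text)
    out: Dict[str, dict] = {}
    for node in doc.get("data", []):
        props = node.get("Properties", {})
        name = props.get("name")
        if not name:
            continue
        out[_norm(name)] = {
            "sid": node.get("ObjectIdentifier"),
            "enabled": bool(props.get("enabled", False)),
            "admin_count": bool(props.get("admincount", False)),
            "has_spn": bool(props.get("hasspn", False)),
        }
    return out


def load_pingcastle_like(text: str) -> Dict[str, dict]:
    """Map UPN -> attributes from the PingCastle-like XML (assumed layout).

    Reports received from outside the trust boundary should be parsed with defusedxml.
    """
    root = ET.fromstring(text)
    out: Dict[str, dict] = {}
    for acct in root.iter("Account"):
        name = acct.get("name")
        if not name:
            continue
        out[_norm(name)] = {
            "privileged": True,
            "pwd_last_set": acct.get("pwdLastSet"),
            "pwd_never_expires": acct.get("neverExpires", "false").lower() == "true",
        }
    return out


def build_identity_index(*sources: Dict[str, dict]) -> Dict[str, dict]:
    """Merge per-source dicts into one view; later sources add or overwrite fields."""
    index: Dict[str, dict] = {}
    for src in sources:
        for upn, attrs in src.items():
            index.setdefault(upn, {}).update(attrs)
    return index


def enrich_alerts(alerts: Iterable[dict], index: Dict[str, dict]) -> List[dict]:
    """Attach identity attributes and simple, source-derived hints to each alert row."""
    enriched = []
    for alert in alerts:
        identity = index.get(_norm(alert.get("UserPrincipalName", "")))
        row = dict(alert)
        row["IdentityKnown"] = identity is not None
        row["Identity"] = identity or {}
        conditions = {
            "privileged": bool(identity and (identity.get("privileged") or identity.get("admin_count"))),
            "service_account_spn": bool(identity and identity.get("has_spn")),
            "stale_password_never_expires": bool(identity and identity.get("pwd_never_expires")),
            "unknown_identity": identity is None,  # not in any export: worth a second look
        }
        row["RiskHints"] = sorted(hint for hint, met in conditions.items() if met)
        enriched.append(row)
    return enriched


if __name__ == "__main__":
    idx = build_identity_index(load_bloodhound_users(BLOODHOUND_USERS_JSON),
                               load_pingcastle_like(PINGCASTLE_LIKE_XML))
    for r in enrich_alerts(SAMPLE_ALERTS, idx):
        print(r["AlertName"], r["UserPrincipalName"], r["RiskHints"])
```

The merge is deliberately last-writer-wins per field, so the order in which sources are passed to `build_identity_index` decides which tool is authoritative for overlapping attributes; an identity absent from every export is surfaced explicitly rather than silently dropped.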

ianhelle commented 1 year ago

Hey Julien - are you proposing this as a feature that you would like to contribute? Sounds cool either way but it definitely has more chance of seeing the light of day if you have the time to work on this.

One thing that might be an interesting addition is the SensServa library - this builds a kind of access control model from AAD. There's a notebook in the Azure-Sentinel-Notebooks repo showing this.