...
The Entra ID collector is run the same way as an Event Hub Azure collector.
Secure it
Devo Exchange provides different Alerts Packs to help you monitor Entra ID data:
...
an authentication alert pack that detects malicious authentication patterns
...
, including Entra ID authentication.
Data destruction attempt
Find privilege escalation, including roles, groups, and administrative units. Unexpected privilege escalation may indicate a user intends to exfiltrate or destroy data.
...