Dean_Gross
Silver Contributor
Aug 02, 2021

Lack of Events from DCs - Prevent Rules

A recent deployment of Sentinel has me scratching my head around Windows events originating from on-prem Domain Controllers protected with Microsoft Defender for Identity. We plugged in the Sentinel Data Connector to the MDI instance, and I would have hoped to have seen events get streamed over from MDI. This is required for a number of analytic rules, not to mention visibility within Sentinel for our Managed Security team (which does not have visibility into the client’s MDI instance). Is this not the case? Is there a way to get these events streamed over from MDI short of installing the Log Analytics Agent on top of the MDI sensor on the on-prem DCs?
