Forum Discussion

Silver Contributor

Dec 08, 2022

MDI Health Alerts - Send to Sentinel

What is the best way to ensure that MDI health alerts like "Directory Services Advanced Auditing is not enabled" show as an alert in Sentinel?

security posture

Martin_Schvartzman

Microsoft

Dec 15, 2022

Dean_Gross

There is no direct pipe for the health alerts to Sentinel.

As GershonLevitz-MSFT suggested in the Teams channel, you could use the syslog capability in MDI to get them into a server in your environment and then forward them to Sentinel using the log analytics agent. See Connect Syslog data to Microsoft Sentinel | Microsoft Learn

Dean_Gross

Silver Contributor

Dec 15, 2022

Thanks for the workaround, are there any plans to add this basic functionality? I don't think that we should have to do extra work like this after we have already configured the sensors and since the health data is already visible in M365 Security center

Martin_Schvartzman
Microsoft
Dec 18, 2022
Dean_Gross

Yes. Native forwarding the MDI health alerts to Sentinel is being evaluated.
- Dean_Gross
  Silver Contributor
  Jan 02, 2023
  FYI, for anyone else interested in this topic, an approach is described here https://cloudbrothers.info/en/integrate-mdi-health-alerts-microsoft-sentinel/
  - Docyx
    Copper Contributor
    Nov 22, 2023
    Dean_Gross
    Hi everyone
    
    I created an analytics rule based on the Cloudbrother tutorial.
    But the problem with this is that we cannot retrieve the name of the DC that has an issue. Is it possible to extract the content of the e-mails or something ?
    
    I would like to be able to add the DC's name to the created incident.
    My final goal is to send the health alerts, with the DC concerned into a Microsoft Teams discussion, so if there is an alternative or more direct way to do this I would be happy to know it.
    
    Does anyone have any idea how to do this ?