Forum Discussion

Copper Contributor

May 04, 2022

Solved

MS Defender for Identity to SIEM

I know that I can forward our MS Defender for Identity logs to a https://docs.microsoft.com/en-us/defender-for-identity/setting-syslog#:~:text=Microsoft%20Defender%20for%20Identity%20can,server%20thr...

logging

microsoft 365 defender

Martin_Schvartzman
May 06, 2022
witness777

If you are using Sentinel, you can use native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.

Martin_Schvartzman

Microsoft

May 06, 2022

witness777

If you are using Sentinel, you can use native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.

witness777

Copper Contributor

May 31, 2022

Apologies for the huge delay. I have looked into this and this is definitely the way to go. Will mark this as the answer.

I do have one last question. Is there a cost for using Streaming API? I couldn't find any documentation on this.

Martin_Schvartzman
Microsoft
Jun 16, 2022
witness777

No, there's no specific cost for the streaming APIs. You do have the cost for the Azure resources you are streaming the event into (eventHub / storage account / etc.).
JoeMJoeM
Copper Contributor
Jun 16, 2022
How about Splunk using threat graph security API?