SIEM / Defender for Identity integration
Nawel335 (Copper Contributor), Feb 17, 2021
Hello Everyone,
I am working on the possibility of integrating the SIEM and Defender for Identity alerts. I know that it is possible to send the alerts from the Defender cloud to the SIEM (Splunk) by choosing a single sensor in the configuration described in the MS documentation. I have some questions:
- I would like to know if it is possible to configure multiple sensors?
- Is a single sensor sufficient to send all alerts, whether they are High, Medium or Low?
- I would also like to know if it is possible to send the alerts from the SIEM (Splunk) to the Defender portal?
Thanks for your help.
Regards
EliOfek (Microsoft)
@Nawel335
You can only select one; it should be more than enough to send all the alerts. As you just get metadata there, the load should not be that high. What info do you want to send from the SIEM to MDI?
We have such a scenario for standalone sensors that are not installed on the DC, so they can get the Windows events from the SIEM, but if you are using the best practice of installing on the DC itself for full detection capabilities, there should not be a need to add more data from the SIEM, as we have access to all needed data sources from the machine itself...

Nawel335 (Copper Contributor)
@EliOfek, thank you for your answer.
I'm not using a standalone sensor; I was just wondering if it's possible to do the integration from the SIEM to Defender for Identity.
I also wanted to know if there are any other possible configurations of Splunk to get all the alerts of Defender for Identity besides this one: https://docs.microsoft.com/en-in/defender-for-identity/setting-syslog
Does anyone have an idea about that?
Thanks
Or Tsemah (Microsoft)
While I haven't tested it myself, you could use the Graph API support for Splunk to get all M365 alerts:
Microsoft Graph Security API Add-On for Splunk | Splunkbase
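The thread describes two ways alerts can reach the SIEM: the syslog feed from a single MDI sensor (metadata only, all three severities on one feed) and the Graph Security API, which returns alerts from every M365 product, not just MDI. The script below is an added example, not code from this thread, from Microsoft or from the Splunk add-on. It normalises both inputs into one record shape so a SIEM-side rule can filter on severity and keep only MDI alerts from the broader Graph feed. Assumptions: the syslog lines follow the generic CEF header layout (the `Microsoft|Azure ATP` vendor/product strings, the signature ids, the `externalId` values and the Graph `vendorInformation.provider` string are all constructed sample values, and the real provider string should be checked against your own tenant's data); the numeric-to-band severity mapping is the one from the CEF specification; and Graph's `informational`/`unknown` severities are folded into `low` for routing purposes.

```python
"""Normalise MDI alerts from a syslog/CEF feed and from Graph Security API records (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The three bands the thread talks about (High / Medium / Low), ranked for threshold filtering.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    source: str     # "syslog" or "graph" (labels chosen for this example)
    alert_id: str
    name: str
    severity: str   # normalised to "low" / "medium" / "high"


def cef_severity_to_label(value: str) -> str:
    """Map the numeric CEF severity (0-10) onto three bands.
    Bands follow the CEF spec: 0-3 Low, 4-6 Medium, 7-10 High (Very-High folded into High)."""
    n = int(value)
    if n <= 3:
        return "low"
    if n <= 6:
        return "medium"
    return "high"


_CEF_PIPE = re.compile(r"(?<!\\)\|")      # a pipe not preceded by a backslash ends a header field
_EXT_SPLIT = re.compile(r"\s+(?=\w+=)")   # extension part: key=value pairs separated by whitespace


def parse_cef_alert(line: str) -> Alert:
    """Parse one syslog line carrying a CEF record; raises ValueError for non-CEF noise on the feed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _CEF_PIPE.split(line[start:], maxsplit=7)  # 7 header fields + the extension
    if len(parts) < 8:
        raise ValueError("incomplete CEF header")
    _version, _vendor, _product, _product_version, signature_id, name, severity, extension = parts
    ext: Dict[str, str] = {}
    for pair in _EXT_SPLIT.split(extension.strip()):
        key, _, value = pair.partition("=")
        if key:
            ext[key] = value
    name = name.replace(r"\|", "|")  # undo CEF header escaping
    # Prefer the alert's own id from the extension (constructed key here) over the signature id.
    return Alert("syslog", ext.get("externalId", signature_id), name, cef_severity_to_label(severity))


def parse_graph_alert(record: dict) -> Alert:
    """Normalise one Graph Security API alert object (id / title / severity fields)."""
    severity = str(record.get("severity", "")).lower()
    if severity not in SEVERITY_RANK:
        severity = "low"  # "informational" / "unknown" are routed as low (assumption for this example)
    return Alert("graph", record["id"], record.get("title", ""), severity)


def collect_alerts(syslog_lines: Iterable[str], graph_records: Iterable[dict], graph_provider: str) -> List[Alert]:
    """Merge both feeds; skip non-CEF syslog lines and keep only Graph alerts from the given provider."""
    out: List[Alert] = []
    for line in syslog_lines:
        try:
            out.append(parse_cef_alert(line))
        except ValueError:
            continue  # other syslog traffic on the same feed is not fatal, just ignored
    for rec in graph_records:
        if rec.get("vendorInformation", {}).get("provider") == graph_provider:
            out.append(parse_graph_alert(rec))
    return out


def alerts_at_or_above(alerts: Iterable[Alert], minimum: str) -> List[Alert]:
    """Routing rule: keep alerts whose band is at least `minimum` ("low" passes everything)."""
    threshold = SEVERITY_RANK[minimum]
    return [a for a in alerts if SEVERITY_RANK[a.severity] >= threshold]


# Constructed sample input (not captured from a real tenant): two CEF lines, one non-CEF line, two Graph alerts.
SAMPLE_SYSLOG = [
    r"Feb 17 2021 10:00:00 mdi-sensor01 CEF:0|Microsoft|Azure ATP|2.140.0.0|ExampleSigA|Suspected identity theft (pass-the-ticket)|8|externalId=ALERT-0001 suser=jdoe msg=constructed sample",
    r"Feb 17 2021 10:05:00 mdi-sensor01 CEF:0|Microsoft|Azure ATP|2.140.0.0|ExampleSigB|Remote code execution attempt \| constructed|5|externalId=ALERT-0002 suser=svc-backup msg=constructed sample",
    r"Feb 17 2021 10:06:00 mdi-sensor01 sshd[123]: constructed non-CEF line on the same feed",
]
SAMPLE_GRAPH = json.loads("""[
  {"id": "graph-0001", "title": "Suspected brute force attack (constructed)", "severity": "medium",
   "vendorInformation": {"provider": "Azure Advanced Threat Protection", "vendor": "Microsoft"}},
  {"id": "graph-0002", "title": "constructed informational alert", "severity": "informational",
   "vendorInformation": {"provider": "Azure Advanced Threat Protection", "vendor": "Microsoft"}}
]""")


if __name__ == "__main__":
    found = collect_alerts(SAMPLE_SYSLOG, SAMPLE_GRAPH, "Azure Advanced Threat Protection")
    for alert in alerts_at_or_above(found, "medium"):
        print(alert)
```

The same record shape lets you compare what the two paths deliver for one incident: the syslog path carries only the alert metadata EliOfek mentions, while the Graph path also returns alerts from other M365 products, so the provider filter is what keeps a "Defender for Identity only" Splunk search honest.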