Nawel335
Copper Contributor
Feb 17, 2021

SIEM / Defender for Identity integration

Hello Everyone,

I am working on the possibility of integrating SIEM and Defender for Identity alerts. I know that there is a possibility to send the alerts from the Defender cloud to the Splunk SIEM by choosing a single sensor in the configuration described in the MS documentation. I have some questions:

  • I would like to know if there is the possibility of configuring multiple sensors?
  • Is a single sensor sufficient to send all alerts, whether they are High, Medium or Low?
  • I would also like to know if there is a possibility to send the alerts from the Splunk SIEM to the Defender portal?

Thanks for your help.


Regards

  • Nawel335 
    You can only select one; it should be more than enough to send all the alerts.
    As you just get metadata there, the load should not be that high.


    What info do you want to send from the SIEM to MDI?
    We have such a scenario for standalone sensors that are not installed on the DC, so they can get the Windows events from the SIEM, but if you are using the best practice of installing on the DC itself for full detection capabilities, there should not be a need to add more data from the SIEM, as we have access to all needed data sources from the machine itself...
