Aug 02 2021 01:15 PM
A recent deployment of Sentinel has me scratching my head over Windows events originating from on-prem Domain Controllers protected with Microsoft Defender for Identity. We plugged the Sentinel Data Connector in to the MDI instance, and I would have hoped to see events get streamed over from MDI. This is required for a number of analytic rules, not to mention visibility within Sentinel for our Managed Security team (which does not have visibility into the client’s MDI instance). Is this not the case? Is there a way to get these events streamed over from MDI short of installing the Log Analytics Agent on top of the MDI sensor on the on-prem DCs?
Aug 03 2021 02:11 AM