Lack of Events from DCs - Prevent Rules

Dean Gross · ‎Aug 02 2021

A recent deployment of Sentinel has me scratching my head around Windows events originating from on-prem Domain Controllers protected with Microsoft Defender for Identity. We plugged in the Sentinel Data Connector to the MDI instance, and I would have hoped to have seen events get streamed over from MDI. This is required for a number of analytic rules, not to mention visibility within Sentinel for our Managed Security team (of which does not have visibility in to the client’s MDI instance). Is this not the case? Is there a way to get these events streamed over from MDI short of installing the Log Analytics Agent on top of the MDI sensor on the on-prem DC’s?

Or Tsemah · ‎Aug 03 2021

You can use the Microsoft 365 Defender connector to sentinel
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender
However, keep in mind that the Microsoft defender for identity activity tables (from advanced hunting) are not yet available as part of that connector and will be added at a later stage

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Lack of Events from DCs - Prevent Rules

Lack of Events from DCs - Prevent Rules

Re: Lack of Events from DCs - Prevent Rules