Lack of Events from DCs - Prevent Rules


A recent deployment of Sentinel has me scratching my head around Windows events originating from on-prem Domain Controllers protected with Microsoft Defender for Identity. We plugged in the Sentinel Data Connector to the MDI instance, and I would have hoped to have seen events get streamed over from MDI. This is required for a number of analytic rules, not to mention visibility within Sentinel for our Managed Security team (which does not have visibility into the client’s MDI instance). Is this not the case? Is there a way to get these events streamed over from MDI short of installing the Log Analytics Agent on top of the MDI sensor on the on-prem DCs?

1 Reply
You can use the Microsoft 365 Defender connector to Sentinel:
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender
However, keep in mind that the Microsoft Defender for Identity activity tables (from advanced hunting) are not yet available as part of that connector and will be added at a later stage.
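A quick way to confirm what is actually landing in the workspace after enabling the connector is to ask Log Analytics which DC-related tables have rows. The KQL below is an added example, not part of the original thread; it assumes the Sentinel table names in use at the time of writing (SecurityEvent for agent-collected Windows security events, SecurityAlert for MDI alerts forwarded by the connector, and the IdentityLogonEvents / IdentityDirectoryEvents / IdentityQueryEvents advanced-hunting tables, which the reply above says were not yet available through the connector at the time) and that MDI alerts carry the ProviderName "Azure Advanced Threat Protection".

```kql
// Added example (not from the original thread): which DC-related tables
// are receiving data in this workspace, with row counts for the last 7 days.
// Table names and the MDI ProviderName value are assumptions about the
// current Sentinel schema, not something stated in the thread.
let lookback = 7d;
union isfuzzy=true   // isfuzzy lets the query run even if a table does not exist yet
    (SecurityEvent
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), LastSeen = max(TimeGenerated)
        | extend Table = "SecurityEvent"),
    (SecurityAlert
        | where TimeGenerated > ago(lookback)
        | where ProviderName == "Azure Advanced Threat Protection"   // MDI alerts via the connector
        | summarize Rows = count(), LastSeen = max(TimeGenerated)
        | extend Table = "SecurityAlert (MDI)"),
    (IdentityLogonEvents
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), LastSeen = max(TimeGenerated)
        | extend Table = "IdentityLogonEvents"),
    (IdentityDirectoryEvents
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), LastSeen = max(TimeGenerated)
        | extend Table = "IdentityDirectoryEvents"),
    (IdentityQueryEvents
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), LastSeen = max(TimeGenerated)
        | extend Table = "IdentityQueryEvents")
| project Table, Rows, LastSeen
| order by Table asc
```

If only the SecurityAlert row shows up, the connector is forwarding MDI alerts but not the raw identity activity; analytic rules that key on SecurityEvent (for example Windows logon or Kerberos event IDs from the DCs) will stay silent until those events are collected by an agent on the DCs, which is the fallback the question mentions.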