MDI Health Alerts - Send to Sentinel

What is the best way to ensure that MDI health alerts like "Directory Services Advanced Auditing is not enabled" show as an alert in Sentinel?

5 Replies

@Dean Gross 

There is no direct pipe for the health alerts to Sentinel.

As @Gershon Levitz suggested in the Teams channel, you could use the syslog capability in MDI to get them into a server in your environment and then forward them to Sentinel using the log analytics agent. See Connect Syslog data to Microsoft Sentinel | Microsoft Learn

Thanks for the workaround. Are there any plans to add this basic functionality? I don't think that we should have to do extra work like this after we have already configured the sensors, and since the health data is already visible in the M365 Security center.

@Dean Gross 

Yes. Native forwarding of the MDI health alerts to Sentinel is being evaluated.

FYI, for anyone else interested in this topic, an approach is described here https://cloudbrothers.info/en/integrate-mdi-health-alerts-microsoft-sentinel/

@Dean Gross 

Hi everyone

I created an analytics rule based on the Cloudbrother tutorial.

But the problem with this is that we cannot retrieve the name of the DC that has an issue. Is it possible to extract the content of the e-mails or something?

I would like to be able to add the DC's name to the created incident.

My final goal is to send the health alerts, with the DC concerned into a Microsoft Teams discussion, so if there is an alternative or more direct way to do this I would be happy to know it.

Does anyone have any idea how to do this?
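Two points in this thread call for the same piece of code: the syslog workaround suggested above (forward the MDI health alerts from a syslog collector to Sentinel) and the later question of how to get the affected DC's name into the incident or Teams message. MDI's syslog output is CEF-formatted, so whatever sits between the collector and Sentinel or Teams can parse the CEF header and extensions and pull the host field out before forwarding. The parser below is an added example written for this thread; it is not code from Microsoft, from the cloudbrothers article, or from any poster. The sample line, the `dhost`/`dvchost`/`shost` key names it checks for the DC, and the custom-string label convention (`cs1Label=url`) are assumptions for illustration: confirm the real key names against a health alert captured from your own sensors before relying on them.

```python
import re
from typing import Dict, Optional

# Constructed sample syslog line (RFC 5424 header + CEF payload). The vendor,
# product, signature and extension key names are assumptions made for this
# example; check them against the actual syslog output of your sensors.
SAMPLE_SYSLOG_LINE = (
    "<14>1 2024-01-10T08:15:30Z sensor01.corp.example.com MDI - - - "
    "CEF:0|Microsoft|Azure ATP|2.0|HealthAlert|"
    "Directory Services Advanced Auditing is not enabled|5|"
    "externalId=1234 dhost=DC01.corp.example.com "
    "msg=Directory Services Advanced Auditing is not enabled on DC01 "
    "cs1Label=url cs1=https://security.example.test/health/1234"
)

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Extension keys (assumed) that may carry the affected domain controller's
# name, in order of preference.
DC_NAME_KEYS = ("dhost", "dvchost", "shost")


def _unescape(value: str) -> str:
    # CEF escapes '|' in the header and '=' in extensions with a backslash,
    # and a literal backslash is written as '\\'; drop the escaping backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(payload: str) -> Dict[str, Optional[str]]:
    """Parse a 'CEF:0|vendor|product|...|severity|extension' payload into a
    flat dict of the seven header fields plus every extension key/value."""
    if not payload.startswith("CEF:"):
        raise ValueError("not a CEF payload")
    # Split the header on pipes that are not escaped with a backslash;
    # the eighth part (if present) is the whole extension string.
    parts = re.split(r"(?<!\\)\|", payload[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    fields: Dict[str, Optional[str]] = {
        k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])
    }
    extension = parts[7] if len(parts) > 7 else ""
    # Extension values may contain spaces (e.g. msg=...), so split only at
    # whitespace that is immediately followed by another 'key='.
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", extension.strip()):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key] = _unescape(value)
    # Resolve custom-string fields: cs1=... with cs1Label=url becomes url=...
    for key in list(fields):
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m and m.group(1) in fields and fields[key]:
            fields[fields[key]] = fields[m.group(1)]
    return fields


def parse_mdi_health_alert(line: str) -> Dict[str, Optional[str]]:
    """Locate the CEF payload inside a syslog line, parse it, and add a
    'dc_name' entry taken from the first DC_NAME_KEYS key that is present."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    fields = parse_cef(line[idx:])
    fields["dc_name"] = next((fields[k] for k in DC_NAME_KEYS if fields.get(k)), None)
    return fields


def teams_summary(alert: Dict[str, Optional[str]]) -> str:
    """One-line text carrying the alert name, severity and DC, suitable for
    the body of a Teams message or a Sentinel incident description."""
    dc = alert.get("dc_name") or "unknown DC"
    return f"[MDI health] {alert['name']} (severity {alert['severity']}) on {dc}"


if __name__ == "__main__":
    parsed = parse_mdi_health_alert(SAMPLE_SYSLOG_LINE)
    print(teams_summary(parsed))
```

If the health alerts reach Sentinel through the syslog connector, the same split logic can be expressed in KQL in the analytics rule so that the DC name becomes an entity on the incident; if the alerts arrive some other way (for example parsed from the notification e-mail), only the input changes, the extraction of the DC name is the same.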