MDI Health Alerts - Send to Sentinel

Silver Contributor

What is the best way to ensure that MDI health alerts like "Directory Services Advanced Auditing is not enabled" show as an alert in Sentinel?

4 Replies

@Dean Gross 

There is no direct pipe for the health alerts to Sentinel.

As @Gershon Levitz suggested in the Teams channel, you could use the syslog capability in MDI to get them into a server in your environment and then forward them to Sentinel using the log analytics agent. See Connect Syslog data to Microsoft Sentinel | Microsoft Learn

Thanks for the workaround, are there any plans to add this basic functionality? I don't think that we should have to do extra work like this after we have already configured the sensors and since the health data is already visible in M365 Security center

@Dean Gross 

Yes. Native forwarding the MDI health alerts to Sentinel is being evaluated.

FYI, for anyone else interested in this topic, an approach is described here