MDI Health Alerts - Send to Sentinel

Question

What is the best way to ensure that MDI health alerts like&nbsp;"Directory Services Advanced Auditing is not enabled" show as an alert in Sentinel?

martin_schvartzman · Answer

Dean_Gross&nbsp;
Yes. Native forwarding the MDI health alerts to Sentinel is being evaluated.

martin_schvartzman · Answer

Dean_Gross&nbsp;
There is no direct pipe for the health alerts to Sentinel.
As&nbsp;GershonLevitz-MSFT&nbsp;suggested in the Teams channel, you could use the syslog capability in MDI to get them into a server in your environment and then forward them to Sentinel using the log analytics agent. See&nbsp;Connect Syslog data to Microsoft Sentinel | Microsoft Learn

dean_gross · Answer

Thanks for the workaround, are there any plans to add this basic functionality? I don't think that we should have to do extra work like this after we have already configured the sensors and since the health data is already visible in M365 Security center

dean_gross · Answer

FYI, for anyone else interested in this topic, an approach is described here https://cloudbrothers.info/en/integrate-mdi-health-alerts-microsoft-sentinel/

docyx · Answer

Dean_Gross&nbsp;Hi everyone&nbsp;I created an analytics rule based on the Cloudbrother tutorial.But the problem with this is that we cannot retrieve the name of the DC that has an issue. Is it possible to extract the content of the e-mails or something ?&nbsp;I would like to be able to add the DC's name to the created incident.My final goal is to send the health alerts, with the DC concerned into a Microsoft Teams discussion, so if there is an alternative or more direct way to do this I would be happy to know it.&nbsp;Does anyone have any idea how to do this ?

Forum Discussion

MDI Health Alerts - Send to Sentinel

Share