SOLVED

MS Defender for Identity to SIEM


I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor.

 

Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM? 

 

I also found that currently there is no public API for DFI unfortunately.

4 Replies
best response confirmed by witness777 (Copper Contributor)
Solution

@witness777 

 

If you are using Sentinel, you can use the native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.
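
Once the streaming API lands events in an Event Hub or storage account, something still has to reshape them for the SIEM. The following is an added example, not code from the thread or from Microsoft: it assumes the documented streaming layout (a JSON document with a `records` array whose entries carry `time`, `tenantId`, `category` set to `AdvancedHunting-<TableName>`, and the row in `properties`), keeps only the Defender for Identity tables (`IdentityLogonEvents`, `IdentityQueryEvents`, ...), and emits one CEF line per row with the header and extension escaping that CEF requires. The batch below is constructed sample data, including the column values.

```python
"""Flatten Microsoft 365 Defender streaming API records into SIEM-ready CEF lines.

Added example (not from the original thread). Assumes the streaming API delivers a
JSON document with a "records" array; each record has "time", "tenantId", "category"
("AdvancedHunting-<Table>") and "properties" (the table row). Only Defender for
Identity tables (category prefix "AdvancedHunting-Identity") are kept.
"""
import json
from typing import Dict, List

# Constructed sample batch: two MDI rows and one MDE row that must be filtered out.
SAMPLE_BATCH = json.dumps({
    "records": [
        {
            "time": "2024-04-03T14:00:12.1234567Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "operationName": "Publish",
            "category": "AdvancedHunting-IdentityLogonEvents",
            "properties": {
                "Timestamp": "2024-04-03T14:00:11.000Z",
                "ActionType": "LogonFailed",
                "LogonType": "Kerberos",
                "AccountName": "jdoe",
                "AccountDomain": "contoso",
                "IPAddress": "10.1.2.3",
                "DestinationDeviceName": "dc01.contoso.local",
                "FailureReason": "WrongPassword",
                "ReportId": "1",
            },
        },
        {
            "time": "2024-04-03T14:00:13.0000000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "operationName": "Publish",
            "category": "AdvancedHunting-IdentityQueryEvents",
            # Some writers serialise the row as a JSON string; the parser handles both.
            "properties": json.dumps({
                "Timestamp": "2024-04-03T14:00:12.000Z",
                "ActionType": "LDAP query",
                "QueryType": "LDAP",
                "Query": "(&(objectClass=user)(adminCount=1))",
                "AccountName": "svc-scan",
                "IPAddress": "10.1.2.50",
                "ReportId": "2",
            }),
        },
        {
            "time": "2024-04-03T14:00:14.0000000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "operationName": "Publish",
            "category": "AdvancedHunting-DeviceEvents",
            "properties": {"ActionType": "ProcessCreated", "DeviceName": "ws01"},
        },
    ]
})

# CEF severity (0-10) per ActionType; anything unmapped is medium (3). Assumed mapping.
SEVERITY_BY_ACTION = {"LogonFailed": 5, "LogonSuccess": 2}


def parse_streaming_batch(body: str, table_prefix: str = "AdvancedHunting-Identity") -> List[Dict]:
    """Return flattened MDI events from one streaming API batch; non-MDI tables are dropped."""
    events = []
    for rec in json.loads(body).get("records", []):
        category = rec.get("category", "")
        if not category.startswith(table_prefix):
            continue
        props = rec.get("properties") or {}
        if isinstance(props, str):
            props = json.loads(props)
        events.append({
            "table": category.split("-", 1)[1],
            "time": rec.get("time"),
            "tenantId": rec.get("tenantId"),
            "properties": props,
        })
    return events


def _cef_header(value: str) -> str:
    """CEF header fields escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value) -> str:
    """CEF extension values escape backslash and '=', and must not contain raw newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def to_cef(event: Dict) -> str:
    """Render one flattened event as a CEF:0 line (table column names used as extension keys)."""
    props = event["properties"]
    action = str(props.get("ActionType", "Unknown"))
    header = "|".join([
        "CEF:0", _cef_header("Microsoft"), _cef_header("Defender for Identity"), "1.0",
        _cef_header(f"{event['table']}:{action}"), _cef_header(action),
        str(SEVERITY_BY_ACTION.get(action, 3)),
    ])
    ext = {"rt": event["time"], "cs1": event["tenantId"], "cs1Label": "TenantId"}
    ext.update({k: v for k, v in props.items() if v not in (None, "")})
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


def cef_lines(body: str) -> List[str]:
    """Parse a batch and return the CEF lines to forward to the SIEM."""
    return [to_cef(e) for e in parse_streaming_batch(body)]


if __name__ == "__main__":
    for line in cef_lines(SAMPLE_BATCH):
        print(line)
```

In production the `body` would be the payload of each message read from the Event Hub (or each line of the hourly blob in the storage account) rather than the constructed constant, and the CEF lines would be written to the SIEM's syslog or HTTP collector. If your SIEM enforces the CEF extension dictionary, map the table columns (for example `IPAddress` to `src`, `AccountName` to `suser`) instead of passing them through by name.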

Apologies for the huge delay. I have looked into this and this is definitely the way to go. Will mark this as the answer.

I do have one last question. Is there a cost for using Streaming API? I couldn't find any documentation on this.
How about Splunk using the threat graph security API?

@witness777 

No, there's no specific cost for the streaming APIs. You do have the cost for the Azure resources you are streaming the events into (Event Hubs / storage account / etc.).
