Microsoft Tech Community

MS Defender for Identity to SIEM


I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor.


Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM? 


I also found that currently there is no public API for DFI unfortunately.

4 Replies
best response confirmed by witness777 (Copper Contributor)



If you are using Sentinel, you can use the native connector; see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.

Apologies for the huge delay. I have looked into this and this is definitely the way to go. Will mark this as the answer.

I do have one last question. Is there a cost for using Streaming API? I couldn't find any documentation on this.
How about Splunk using threat graph security API?


No, there's no specific cost for the streaming APIs. You do have the cost for the Azure resources you are streaming the event into (eventHub / storage account / etc.).