MS Defender for Identity to SIEM


I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor.


Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM? 


I also found that currently there is no public API for DFI unfortunately.

1 Reply



If you are using Sentinel, you can use the native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.
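
For the Event Hub route mentioned in the reply, the SIEM side has to unwrap each message and pick out the identity events before forwarding them. The sketch below is an added example, not part of the original thread or Microsoft's code. It assumes the streaming API's `records` envelope (`time`, `tenantId`, `category`, `properties`) and that MDI events arrive under `AdvancedHunting-Identity*` categories; the sample message and its field values are constructed.

```python
import json

# Assumption: MDI data arrives as the Identity* advanced hunting tables,
# each record tagged with category "AdvancedHunting-<TableName>".
MDI_CATEGORY_PREFIX = "AdvancedHunting-Identity"


def extract_mdi_events(message_body):
    """Return (events, skipped) for one Event Hub message body (str or bytes)."""
    try:
        envelope = json.loads(message_body)
    except (TypeError, ValueError):
        return [], 1  # not JSON: count it so ingestion gaps are visible
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        return [], 1
    events, skipped = [], 0
    for record in records:
        if not isinstance(record, dict):
            skipped += 1
            continue
        category = record.get("category")
        if not isinstance(category, str) or not category.startswith(MDI_CATEGORY_PREFIX):
            continue  # another workload's table, not an error
        if not isinstance(record.get("properties"), dict):
            skipped += 1  # identity record without a usable payload
            continue
        events.append({
            "table": category.split("-", 1)[1],
            "received": record.get("time"),
            "tenant": record.get("tenantId"),
            "event": record["properties"],
        })
    return events, skipped


def to_siem_lines(events):
    """Serialize each event as one compact JSON line for a SIEM collector."""
    return [json.dumps(e, sort_keys=True, separators=(",", ":")) for e in events]


# Constructed sample message: one identity event, one device event, one broken record.
SAMPLE_BODY = json.dumps({"records": [
    {"time": "2022-01-01T00:00:00Z", "tenantId": "tenant-placeholder",
     "category": "AdvancedHunting-IdentityLogonEvents",
     "properties": {"ActionType": "LogonFailed", "AccountUpn": "user@example.test"}},
    {"time": "2022-01-01T00:00:01Z", "tenantId": "tenant-placeholder",
     "category": "AdvancedHunting-DeviceEvents", "properties": {}},
    {"category": "AdvancedHunting-IdentityQueryEvents", "properties": None},
]})
```

Alerting on a non-zero `skipped` count helps catch schema changes while the MDI events are still in preview.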