MS Defender for Identity to SIEM


I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor.

 

Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM? 

 

I also found that currently there is no public API for DFI unfortunately.

1 Reply

@witness777 

 

If you are using Sentinel, you can use the native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.
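For the Event Hub route the reply describes, the SIEM side still has to unpack what the Streaming API puts on the hub: each message is a JSON envelope with a `records` array, and every record carries `time`, `tenantId`, `operationName`, a `category` of the form `AdvancedHunting-<TableName>`, and the advanced-hunting row itself under `properties`. The script below is an added example, not code from the thread or from Microsoft: it parses one such message, keeps only the records from the Defender for Identity tables (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, IdentityInfo), decodes `AdditionalFields` when it arrives as a JSON-encoded string, and emits newline-delimited JSON that a generic SIEM file or HTTP collector can ingest. The sample message and its field values are constructed for the example; the table list is the one the streaming API exposes for MDI, and the exact set of columns in a live tenant may differ.

```python
import json
from typing import Any, Dict, List

# Advanced-hunting tables that originate from Defender for Identity (MDI).
MDI_TABLES = {
    "IdentityLogonEvents",
    "IdentityQueryEvents",
    "IdentityDirectoryEvents",
    "IdentityInfo",
}
CATEGORY_PREFIX = "AdvancedHunting-"


def parse_event_hub_message(body: str) -> List[Dict[str, Any]]:
    """Return the records inside one Streaming API Event Hub message.

    Envelope shape: {"records": [{"time", "tenantId", "operationName",
    "category": "AdvancedHunting-<Table>", "properties": {...}}, ...]}.
    A bare list of records is tolerated as well.
    """
    doc = json.loads(body)
    records = doc.get("records") if isinstance(doc, dict) else doc
    if not isinstance(records, list):
        raise ValueError("unexpected payload: no 'records' array")
    return records


def table_name(record: Dict[str, Any]) -> str:
    """Strip the 'AdvancedHunting-' prefix from the category field."""
    category = str(record.get("category", ""))
    if category.startswith(CATEGORY_PREFIX):
        return category[len(CATEGORY_PREFIX):]
    return category


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one record into a single SIEM-friendly dict."""
    event = dict(record.get("properties") or {})
    # AdditionalFields is nested data in advanced hunting; exports may carry it
    # as a JSON string. Decode it so the SIEM can index the inner keys.
    extra = event.get("AdditionalFields")
    if isinstance(extra, str):
        try:
            event["AdditionalFields"] = json.loads(extra)
        except json.JSONDecodeError:
            pass  # leave the raw string; never drop evidence silently
    event["EventTime"] = record.get("time")
    event["TenantId"] = record.get("tenantId")
    event["Table"] = table_name(record)
    return event


def mdi_events(body: str) -> List[Dict[str, Any]]:
    """Parse a message and keep only Defender for Identity rows."""
    return [
        normalize(r)
        for r in parse_event_hub_message(body)
        if table_name(r) in MDI_TABLES
    ]


def to_jsonl(events: List[Dict[str, Any]]) -> str:
    """One JSON object per line, keys sorted for stable diffs in the SIEM."""
    return "\n".join(json.dumps(e, sort_keys=True, default=str) for e in events)


# Constructed sample message (not real tenant data): two MDI rows and one
# DeviceProcessEvents row that a Defender for Endpoint sensor would produce.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2022-05-10T08:15:02.000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "operationName": "Advanced Hunting",
            "category": "AdvancedHunting-IdentityLogonEvents",
            "properties": {
                "Timestamp": "2022-05-10T08:15:01.000Z",
                "ActionType": "LogonFailed",
                "LogonType": "Network",
                "Protocol": "Kerberos",
                "AccountName": "jsmith",
                "AccountDomain": "corp",
                "DeviceName": "ws-101.corp.example",
                "IPAddress": "10.0.5.23",
                "DestinationDeviceName": "dc01.corp.example",
                "FailureReason": "WrongPassword",
                "AdditionalFields": "{\"Count\": 1}",
            },
        },
        {
            "time": "2022-05-10T08:15:03.000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "operationName": "Advanced Hunting",
            "category": "AdvancedHunting-DeviceProcessEvents",
            "properties": {"DeviceName": "ws-101.corp.example", "FileName": "cmd.exe"},
        },
        {
            "time": "2022-05-10T08:15:04.000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "operationName": "Advanced Hunting",
            "category": "AdvancedHunting-IdentityQueryEvents",
            "properties": {
                "ActionType": "LDAP query",
                "AccountName": "jsmith",
                "DeviceName": "ws-101.corp.example",
                "DestinationDeviceName": "dc01.corp.example",
            },
        },
    ]
})

if __name__ == "__main__":
    print(to_jsonl(mdi_events(SAMPLE_MESSAGE)))
```

In a real consumer the `body` would come from the Event Hub client's received message; the filtering here is what lets a SIEM licence by MDI volume only, since one streaming subscription can carry every Defender table the tenant has enabled. Treat every field as untrusted input when building detections: `AccountName` and `DeviceName` are attacker-influenced strings, which is why the script decodes JSON but never evaluates or reformats the values.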