MS Defender for Identity to SIEM

witness777 · ‎May 04 2022

I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor.

Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM?

I also found that currently there is no public API for DFI unfortunately.

witness777 · ‎May 06 2022

If you are using Sentinel, you can use native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs

Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.

witness777 · ‎May 31 2022

Apologies for the huge delay. I have looked into this and this is definitely the way to go. Will mark this as the answer.

I do have one last question. Is there a cost for using Streaming API? I couldn't find any documentation on this.

JoeMJoeM · ‎Jun 16 2022

How about Splunk using threat graph security API?

Martin_Schvartzman · ‎Jun 16 2022

@witness777

No, there's no specific cost for the streaming APIs. You do have the cost for the Azure resources you are streaming the event into (eventHub / storage account / etc.).

MS Defender for Identity to SIEM

MS Defender for Identity to SIEM

Re: MS Defender for Identity to SIEM

Re: MS Defender for Identity to SIEM

Re: MS Defender for Identity to SIEM

Re: MS Defender for Identity to SIEM

Products (52)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

MS Defender for Identity to SIEM