Feb 17 2021 01:24 AM
Hello Everyone,
I am working on the possibility of integrating SIEM and Defender for Identity alerts. I know that there is a possibility to send the alerts from the Defender cloud to the SIEM Splunk by choosing a single sensor in the configuration described in the MS documentation. I have some questions:
Thanks for your help.
Regards
Feb 17 2021 02:10 AM
@Nawel335
You can only select one, it should be more than enough to send all the alerts,
As you just get meta data there, the load should not be that high.
What info do you want to send from the SIEM to MDI ?
We have such a scenario for standalone sensors that are not installed on the DC, so they can get the Windows events from the SIEM, but if you are using the best practice of installing on the DC itself for full detection capabilities, there should not be a need to add more data from the SIEM as we have access to all needed data sources from the machine itself...
Feb 18 2021 12:33 AM
@EliOfek thank you for your answer.
I'm not using the standalone sensor one, I was just wondering if it's possible to do the integration from the SIEM to Defender for Identity.
I also wanted to know if there is any other possible configuration of Splunk to get all the alerts of Defender for Identity besides this one https://docs.microsoft.com/en-in/defender-for-identity/setting-syslog
Can anyone have an idea about that?
Thanks
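The syslog option linked above forwards each alert as a CEF (Common Event Format) line, which is what Splunk ends up ingesting; the parser below is an added example written for this thread, not Microsoft's or Splunk's code, and the alert line it parses is constructed (the field values are made up, and the real field layout should be taken from the linked setting-syslog doc). It shows what a SIEM actually receives from that channel: only alert metadata, as EliOfek notes, with the pipe and equals-sign escaping that CEF requires handled correctly.

```python
import re

# Constructed sample (not a real MDI alert): a syslog-wrapped CEF line in the general
# shape that MDI's syslog forwarding emits; field values here are made up.
CONSTRUCTED_ALERT = (
    "<14>1 2021-02-18T08:12:00Z sensor01 CEF:0|Microsoft|Defender for Identity|2.0.0|"
    "SuspiciousActivity|Suspected identity theft (pass-the-ticket)|5|externalId=1234 "
    "suser=jdoe cs1Label=url cs1=https://contoso.example/alerts/ABC123 msg=Note\\=see\\nportal"
)
HEADER_NAMES = ["version", "vendor", "product", "device_version", "event_class_id", "name", "severity"]
# An extension key only starts after whitespace (or at the start), so an escaped
# "\=" inside a value is never mistaken for the next key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _split_header(payload: str):  # split the 7 pipe-delimited fields, honouring \| and \\
    fields, buf, i = [], [], 0
    while i < len(payload) and len(fields) < len(HEADER_NAMES):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):  # escaped char: keep it literally
            buf.append(payload[i + 1]); i += 2
        elif ch == "|":                          # unescaped pipe: field boundary
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < len(HEADER_NAMES) and buf:  # header ended without a trailing pipe
        fields.append("".join(buf))
    return fields, payload[i:]

def _unescape(value: str) -> str:  # undo the CEF extension escapes \= \\ \n \r
    return re.sub(r"\\([=\\nr])", lambda m: {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}[m.group(1)], value)

def _parse_extension(ext: str) -> dict:  # 'k1=v1 k2=v2 ...' -> dict; values may contain spaces
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_cef(line: str) -> dict:  # one syslog line carrying a CEF payload -> flat alert dict
    _, found, payload = line.partition("CEF:")
    if not found:
        raise ValueError("no CEF payload in line")
    header, extension = _split_header(payload)
    if len(header) != len(HEADER_NAMES):
        raise ValueError("malformed CEF header")
    return dict(zip(HEADER_NAMES, header), extension=_parse_extension(extension))
```

Running `parse_cef(CONSTRUCTED_ALERT)` gives the seven header fields plus an `extension` dict, which is the whole of what the single forwarding sensor hands to Splunk for each alert.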
Feb 18 2021 02:23 AM
@Nawel335 Not natively within MDI, but if you turn on the Cloud App Security integration,
you might have options there I am not familiar with.
Feb 20 2021 11:45 PM
While I haven't tested it myself, you could use the Graph API support for Splunk to get all M365 alerts
Microsoft Graph Security API Add-On for Splunk | Splunkbase