SIEM / Defender for Identity integration


Hello Everyone,

I am working on the possibility of integrating SIEM and Defender for Identity alerts. I know that there is a possibility to send the alerts from the Defender cloud to SIEM Splunk, by choosing a single sensor in the configuration that there is in MS documentation. I have some questions:

  • I would like to know if there is the possibility of having to configure multiple sensors?
  • Is a single sensor sufficient to send all alerts whether they are High, Medium or Low?
  • I would also like to know if there is a possibility to send the alerts of the SIEM Splunk to the Defender portal?

Thanks for your help.

Regards

4 Replies

@Nawel335 
You can only select one; it should be more than enough to send all the alerts.
As you just get metadata there, the load should not be that high.

What info do you want to send from the SIEM to MDI?
We have such a scenario for standalone sensors that are not installed on the DC, so they can get the Windows events from the SIEM, but if you are using the best practice of installing on the DC itself for full detection capabilities, there should not be a need to add more data from the SIEM, as we have access to all needed data sources from the machine itself...
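The reply above states that a single sensor's syslog feed carries every alert regardless of severity. As an added example (not from this thread and not Microsoft's code), here is a small Python parser for the CEF-formatted syslog lines Defender for Identity forwards, with a coverage check that reports any severity bucket the SIEM has not yet received; the sample lines are constructed, and the High/Medium/Low grouping of the CEF 0-10 score is this example's own assumption, not MDI's labels.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the CEF layout Defender for Identity uses for
# forwarded alerts; alert names, host names, users and URLs are illustrative only.
SAMPLE_LINES = [
    "Feb 10 09:12:33 mdi-sensor01 CEF:0|Microsoft|Defender for Identity|2.0|Alert|"
    "Suspected identity theft (pass-the-ticket)|9|start=2021-02-10T09:12:30Z "
    "cs1Label=url cs1=https://portal.example.test/alerts/1 msg=Ticket reused from host\\=WS01",
    "Feb 10 09:15:02 mdi-sensor01 CEF:0|Microsoft|Defender for Identity|2.0|Alert|"
    "Suspicious service creation \\| remote exec|5|shost=SRV02 suser=svc-backup",
    "Feb 10 09:20:45 mdi-sensor01 CEF:0|Microsoft|Defender for Identity|2.0|Alert|"
    "Honeytoken activity|2|suser=honey.user",
]

_HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                  "signature_id", "name", "severity")

def parse_cef(line: str) -> dict:
    """Split one CEF line into its seven header fields plus an extension dict.
    Handles the CEF escapes: '\\|' inside header fields and '\\=' inside values."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    body = line[start + 4:]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: keep the next char literally
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(_HEADER_FIELDS, fields))
    ext = body[i:]
    # Extension keys are word chars followed by '='; an escaped '\=' inside a value
    # never matches because the backslash is not a word character.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    event["ext"] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event["ext"][m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return event

def severity_bucket(severity: str) -> str:
    """Bucket the CEF 0-10 severity; this grouping is the example's own, not MDI's labels."""
    n = int(severity)
    return "High" if n >= 7 else "Medium" if n >= 4 else "Low"

def severity_coverage(lines):
    """Count received alerts per bucket and list the buckets with no alerts seen."""
    counts = Counter(severity_bucket(parse_cef(l)["severity"]) for l in lines)
    missing = [b for b in ("High", "Medium", "Low") if counts[b] == 0]
    return dict(counts), missing
```

Run `severity_coverage` over a day's worth of forwarded lines from the one configured sensor; an empty `missing` list confirms the SIEM is receiving alerts at every severity.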

@Eli Ofek thank you for your answer.

I'm not using a standalone sensor; I was just wondering if it's possible to do the integration from the SIEM to Defender for Identity.

I wanted to know also if there is any other possible configuration of Splunk to get all the alerts of Defender for Identity besides this one: https://docs.microsoft.com/en-in/defender-for-identity/setting-syslog

Does anyone have an idea about that?

Thanks

@Nawel335 Not natively within MDI, but if you turn on the Cloud App Security integration,
you might have options there I am not familiar with.

@Nawel335 

While I haven't tested it myself, you could use the Graph API support for Splunk to get all M365 alerts:

Microsoft Graph Security API Add-On for Splunk | Splunkbase