Jan 24 2024 11:27 PM
We are in the process of enabling Microsoft Purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. I could not find any specific documentation for this. I researched it and found the solutions below; however, I am not sure which one would fit our requirement:
The above-mentioned steps do not explain much about the ingestion of MIP DLP raw data or incidents. If anyone has done this in the past, I would appreciate any input.
Feb 06 2024 12:07 PM - edited Feb 06 2024 12:07 PM
@KashifKloudy possibly look into Office 365 Management Activity API schema | Microsoft Learn
Feb 08 2024 06:40 AM
@Singh123999 thanks for the input.
I explored this option (Office 365 Management Activity API schema | Microsoft Learn); however, we could also ingest Defender logs into Splunk using the Defender add-on https://apps.splunk.com/app/4959/, since DLP feeds alerts and incidents to the Defender security portal as well. Apart from this, we could also utilize the Graph Security API to ingest feeds into Splunk (https://learn.microsoft.com/en-us/answers/questions/1139341/graph-api-security-get-related-activitie...). However, I am not sure which option will be feasible in this case. If you have any inputs on this