Microsoft Tech Community

Ingesting Purview compliance DLP logs to Splunk


We are in the process of enabling Microsoft Purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. I could not find any specific documentation for this. I researched it and found the solutions below; however, I am not sure which would fit our requirement:

The above-mentioned steps do not explain much about the ingestion of MIP DLP raw data or incidents. If anyone has done it in the past, I would appreciate any input.



@Singh123999 thanks for the input.

I explored this option (Office 365 Management Activity API schema | Microsoft Learn); however, we can also use Defender log ingestion to Splunk via the Defender add-on https://apps.splunk.com/app/4959/, since DLP feeds alerts and incidents to the Defender security portal as well. Apart from this, we can also use the Graph Security API to ingest feeds into Splunk (https://learn.microsoft.com/en-us/answers/questions/1139341/graph-api-security-get-related-activitie...). However, I am not sure which option will be feasible in this case. If you have any inputs on this
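The Office 365 Management Activity API route discussed in the reply above, as an added example that is not part of this thread and not code from Microsoft or Splunk: a small poller that starts a `DLP.All` subscription, lists the content blobs for a time window, flattens each DLP audit record (PolicyDetails, Rules, matched sensitive information types) into a Splunk HTTP Event Collector event, and posts the batch to HEC. The tenant id, app registration, HEC URL and token are placeholders; the `o365:dlp` sourcetype name and the `office365:management-activity` source are my own choices, not a Microsoft or Splunk convention; the sample record used by `sample_record()` is constructed to match the documented DLP schema and is not real tenant data.

```python
"""Pull DLP.All records from the Office 365 Management Activity API and forward them to Splunk HEC."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholders (constructed, not from the thread): replace with your own tenant values.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<app-client-id>"
CLIENT_SECRET = "<app-client-secret>"
SPLUNK_HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"
SPLUNK_HEC_TOKEN = "<hec-token>"
MGMT = "https://manage.office.com"
CONTENT_TYPE = "DLP.All"


def get_token():
    """Client-credentials token for the Management Activity API (resource manage.office.com)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "resource": MGMT,
    }).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _api(token, path, query=None, method="GET"):
    url = f"{MGMT}/api/v1.0/{TENANT_ID}/activity/feed/{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_dlp_records(token, start, end):
    """Ensure the subscription exists, list blobs for [start, end), and return all records in them."""
    _api(token, "subscriptions/start", {"contentType": CONTENT_TYPE}, method="POST")
    fmt = "%Y-%m-%dT%H:%M:%S"
    blobs = _api(token, "subscriptions/content",
                 {"contentType": CONTENT_TYPE, "startTime": start.strftime(fmt), "endTime": end.strftime(fmt)})
    records = []
    for blob in blobs:  # each blob is a JSON array of audit records at contentUri
        req = urllib.request.Request(blob["contentUri"], headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            records.extend(json.load(resp))
    return records


def dlp_record_to_hec_event(record):
    """Flatten one DLP.All record into a Splunk HEC event; field names follow the DLP audit schema."""
    created = datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)
    matches = []
    for policy in record.get("PolicyDetails", []):
        for rule in policy.get("Rules", []):
            sits = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
            matches.append({
                "policy": policy.get("PolicyName"), "rule": rule.get("RuleName"),
                "severity": rule.get("Severity"), "actions": rule.get("Actions", []),
                "sensitive_types": [{"name": s.get("SensitiveInformationTypeName"), "count": s.get("Count")}
                                    for s in sits],
            })
    return {
        "time": int(created.timestamp()),
        "source": "office365:management-activity",  # assumed naming
        "sourcetype": "o365:dlp",                   # assumed naming
        "event": {"id": record.get("Id"), "operation": record.get("Operation"),
                  "workload": record.get("Workload"), "user": record.get("UserId"),
                  "matches": matches, "raw": record},
    }


def build_hec_payload(events):
    """HEC accepts concatenated JSON objects in one POST; return the batch body as bytes."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def send_to_splunk(events):
    req = urllib.request.Request(SPLUNK_HEC_URL, data=build_hec_payload(events), method="POST",
                                 headers={"Authorization": f"Splunk {SPLUNK_HEC_TOKEN}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def sample_record():
    """Constructed DLP.All record (not real data) shaped like the documented DLP schema."""
    return {"CreationTime": "2024-05-01T10:15:30", "Id": "00000000-0000-0000-0000-000000000001",
            "Operation": "DlpRuleMatch", "Workload": "SharePoint", "UserId": "alice@contoso.example",
            "PolicyDetails": [{"PolicyName": "Credit card data", "Rules": [{
                "RuleName": "High volume", "Severity": "High", "Actions": ["BlockAccess", "NotifyUser"],
                "ConditionsMatched": {"SensitiveInformation": [
                    {"SensitiveInformationTypeName": "Credit Card Number", "Count": 12, "Confidence": 85}]}}]}]}


def run_once(lookback_minutes=60):
    """Poll the last N minutes (the API caps a single window at 24 hours) and forward to Splunk."""
    end = datetime.now(timezone.utc)
    token = get_token()
    records = fetch_dlp_records(token, end - timedelta(minutes=lookback_minutes), end)
    return send_to_splunk([dlp_record_to_hec_event(r) for r in records]) if records else None
```

Schedule `run_once()` from cron or a scheduled task and persist the last `end` timestamp between runs so windows do not overlap or leave gaps; the `matches` list is what a Splunk alert would key on (policy, rule, severity, sensitive type counts), while `raw` keeps the full record for forensic review.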

Hi @KashifKloudy,
I wondered how this was progressing; I am interested in exactly the same thing as you, "push MIP DLP related alerts, incidents and data to Splunk SIEM". I wondered how this has progressed since you last posted; could you share what you did and what has been successful, please?
Thanks,
Brad
Would love to know any update on this as well

Thx