Ingesting Purview compliance DLP logs to Splunk

Copper Contributor

We are in the process of enabling Microsoft Purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. Could not find any specific documentation for the same. Researched on this and found below solutions, however not sure which could work to fit in our requirement:

Above-mentioned steps do not explain much about ingestion of MIP DLP raw data or incidents. If anyone has done it in the past I will appreciate any input.


2 Replies

@Singh123999  thanks for the input.

I explored this option (Office 365 Management Activity API schema | Microsoft Learn), however we can also use Defender logs ingestion to Splunk using Defender https://apps.splunk.com/app/4959/ since DLP feeds alerts and incidents to the Defender security portal as well. Apart from this, we can utilize the Graph Security API also to ingest feeds to Splunk (https://learn.microsoft.com/en-us/answers/questions/1139341/graph-api-security-get-related-activitie...). However I am not sure which option will be feasible in this case. If you have any inputs on this
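For the first option the reply mentions (pulling DLP events from the Office 365 Management Activity API and forwarding them to Splunk), the following is an added example written for this thread, not code from either poster, Microsoft or Splunk. It walks the `DLP.All` content type through the subscription/content-blob flow, flattens each event into the fields a SOC usually wants indexed (policy, rule, severity, user, workload), and posts the result to a Splunk HTTP Event Collector. Assumptions: tenant id, app credentials, HEC URL and HEC token come from environment variables; the sample event is constructed and only approximates the `DLP.All` schema; the Defender add-on and Graph Security API routes mentioned above are not covered here.

```python
"""Added example: Office 365 Management Activity API (DLP.All) -> Splunk HEC.
Not the thread's or any vendor's code. Credentials are read from environment
variables; the sample event below is constructed for offline testing."""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Dict, Iterable, List

MANAGE_API = "https://manage.office.com"           # Management Activity API host
CONTENT_TYPE = "DLP.All"                            # DLP policy match / undo / info events
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}  # used to pick the worst rule hit

# Constructed sample approximating one DLP.All 'DlpRuleMatch' record (assumed field names).
SAMPLE_EVENTS: List[Dict] = [{
    "CreationTime": "2024-03-01T10:15:30",
    "Id": "00000000-0000-0000-0000-000000000001",
    "Operation": "DlpRuleMatch",
    "Workload": "SharePoint",
    "UserId": "alice@example.com",
    "PolicyDetails": [{
        "PolicyName": "PCI-Cardholder-Data",
        "Rules": [{"RuleName": "High volume of credit card numbers",
                   "Severity": "High",
                   "Actions": ["BlockAccess", "NotifyUser"]}],
    }],
}]


def parse_creation_time(value: str) -> float:
    """CreationTime is UTC without an offset ('2024-03-01T10:15:30'); return epoch seconds."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc).timestamp()


def summarise_dlp_event(ev: Dict) -> Dict:
    """Flatten PolicyDetails/Rules into searchable top-level fields for Splunk."""
    policies = ev.get("PolicyDetails", [])
    rules = [r for p in policies for r in p.get("Rules", [])]
    severities = [r.get("Severity", "Unknown") for r in rules]
    return {
        "time": parse_creation_time(ev["CreationTime"]),
        "id": ev.get("Id"),
        "operation": ev.get("Operation"),
        "workload": ev.get("Workload"),
        "user": ev.get("UserId"),
        "policy": ", ".join(p.get("PolicyName", "") for p in policies),
        "rule": ", ".join(r.get("RuleName", "") for r in rules),
        "actions": sorted({a for r in rules for a in r.get("Actions", [])}),
        "severity": max(severities, key=lambda s: SEVERITY_RANK.get(s, 0), default="Unknown"),
    }


def to_hec_envelopes(events: Iterable[Dict], sourcetype: str = "o365:dlp") -> List[Dict]:
    """Wrap each event in the HEC /services/collector/event JSON envelope."""
    envelopes = []
    for ev in events:
        summary = summarise_dlp_event(ev)
        envelopes.append({
            "time": summary["time"],
            "source": f"o365:management-activity:{CONTENT_TYPE}",
            "sourcetype": sourcetype,
            "event": {"summary": summary, "raw": ev},   # keep the raw record for forensics
        })
    return envelopes


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials token scoped to the Management Activity API."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": f"{MANAGE_API}/.default"}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def api_call(url: str, token: str, method: str = "GET"):
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        data = resp.read()
        return (json.loads(data) if data else None), resp.headers.get("NextPageUri")


def fetch_dlp_events(tenant_id: str, token: str, start_time: str, end_time: str) -> List[Dict]:
    """Start (idempotent) the DLP.All subscription, page through content blobs, pull events."""
    base = f"{MANAGE_API}/api/v1.0/{tenant_id}/activity/feed/subscriptions"
    api_call(f"{base}/start?contentType={CONTENT_TYPE}", token, method="POST")
    url = f"{base}/content?contentType={CONTENT_TYPE}&startTime={start_time}&endTime={end_time}"
    events: List[Dict] = []
    while url:                                   # NextPageUri header drives pagination
        blobs, url = api_call(url, token)
        for blob in blobs or []:
            page, _ = api_call(blob["contentUri"], token)
            events.extend(page or [])
    return events


def send_to_hec(hec_url: str, hec_token: str, envelopes: List[Dict]) -> int:
    """POST newline-separated envelopes to Splunk HEC; returns the HTTP status code."""
    payload = "\n".join(json.dumps(e) for e in envelopes).encode()
    req = urllib.request.Request(f"{hec_url.rstrip('/')}/services/collector/event", data=payload,
                                 headers={"Authorization": f"Splunk {hec_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":   # live run; all names below are assumed environment variables
    tok = get_token(os.environ["O365_TENANT_ID"], os.environ["O365_CLIENT_ID"], os.environ["O365_CLIENT_SECRET"])
    evs = fetch_dlp_events(os.environ["O365_TENANT_ID"], tok, os.environ["START_TIME"], os.environ["END_TIME"])
    print(send_to_hec(os.environ["SPLUNK_HEC_URL"], os.environ["SPLUNK_HEC_TOKEN"], to_hec_envelopes(evs)))
```

The `summary` object is what detection content should key on (for example, alert on `severity=High` with `BlockAccess` absent from `actions`), while the untouched `raw` record preserves the full `PolicyDetails`, `SharePointMetaData` or `ExchangeMetaData` for investigation. The Management Activity API only serves content for a rolling window after subscription start, so the scheduler that calls `fetch_dlp_events` should track the last `contentCreated` it processed rather than re-pulling from a fixed date.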