Forum Discussion
witness777 (Copper Contributor)
May 04, 2022
MS Defender for Identity to SIEM
I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor.
Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM?
I also found that currently there is no public API for DFI unfortunately.
- Martin_Schvartzman
Microsoft
If you are using Sentinel, you can use the native connector, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs
Or you could use the streaming API to export events to a storage account or to an event hub and get them to your SIEM from there. See Announcing Microsoft 365 Defender Streaming API Public Preview - Microsoft Tech Community. Note that MDI events are currently in public preview.
- witness777
Copper Contributor
Apologies for the huge delay. I have looked into this and this is definitely the way to go. Will mark this as the answer.
I do have one last question. Is there a cost for using Streaming API? I couldn't find any documentation on this.
- Martin_Schvartzman
Microsoft
No, there's no specific cost for the streaming APIs. You do have the cost for the Azure resources you are streaming the event into (eventHub / storage account / etc.).