Forum Discussion
KashifKloudy
Jan 25, 2024, Copper Contributor
Ingesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft Purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. I could not find any specific documentation for this. I researched it and found the solutions below; however, I am not sure which would fit our requirement:
- A Splunk add-on for Microsoft Security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub. However, it does not talk about Purview DLP logs.
- This add-on is available for Splunk, but it only says MIP can be integrated and does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase
- As per a few articles, we can also ingest Defender logs into an Azure Event Hub, and the Event Hub can then be connected to Splunk.
The steps mentioned above do not explain much about ingestion of MIP DLP raw data or incidents. If anyone has done it in the past, I would appreciate any input.
- NepFactor, Copper Contributor
KashifKloudy, I haven't found anything outside of what was shared. Do you have any experience now to share how you proceeded?
- Singh123999, Copper Contributor
KashifKloudy possibly look into Office 365 Management Activity API schema | Microsoft Learn
- KashifKloudy, Copper Contributor
Singh123999 thanks for the input.
I explored the Office 365 Management Activity API schema | Microsoft Learn option. However, we can also use Defender log ingestion to Splunk via the Defender add-on (https://apps.splunk.com/app/4959/), since DLP feeds alerts and incidents to the Defender security portal as well. Apart from this, we can also utilize the Graph Security API to ingest feeds to Splunk (https://learn.microsoft.com/en-us/answers/questions/1139341/graph-api-security-get-related-activities-for-a-dl). However, I am not sure which option will be feasible in this case. If you have any inputs on this
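The Office 365 Management Activity API route mentioned in the two posts above delivers DLP events as JSON records (the DLP.All content type), which a collector has to flatten before Splunk can index policy and rule fields cleanly. The following is an added example written for this thread, not code from Microsoft, Splunk or any of the posters. It assumes the record layout published in the Management Activity API DLP schema (Operation, Workload, PolicyDetails, Rules, ConditionsMatched, SensitiveInformation); the index and sourcetype names are placeholders, and the sample records are constructed, not real tenant data. It normalises each matched rule into one flat event, converts the API's zone-less UTC timestamp to epoch seconds for the HTTP Event Collector envelope, and optionally drops events below a severity floor.

```python
"""Flatten Office 365 Management Activity API DLP records for Splunk HEC.

Added example for this thread, not code from Microsoft, Splunk or any poster.
Assumptions: the record layout follows the published Management Activity API
DLP schema (Operation, Workload, PolicyDetails -> Rules -> ConditionsMatched ->
SensitiveInformation); index/sourcetype names are placeholders; the sample
records below are constructed, not real tenant data.
"""
import json
from datetime import datetime, timezone

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample records in the shape a DLP.All content blob returns.
SAMPLE_RECORDS = [
    {
        "Id": "11111111-1111-1111-1111-111111111111",  # constructed
        "CreationTime": "2024-01-25T10:15:30",         # UTC, no trailing Z
        "Operation": "DlpRuleMatch",
        "Workload": "Exchange",
        "UserId": "user@example.com",
        "PolicyDetails": [{
            "PolicyName": "Financial Data Policy",
            "Rules": [{
                "RuleName": "Block external credit card",
                "Severity": "High",
                "Actions": ["BlockAccess", "GenerateIncidentReport"],
                "ConditionsMatched": {"SensitiveInformation": [
                    {"SensitiveType": "Credit Card Number", "Count": 3, "Confidence": 85},
                ]},
            }],
        }],
    },
    {
        "Id": "22222222-2222-2222-2222-222222222222",  # constructed
        "CreationTime": "2024-01-25T10:16:02",
        "Operation": "DlpRuleMatch",
        "Workload": "SharePoint",
        "UserId": "admin@example.com",
        "PolicyDetails": [{
            "PolicyName": "Internal PII Policy",
            "Rules": [{
                "RuleName": "Notify on national ID",
                "Severity": "Low",
                "Actions": ["NotifyUser"],
                "ConditionsMatched": {"SensitiveInformation": [
                    {"SensitiveType": "U.S. Social Security Number (SSN)", "Count": 1, "Confidence": 65},
                ]},
            }],
        }],
    },
]


def creation_time_to_epoch(value: str) -> int:
    """Management Activity API timestamps are UTC but carry no zone suffix."""
    dt = datetime.fromisoformat(value.replace("Z", "")).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def flatten_dlp_record(record: dict) -> list[dict]:
    """Emit one flat event per matched rule so Splunk indexes rule fields directly.

    Records carrying no rules (e.g. informational operations) yield one base event.
    """
    base = {
        "record_id": record.get("Id"),
        "operation": record.get("Operation"),
        "workload": record.get("Workload"),
        "user": record.get("UserId"),
    }
    events = []
    for policy in record.get("PolicyDetails", []):
        for rule in policy.get("Rules", []):
            info = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
            events.append({
                **base,
                "policy_name": policy.get("PolicyName"),
                "rule_name": rule.get("RuleName"),
                "severity": rule.get("Severity", "Unknown"),
                "actions": ",".join(rule.get("Actions", [])),
                "sensitive_types": ",".join(i.get("SensitiveType", "") for i in info),
                "match_count": sum(i.get("Count", 0) for i in info),
            })
    return events or [base]


def to_hec_payloads(records, index="purview_dlp", sourcetype="o365:dlp", min_severity=None):
    """Wrap flattened events in HEC envelopes; with min_severity set, events whose
    severity ranks below it (including events with no severity) are dropped."""
    floor = SEVERITY_RANK.get(min_severity, 0)
    payloads = []
    for rec in records:
        for ev in flatten_dlp_record(rec):
            if SEVERITY_RANK.get(ev.get("severity"), 0) < floor:
                continue
            payloads.append({
                "time": creation_time_to_epoch(rec["CreationTime"]),
                "index": index,
                "sourcetype": sourcetype,
                "source": "o365:management-activity",
                "event": ev,
            })
    return payloads


if __name__ == "__main__":
    # Each line printed is one JSON body ready to POST to /services/collector/event.
    for p in to_hec_payloads(SAMPLE_RECORDS, min_severity="Medium"):
        print(json.dumps(p))
```

Run as a script it prints one HEC envelope per line for the High-severity sample only; with `min_severity=None` both samples pass through. Polling the DLP.All subscription and POSTing the envelopes to the collector endpoint is left to the caller, since that part is tenant-specific.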
- Brad Hayes, Brass Contributor
Hi KashifKloudy,
I wondered how this was progressing; I am interested in exactly the same thing as you: "push MIP DLP related alerts, incidents and data to Splunk SIEM". I wondered how this has progressed since you last posted. Could you share what you did and what has been successful, please?
Thanks
Brad