Deployment Architecture

How can we ingest MDI logs to Splunk?

RishavAnand
New Member

How can we ingest MDI logs to Splunk?

0 Karma

dsctm3
Path Finder

If you are trying to find the alerts coming from Microsoft Defender for Identity, you can gather the alerts via the MS Graph Plugin found here:

https://splunkbase.splunk.com/app/4564#Configuring-Microsoft-Graph-Security-data-inputs

0 Karma

ITWhisperer
SplunkTrust

What are MDI logs?

Where are they stored?

Do you have Splunk forwarders on there too?

There are a lot of unanswered questions about your environment and the potential ways that data can be ingested into Splunk. Have you ingested other data sources?

Can you modify these to include the MDI logs?

0 Karma

RishavAnand
New Member

"Splunk forwarders" are installed on the servers where the MDI sensor is installed.

So far, no ingestion has been done.

0 Karma

ITWhisperer
SplunkTrust

So, you need to configure the inputs for the forwarders so that they know where to look for the MDI logs.

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Admin/IntroGDI

0 Karma

RishavAnand
New Member

MDI logs are generated on the security.microsoft.com portal and are not present locally on the servers where the Splunk forwarders and MDI sensor are installed. There is a possibility with Sentinel [ https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration ] but we want to do this to Splunk.

We might not be able to install anything on the portal. Do we have a set of documentation available as to how to send the MDI logs from the security.microsoft.com portal to Splunk?

0 Karma

jconger
Splunk Employee

To get Microsoft Defender XDR data into Splunk, use the Splunk Add-on for Microsoft Security => https://splunkbase.splunk.com/app/6207

All the Microsoft Defender XDR incidents, alerts, entities, evidence, etc. are collected by this add-on.
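To make concrete why the answers above point at API-based add-ons rather than forwarder inputs, here is an added example (not from the thread and not code from either Splunk add-on) that takes a page of Microsoft Graph `security/alerts_v2` results, keeps only the alerts raised by Microsoft Defender for Identity, and shapes them into Splunk HEC events. The sample alert page, the index name and the sourcetype are constructed assumptions.

```python
# Added example: filter Graph Security alerts_v2 records down to MDI alerts and
# build Splunk HEC events from them. Not code from the thread or from any add-on.
import json
from datetime import datetime, timezone

# Constructed sample of one Graph /security/alerts_v2 page: two MDI alerts, one MDE alert.
SAMPLE_GRAPH_PAGE = {
    "value": [
        {"id": "da637b1e-0001", "title": "Suspected identity theft (pass-the-ticket)",
         "severity": "high", "status": "new", "serviceSource": "microsoftDefenderForIdentity",
         "createdDateTime": "2024-05-01T10:15:30Z"},
        {"id": "da637b1e-0002", "title": "Suspicious process executed",
         "severity": "medium", "status": "new", "serviceSource": "microsoftDefenderForEndpoint",
         "createdDateTime": "2024-05-01T10:16:00Z"},
        {"id": "da637b1e-0003", "title": "Account enumeration reconnaissance (LDAP)",
         "severity": "low", "status": "resolved", "serviceSource": "microsoftDefenderForIdentity",
         "createdDateTime": "2024-05-01T10:17:45.123Z"},
    ]
}

MDI_SOURCE = "microsoftDefenderForIdentity"  # serviceSource value Graph uses for MDI alerts


def graph_time_to_epoch(ts: str) -> float:
    """Convert a Graph ISO-8601 UTC timestamp (optional fractional seconds) to epoch seconds."""
    ts = ts.replace("Z", "+00:00")  # older Pythons' fromisoformat does not accept a trailing Z
    return datetime.fromisoformat(ts).astimezone(timezone.utc).timestamp()


def mdi_alerts_to_hec(page: dict, index: str = "msdefender") -> list:
    """Return HEC-ready events for the MDI alerts in one alerts_v2 page; other sources are dropped."""
    events = []
    for alert in page.get("value", []):
        if alert.get("serviceSource") != MDI_SOURCE:
            continue
        events.append({
            "time": graph_time_to_epoch(alert["createdDateTime"]),  # alert time, not ingest time
            "index": index,                              # assumed index name
            "source": "graph:security:alerts_v2",
            "sourcetype": "ms:graph:security:alert",     # assumed sourcetype, not an add-on's
            "event": alert,
        })
    return events


def hec_payload(events: list) -> str:
    """Serialize events as the newline-delimited JSON body HEC's /services/collector accepts."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


if __name__ == "__main__":
    print(hec_payload(mdi_alerts_to_hec(SAMPLE_GRAPH_PAGE)))
```

The add-ons on Splunkbase do the authentication, paging and checkpointing around this step; the point here is only that the data is pulled from the cloud API, so nothing on the sensor hosts needs to be forwarded.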
