Integrate with Syslog
The experience described in this page can also be accessed at https://security.microsoft.com as part of Microsoft 365 Defender. The supporting documents for the new experience can be found here. For more information about Microsoft Defender for Identity and when other features will be available in Microsoft 365 Defender, see Microsoft Defender for Identity in Microsoft 365 Defender.
Microsoft Defender for Identity can notify you when it detects suspicious activities by sending security and health alerts to your Syslog server through a nominated sensor.
Once you enable Syslog notifications, you can set the following:
| Setting | Description |
|---|---|
| Sensor | Select a designated sensor to be responsible for aggregating all the Syslog events and forwarding them to your SIEM server. |
| Service endpoint | IP address or DNS name of the Syslog server and, optionally, a changed port number (default 514). You can configure only one Syslog endpoint. |
| Transport | Can be UDP, TCP, or TLS (Secured Syslog). |
| Format | The format that Defender for Identity uses to send events to the SIEM server: either RFC 5424 or RFC 3164. |
Before configuring Syslog notifications, work with your SIEM admin to find out the following information:
- FQDN or IP address of the SIEM server
- Port on which the SIEM server is listening
- What transport to use: UDP, TCP, or TLS (Secured Syslog)
- Format in which to send the data: RFC 3164 or RFC 5424
1. Open the Defender for Identity portal.
2. From the Notifications and Reports submenu, select Notifications.
3. From the Syslog Service option, click Configure.
4. Select the Sensor.
5. Enter the Service endpoint URL.
6. Select the Transport protocol (TCP or UDP).
7. Select the format (RFC 3164 or RFC 5424).
8. Select Send test Syslog message and then verify the message is received in your Syslog infrastructure solution.
To review or modify your Syslog settings, click Notifications, and then, under Syslog notifications, click Configure and enter the following information:
You can select which events to send to your Syslog server. Under Syslog notifications, specify which notifications should be sent to your Syslog server - new security alerts, updated security alerts, and new health issues.
If you plan to create automation or scripts for Defender for Identity SIEM logs, we recommend using the externalId field to identify the alert type instead of using the alert name for this purpose. Alert names may occasionally be modified, while the externalId of each alert is permanent. For more information, see Defender for Identity SIEM log reference.
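As an added illustration of that last point (example code written for this page, not part of the Microsoft documentation or product): a small Python parser that accepts a forwarded line in either framing the Format setting offers (RFC 5424 or RFC 3164), pulls the alert fields out of the CEF payload, and keys automation on externalId rather than on the alert name, so a renamed alert still lands under the same key. It assumes the SIEM log payload is CEF (as described in the SIEM log reference, not restated on this page); the sample lines, the vendor/product fields, the externalId 1234 and the alert names are constructed placeholders.

```python
import re
# Header patterns for the two framings the Syslog "Format" setting offers (RFC 5424 / RFC 3164).
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ "
                     r"(?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$", re.S)
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<msg>.*)$", re.S)
def parse_cef_extension(ext: str) -> dict:
    """Split 'k=v k2=value with spaces' into a dict; '\\=' inside a value is an escaped '='."""
    pairs = re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext, re.S)
    return {m.group(1): m.group(2).replace(r"\=", "=").strip() for m in pairs}
def parse_line(line: str) -> dict:
    """Parse one forwarded line in either framing and pull the CEF alert fields out of it."""
    for fmt, rx in (("RFC5424", RFC5424), ("RFC3164", RFC3164)):
        m = rx.match(line.rstrip("\r\n"))
        if m:
            break
    else:
        raise ValueError("not an RFC 5424 or RFC 3164 syslog line")
    msg = m.group("msg")
    if not msg.startswith("CEF:"):
        raise ValueError("payload is not CEF")
    # Seven '|'-separated header fields precede the extension; '\|' is an escaped pipe.
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return {"header_format": fmt, "host": m.group("host"), "signature_id": parts[4],
            "name": parts[5], "severity": parts[6], "extension": parse_cef_extension(parts[7])}

def alert_key(alert: dict) -> str:
    """Stable key for automation: the externalId, never the renamable alert name."""
    if "externalId" not in alert["extension"]:
        raise ValueError("alert carries no externalId; refusing to key on the name")
    return alert["extension"]["externalId"]

def group_by_external_id(lines) -> dict:
    """externalId -> alert names seen with it: a renamed alert is two names under one key."""
    groups: dict = {}
    for line in lines:
        alert = parse_line(line)
        groups.setdefault(alert_key(alert), []).append(alert["name"])
    return groups

# Constructed sample lines, not real Defender for Identity output: the vendor/product
# fields, externalId 1234 and the alert names are placeholders.
SAMPLES = [
    "<14>1 2024-05-01T10:15:30.000Z mdi-sensor01 MDI 1234 - - CEF:0|Microsoft|MDI|2.0|1234|"
    "Example alert name|5|externalId=1234 start=2024-05-01T10:15:30.000Z suser=jdoe",
    "<14>May  1 10:15:31 mdi-sensor01 CEF:0|Microsoft|MDI|2.0|1234|Example alert name (renamed)"
    "|5|externalId=1234 start=2024-05-01T10:15:31.000Z suser=jdoe",
]
```

Running `group_by_external_id(SAMPLES)` collapses both lines to the single key `"1234"` even though the alert name differs between them.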