Blumira can integrate with Microsoft Defender for Identity to receive the alert notifications it generates. Follow the instructions below to forward your Defender for Identity logs to Blumira for threat detection and reporting.
To forward logs from Defender for Identity, use the following steps:
- Log in to https://portal.atp.azure.com/.
- Click the gear icon.
- Click Settings.
- From the Notifications and Reports submenu, select Notifications.
- From the Syslog Service option, click Configure.
- From the Sensor dropdown, select the sensor that will send the syslog messages.
- Enter the IP address of your Blumira sensor.
- Select the Transport protocol (TCP or UDP).
- For the Format, select RFC 5424.
- Click Send test Syslog message, then verify that the message is received by your syslog infrastructure (in this setup, the Blumira sensor).
- Click Save.
Note: Within 20 minutes of the test message being processed, a new data source named 'Azure ATP' appears in the report builder. This is the data source you'll use to query your Defender for Identity logs.
See Integrate with Syslog for syslog configuration information.
See Microsoft Defender for Identity SIEM log reference for details regarding log format and alert examples.
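If you want to confirm that the sensor really emits RFC 5424 before relying on the report builder, the following Python script can receive a single test message on a scratch host and sanity-check its header fields (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, STRUCTURED-DATA, MSG). It is an added example, not Blumira's or Microsoft's own tooling. The sample message, the app name AzureATP, and the port 514 are constructed assumptions for illustration; the real message content is documented in Microsoft's SIEM log reference linked above.

```python
"""Receive one syslog message and check that it is well-formed RFC 5424.

Added example (not Blumira's or Microsoft's code). The sample message
below is constructed; real Defender for Identity content is documented
in Microsoft's SIEM log reference.
"""
import re
import socket

# RFC 5424 layout: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP
# PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]. STRUCTURED-DATA is either
# "-" or one or more [..] elements; this simplified pattern does not handle
# escaped "]" inside SD-PARAM values, which is fine for a sanity check.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2})\s"
    r"(?P<timestamp>\S+)\s(?P<hostname>\S+)\s(?P<appname>\S+)\s"
    r"(?P<procid>\S+)\s(?P<msgid>\S+)\s"
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?:\s(?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed sample (not a real Defender for Identity message).
# PRI 13 decodes to facility 1 (user-level) and severity 5 (notice).
SAMPLE = (
    "<13>1 2024-05-01T12:00:00.000Z sensor01 AzureATP - - - "
    "Test message from Defender for Identity sensor"
)


def parse_rfc5424(raw: str) -> dict:
    """Split an RFC 5424 message into its header fields; raise on malformed input."""
    m = _HEADER.match(raw.strip())
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % raw[:80])
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # max facility 23 * 8 + severity 7
        raise ValueError("PRI out of range: %d" % pri)
    fields["pri"] = pri
    fields["version"] = int(fields["version"])
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    return fields


def check_test_message(raw: str) -> list:
    """Return a list of problems; an empty list means the message looks valid."""
    try:
        fields = parse_rfc5424(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if fields["version"] != 1:
        problems.append("unexpected VERSION %d (RFC 5424 is version 1)" % fields["version"])
    ts = fields["timestamp"]
    if ts != "-" and not re.match(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", ts):
        problems.append("TIMESTAMP is not RFC 3339: %s" % ts)
    if fields["hostname"] == "-":
        problems.append("HOSTNAME is NILVALUE; the sending sensor cannot be identified")
    if not fields["msg"]:
        problems.append("empty MSG body")
    return problems


def receive_one(port: int = 514, proto: str = "udp", timeout: float = 60.0,
                bind: str = "0.0.0.0") -> str:
    """Wait for one syslog datagram or TCP connection and return its raw text.

    Run this on a scratch host pointed to by the Defender for Identity
    Syslog Service settings to see exactly what the sensor sends. Port 514
    is an assumption; use whatever port your receiver listens on.
    """
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.bind((bind, port))
            data, _ = s.recvfrom(65535)
            return data.decode("utf-8", errors="replace")
    if proto == "tcp":
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.bind((bind, port))
            s.listen(1)
            conn, _ = s.accept()
            with conn:
                conn.settimeout(timeout)
                data = conn.recv(65535)
            return data.decode("utf-8", errors="replace")
    raise ValueError("proto must be 'udp' or 'tcp'")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # receive_one(...) to check a live test message instead.
    print(parse_rfc5424(SAMPLE))
    print("problems:", check_test_message(SAMPLE) or "none")
```

Run it with `sudo` if you bind to a privileged port such as 514, and note that TCP syslog senders may prefix each message with an octet count or append a newline; `check_test_message` tolerates trailing whitespace but not an octet-count prefix, so strip that first if your receiver shows one.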