Collect data from Microsoft Defender for Identity


See the changelog of the HTTP Listener here.

Overview

The following article outlines a basic data flow from Microsoft Defender for Identity to the Onum HTTP Listener.

Prerequisites

  • Administrative access to the Microsoft 365 Defender portal

Contact Onum to get the required JWT token, which you will need during the Listener setup.

You can also contact us if you cannot generate the required TLS certificates. Note that these certificates must be signed by a recognized Certificate Authority (CA). Self-signed certificates are not accepted.

Defender for Identity Setup

Microsoft Defender for Identity (MDI) can be configured to send logs to HTTP endpoints through SIEM integration. Here's how to set it up:

  1. Go to Settings > Endpoints > Advanced features

    • In the SIEM Integration section, enable SIEM integration.

  2. Set up the HTTP endpoint

    • Select Add SIEM connector

    • Choose Generic HTTP endpoint as the connector type

    • Enter your Onum ingestion URL (typically in the format https://[your-onum-tenant].onum.ai/api/ingest)

    • Configure the authentication method that the Listener will use to authenticate the connection. This article uses the Bearer method as the example.

    • Specify the log format (JSON is recommended)

  3. Configure log types

    • Select which MDI log types to forward (alerts, security events, etc.)

    • Set filtering options if needed

Onum Setup

  1. Log in to your Onum tenant and click Listeners > New listener.

  2. Double-click the HTTP Listener.

  3. Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

  4. In the Socket section, enter the required Port 443 (standard HTTPS).

  5. In the TLS configuration section, enter the required certificates (Certificate, Private key and CA chain).

  6. Choose No client certificate in the Client authentication method field.

  7. In the Authentication section, choose Bearer as the Authentication Type. Open the Token Secret field and click New secret to create a new one:

    • Give the token a Name.

    • Turn off the Expiration date option.

    • Click Add new value and paste the secret corresponding to the JWT token you received. Remember that this is the same token you add in the Zscaler configuration.

    • Click Save.


Learn more about secrets in Onum in this article.

  8. You can now select the secret you just created in the Token Secret field.

  9. In the Endpoint section, choose POST as the HTTP Method. The Request path field defines the endpoint that MDI will send data to, so it must match the path of the ingestion URL you entered in the SIEM connector.


  10. In the Message extraction section, choose Single event as body (full) in the Strategy field. You can leave the Extraction info field empty.

  11. In the General behavior section, set Propagate headers strategy to Allow.

  12. Configure the rest of the settings as required.

  13. Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.


Learn more about labels in this article.
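As an added example (not part of this article and not Onum's or Microsoft's code), the following Python script models the exchange configured above: the request shape the generic HTTP SIEM connector sends (POST over HTTPS, a bearer token, one JSON event as the full body) and the acceptance rules the Listener applies as set up in steps 4 to 10 (POST only, the configured request path, a valid bearer token, a single JSON event in the body). The tenant URL, the token value and the event are constructed placeholders; the real values come from your tenant and from Onum. It is useful for reasoning about why a misconfigured connector gets rejected before you look at live traffic.

```python
import hmac
import json
from urllib.parse import urlsplit

# Constructed placeholders: substitute your tenant URL and the JWT token Onum gave you.
INGEST_URL = "https://example-tenant.onum.ai/api/ingest"
EXPECTED_TOKEN = "constructed-jwt-token-placeholder"

# Constructed sample alert of the kind the connector forwards as JSON (not a real MDI record).
SAMPLE_EVENT = {
    "alertId": "sample-0001",
    "title": "Sample alert",
    "severity": "Medium",
    "source": "MDI",
}


def build_ingest_request(url, token, event):
    """Build the request the SIEM connector sends: POST, Bearer auth, one JSON event as body.

    Returns (method, path, headers, body). Plaintext URLs are refused because the
    Listener is reached on port 443 over TLS only.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("ingestion URL must use https; the Listener only accepts TLS on 443")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    body = json.dumps(event).encode("utf-8")
    return "POST", parts.path, headers, body


def check_ingest_request(method, path, headers, body, expected_path, expected_token):
    """Mirror of the Listener's acceptance rules from this article.

    Returns (status, event): 405 for a non-POST method, 404 for a path other than the
    configured Request path, 401 for a missing or wrong bearer token, 400 when the body
    is not a single JSON object, and 200 with the parsed event when everything matches.
    """
    if method != "POST":
        return 405, None
    if path != expected_path:
        return 404, None
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    scheme, _, presented = lowered.get("authorization", "").partition(" ")
    # Constant-time comparison so token checking does not leak timing information.
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode("utf-8"), expected_token.encode("utf-8")
    ):
        return 401, None
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    # "Single event as body (full)": the whole body must be exactly one JSON object.
    if not isinstance(event, dict):
        return 400, None
    return 200, event


if __name__ == "__main__":
    method, path, headers, body = build_ingest_request(INGEST_URL, EXPECTED_TOKEN, SAMPLE_EVENT)
    status, event = check_ingest_request(method, path, headers, body, "/api/ingest", EXPECTED_TOKEN)
    print(status, event)
```

The status codes are the model's own choices for illustrating each rejection path; the Listener's actual responses are not documented on this page. The point of the check function is the order of the checks: method and path first, then the bearer token compared in constant time, and only then the body parsed, so an unauthenticated sender never reaches the JSON parser.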

