Integrate Microsoft Defender for Identity with Syslog (SIEM)

Microsoft Defender for Identity (MDI) can be easily integrated with your Syslog server. You can be notified of new suspicious activities by sending security and health alerts to your Syslog server.

The following details are required to complete the configuration:

  • FQDN or IP address of the SIEM server
  • Port on which the SIEM server is listening
  • What transport to use: UDP, TCP, or TLS (Secured Syslog)
  • Format in which to send the data RFC 3164 or 5424

To configure the Syslog settings, open the MDI Portal and open the Configuration menu. In this menu, select Notifications and then configure.

Once the settings are configured and saved, you can specify which events to send to your Syslog server:

  • New security alerts
  • Updated security alerts
  • Health issues

Nominated Sensor

You will need to select one of your sensors (Domain Controller) during the initial configuration. This will be your nominated sensor.

MDI is a cloud solution thus you don’t have a server on premise like you would have when using Advanced Threat Analytics for example. The MDI events won’t be sent from Azure to your Syslog server directly. This is the reason for the nominated sensor. The selected sensor will collect the data from the backend (which is in Azure) and send this to your Syslog server.


As you can see it is an easy process to configure Syslog integration from the MDI Portal. Integration allows you to send the MDI alerts to your Syslog server using a single sensor (Domain Controller).

Refer to the links section below for the Microsoft Docs article on Syslog integration and the Microsoft Defender for Identity forum


Setting Syslog settings in Microsoft Defender for Identity | Microsoft Docs

Microsoft Defender for Identity – Microsoft Tech Community