I have tried to integrate MS Defender with Elastic and am unable to get the logs into Elastic. I have followed the standard guideline given in the Elastic documentation. Has anyone faced the same issue?
Could you describe the steps you've performed to integrate MS Defender with Elastic? It's also important to know your setup. Do you have Elastic Security deployed in Elastic Cloud or on-premises? What Kibana version do you use? Which integration and which version have you installed? Have you created an agent policy with the MS Defender integration configuration? Are you sure that policy has been picked up by the agents?
Are any error messages returned? In Kibana > Discover, if you are using the integration with Elastic Agent, select the logs-* data stream and, in the search bar, type event.module: "namemodule". Press the W key to list the modules and see if any error messages appear. As an example, I am collecting logs from the Office 365 integration; in the search bar, it would be event.module: "o365".
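The same check as the Discover search above, expressed as an Elasticsearch query DSL request over logs-* and narrowed to documents that carry an error.message, so the ingestion errors of one integration can be counted per event.dataset. This is an added example, not code from the thread or from Elastic; the module name microsoft_defender_endpoint is an assumption (use whatever your integration writes into event.module), and the sample response below is constructed.

```python
import json

# Assumed event.module value for the Defender integration (not stated in the thread).
DEFAULT_MODULE = "microsoft_defender_endpoint"


def build_error_query(module: str = DEFAULT_MODULE, size: int = 20) -> dict:
    """Query DSL equivalent of Discover's  event.module: "<module>"  on logs-*,
    restricted to events that have an error.message, newest first, with a
    terms aggregation on event.dataset (a keyword field, so it aggregates)."""
    return {
        "size": size,
        "_source": ["@timestamp", "event.dataset", "error.message"],
        "query": {"bool": {"filter": [
            {"term": {"event.module": module}},
            {"exists": {"field": "error.message"}},
        ]}},
        "sort": [{"@timestamp": "desc"}],
        "aggs": {"per_dataset": {"terms": {"field": "event.dataset", "size": 10}}},
    }


def summarize_errors(response: dict) -> dict:
    """Collapse a _search reply into {event.dataset: {error.message: count}}
    from the hits' _source (error.message is text, so it is not aggregated)."""
    summary: dict = {}
    for hit in response.get("hits", {}).get("hits", []):
        src = hit["_source"]
        dataset = src.get("event", {}).get("dataset", "unknown")
        message = src.get("error", {}).get("message", "")
        per_ds = summary.setdefault(dataset, {})
        per_ds[message] = per_ds.get(message, 0) + 1
    return summary


# Constructed sample, shaped like a GET logs-*/_search reply (not real output).
SAMPLE_RESPONSE = {"hits": {"total": {"value": 3}, "hits": [
    {"_source": {"event": {"dataset": "microsoft_defender_endpoint.log"},
                 "error": {"message": "oauth2 client: error getting token"}}},
    {"_source": {"event": {"dataset": "microsoft_defender_endpoint.log"},
                 "error": {"message": "oauth2 client: error getting token"}}},
    {"_source": {"event": {"dataset": "microsoft_defender_endpoint.log"},
                 "error": {"message": "failed to parse field [@timestamp]"}}},
]}}

if __name__ == "__main__":
    # Send build_error_query() as the body of POST logs-*/_search, then summarize.
    print(json.dumps(build_error_query(), indent=2))
    print(summarize_errors(SAMPLE_RESPONSE))
```

A repeated token error points at the integration's credentials or tenant settings; a parse error points at the pipeline, while an empty result with no hits at all usually means the agent policy was never applied.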