Hello Rushikesh Kulkarni,
Thanks for reaching out, understand the scenario you’re trying to achieve here.
It sounds like you’re expecting Event Timeline entries (investigation-level events) to be forwarded via Syslog, but in Microsoft Defender for IoT this is not how forwarding is designed to work.
Why Event Timeline data is not forwarded
Syslog forwarding rules (even with Minimum Alert Level = Warning) only apply to:
- Security alerts
- Operational alerts
Event Timeline entries:
- Are part of the investigation view
- Represent raw / contextual activity data
- Are not classified as alerts
Because of this, timeline entries are not picked up by Syslog forwarding rules, regardless of severity settings.
Current behavior
Syslog forwarding in Defender for IoT is alert-driven, not event-stream driven. That’s why timeline data is not being sent to your Syslog server.
Options for accessing Event Timeline data
If you need deeper visibility beyond alerts, here are the recommended approaches:
1. Export Event Timeline to CSV
- Use the Export option from the Event Timeline page in the sensor console
- You can export filtered or full datasets for analysis
- Please refer to this: https://learn.microsoft.com/azure/defender-for-iot/organizations/how-to-track-sensor-activity#export-the-event-timeline-to-csv
2. Use Defender for IoT APIs
- You can programmatically retrieve event timeline data
- Useful for:
  - Custom reporting
  - Building your own forwarding logic
  - Integrating with external systems
3. Integrate with SIEM
- Forward alerts and related data into a SIEM like Microsoft Sentinel
- Build Analytics rules, Workbooks, Playbooks
- While timeline data itself isn’t directly forwarded, you can correlate alerts with additional context
- Please refer to these:
  - https://learn.microsoft.com/azure/defender-for-iot/organizations/how-to-forward-alert-information-to-partners
  - https://learn.microsoft.com/azure/defender-for-iot/organizations/integrations/send-cloud-data-to-partners
Your configuration is correct; this behavior is by design. However, for use cases like real-time monitoring or deeper investigation pipelines, this does highlight a gap in native forwarding capabilities.
I hope this helps. Do let me know if you have any further queries.
If this answers your query, please click Accept Answer and Yes for "Was this answer helpful?".
Thank you!
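To make option 2 (build your own forwarding logic on top of the sensor API) concrete, here is an added example that is not part of the answer above and not Microsoft's own tooling: it pulls Event Timeline entries from a sensor and emits each one as an RFC 5424 syslog line over UDP. The endpoint path is the one documented for the sensor API; the `minutesTimeFrame` query parameter, the bare token in the `Authorization` header, the event field names (`timestamp` in epoch milliseconds, `severity`, `title`, `content`) and the severity mapping are assumptions to verify against your sensor version.

```python
"""Added example: forward Defender for IoT sensor timeline events as syslog.
Assumptions (check against your sensor version): the /api/v1/events path,
the minutesTimeFrame parameter, a bare access token in the Authorization
header, and event fields timestamp (epoch ms), severity, title, content."""
import json
import socket
import urllib.request
from datetime import datetime, timezone

EVENTS_PATH = "/api/v1/events"
# Assumed sensor severity names mapped to syslog severity codes (RFC 5424).
SEVERITY_CODES = {"CRITICAL": 2, "MAJOR": 3, "MINOR": 4, "WARNING": 4, "INFO": 6}


def _http_get(url, headers):
    """Default transport: a plain GET returning the raw response body."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return resp.read()


def fetch_timeline_events(sensor_url, token, minutes=60, http_get=_http_get):
    """Return the list of timeline events from the last `minutes` minutes."""
    url = f"{sensor_url.rstrip('/')}{EVENTS_PATH}?minutesTimeFrame={minutes}"
    return json.loads(http_get(url, {"Authorization": token}))


def event_to_syslog(event, hostname="diot-sensor", facility=1):
    """Format one timeline event as an RFC 5424 message (facility 1 = user)."""
    severity = SEVERITY_CODES.get(str(event.get("severity", "")).upper(), 6)
    pri = facility * 8 + severity
    ts = datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc)
    # Collapse whitespace/newlines so one event stays on exactly one line.
    title = " ".join(str(event.get("title", "")).split())
    content = " ".join(str(event.get("content", "")).split())
    return f"<{pri}>1 {ts.isoformat()} {hostname} DefenderIoT - - - {title}: {content}"


def forward_events(events, syslog_host, syslog_port=514, send=None):
    """Send each event as a UDP syslog datagram; returns the lines sent."""
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send = lambda line: sock.sendto(line.encode(), (syslog_host, syslog_port))
    lines = [event_to_syslog(e) for e in events]
    for line in lines:
        send(line)
    return lines


if __name__ == "__main__":
    # Constructed sample event; in practice use fetch_timeline_events(sensor_url, token).
    sample = [{"timestamp": 1700000000000, "severity": "WARNING",
               "title": "PLC Stop", "content": "Stop command observed on the OT network"}]
    forward_events(sample, "127.0.0.1", send=print)
```

Run it on a schedule (for example every `minutes` minutes with the same window) and point `syslog_host` at the same collector your alert forwarding rule uses, so timeline context lands beside the alerts.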