Microsoft Sentinel's Microsoft 365 Defender connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information; they group, and are enriched by, alerts from Microsoft 365 Defender's component services (Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps), as well as alerts from other services such as Microsoft Purview Data Loss Prevention (DLP) and Azure Active Directory Identity Protection (AADIP).
The connector also lets you stream advanced hunting events from all of the above Defender components into Microsoft Sentinel. This allows you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.
Prerequisites
You must have a valid license for Microsoft 365 Defender, as described in Microsoft 365 Defender prerequisites.
Your user must be assigned the Global Administrator or Security Administrator role on the tenant you want to stream the logs from.
Your user must have read and write permissions on your Microsoft Sentinel workspace.
Prerequisites for Active Directory sync via MDI
Your tenant must be onboarded to Microsoft Defender for Identity.
You must have the MDI sensor installed.
Connect to Microsoft 365 Defender
In Microsoft Sentinel, select Data Connectors, select Microsoft 365 Defender (Preview) from the gallery and select the Open Connector page.
The Configuration section has three parts:
Connect incidents and alerts enables the basic integration between Microsoft 365 Defender and Microsoft Sentinel, synchronizing incidents and their alerts between the two platforms.
Connect entities enables the integration of on-premises Active Directory user identities into Microsoft Sentinel through Microsoft Defender for Identity.
Connect events enables the collection of raw advanced hunting events from Defender components.
Connect incidents and alerts
Select the Connect Incidents & alerts button to connect Microsoft 365 Defender incidents to your Microsoft Sentinel incidents queue.
If you see the check box labelled "Turn off all Microsoft incident creation rules for these products. Recommended.", mark it to avoid creating duplicate incidents.
To query Microsoft 365 Defender incident data, use the following statement in the query window (the pipe between the table name and the filter is required):
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
Connect entities
Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.
Verify that you've satisfied the prerequisites for syncing on-premises Active Directory users through Microsoft Defender for Identity (MDI).
Select the Go to the UEBA configuration page link.
In the Entity behaviour configuration page, if you haven't yet enabled UEBA, then at the top of the page, move the toggle to On.
Mark the Active Directory (Preview) check box and select Apply.
Defender Event Types
Defender for Endpoint Event Types
Table name | Events type
| Machine information, including OS information
| Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
| Process creation and related events
| Network connection and related events
| File creation, modification, and other file system events
| Creation and modification of registry entries
| Sign-ins and other authentication events on devices
| DLL loading events
| Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
| Certificate information of signed files obtained from certificate verification events on endpoints
Defender for O365 Event Types
Table name | Events type
| Information about files attached to emails
| Microsoft 365 email events, including email delivery and blocking events
| Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
| Information about URLs in emails
Defender for Identity Event Types
Table name | Events type
| Various identity-related events, like password changes, password expirations, and user principal name (UPN) changes, captured from an on-premises Active Directory domain controller. Also includes system events on the domain controller.
| Information about user accounts obtained from various services, including Azure Active Directory
| Authentication activities made through your on-premises Active Directory, as captured by Microsoft Defender for Identity. Authentication activities related to Microsoft online services, as captured by Microsoft Defender for Cloud Apps.
| Information about queries performed against Active Directory objects such as users, groups, devices, and domains
Defender for Cloud Apps Event Type
Table name | Events type
| Information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps
Defender Alerts
Table name | Events type
| Information about alerts from Microsoft 365 Defender components
| Information about various entities (files, IP addresses, URLs, users, devices) associated with alerts from Microsoft 365 Defender components
Verify data ingestion
The data graph on the connector page indicates that you are ingesting data. You'll notice that it shows one line each for incidents, alerts, and events, and the events line is an aggregation of event volume across all enabled tables. Once you have enabled the connector, you can use the following KQL queries to generate more specific graphs.
Use the following KQL query for a graph of the incoming Microsoft 365 Defender incidents:
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
Use the following KQL query to generate a graph of event volume for a single table (change the DeviceEvents table to the required table of your choosing):
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
DeviceEvents
| summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
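The two queries above check one data type at a time. The following KQL is an added example, not part of the connector page, that generalizes the per-table volume check: it unions every Defender advanced hunting table that the connector can populate (matched here by the Device*, Email*, Identity*, Alert* name prefixes plus CloudAppEvents, an assumption about which tables are enabled in your workspace) and flags tables that had data in the last 14 days but nothing in the most recent 24 hours, which is the usual sign of a silently broken event stream.

```kusto
// Added example: per-table ingestion health for Defender advanced hunting tables.
// Assumption: the wildcard prefixes match the event tables enabled on the connector.
let Now = now();
let Lookback = 14d;
// Most recent 24-hour bin, aligned to Now the same way the page's queries are.
let LastDayBin = bin_at(Now - 1d, 1d, Now);
// isfuzzy=true keeps the query running even if an explicitly named table
// (CloudAppEvents) is not present because that event type was never enabled.
union kind=outer withsource=TableName isfuzzy=true
    Device*, Email*, Identity*, CloudAppEvents, Alert*
| where TimeGenerated > ago(Lookback)
// Daily volume per table, binned exactly like the connector page's charts.
| summarize Count = count() by TableName, Day = bin_at(TimeGenerated, 1d, Now)
| summarize
    TotalCount = sum(Count),
    DaysWithData = dcount(Day),
    LastDayCount = sumif(Count, Day == LastDayBin)
    by TableName
// A table that streamed during the window but sent nothing in the last 24 hours
// is the case worth investigating; a table that never appears at all has had
// no rows in the whole window and will not show up in this result.
| extend Status = iff(LastDayCount == 0, "Silent in last 24h", "OK")
| project TableName, Status, LastDayCount, DaysWithData, TotalCount
| sort by Status asc, TotalCount desc
```

Compare the TableName column against the event types you enabled on the connector: any enabled table missing from the result, or marked "Silent in last 24h", points to a connector or licensing issue rather than a quiet environment.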
In the Next Steps tab, you’ll find some useful workbooks, sample queries, and analytics rule templates that have been included. You can run them on the spot or modify and save them.