File changed: articles/sentinel/connect-microsoft-365-defender.md (7 additions & 6 deletions)
@@ -20,15 +20,16 @@ The Microsoft Defender XDR connector for Microsoft Sentinel allows you to stream
20
20
21
21
Before you begin, you must have the appropriate licensing, access, and configured resources described in this section.
22
22
23
-
- You must have a valid license for Microsoft Defender XDR, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites).
23
+
- You must have a valid license for Microsoft Defender XDR, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites).
24
+
- Your user account must be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) or [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) roles on the tenant you want to stream the logs from.
25
+
- You must have read and write permissions on your Microsoft Sentinel workspace.
24
26
- To make any changes to the connector settings, your account must be a member of the same Microsoft Entra tenant with which your Microsoft Sentinel workspace is associated.
25
27
- Install the solution for **Microsoft Defender XDR** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
26
28
- Grant access to Microsoft Sentinel as appropriate for your organization. For more information, see [Roles and permissions in Microsoft Sentinel](roles.md).
27
29
28
30
For on-premises Active Directory sync via Microsoft Defender for Identity:
29
31
30
32
- Your tenant must be onboarded to Microsoft Defender for Identity.
31
-
32
33
- You must have the Microsoft Defender for Identity sensor installed.
33
34
34
35
## Connect to Microsoft Defender XDR
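Review bot: the new role bullet names Global Administrator alongside Security Administrator as acceptable; since Security Administrator is the narrower of the two, the prerequisite should steer readers to it and present Global Administrator only as the fallback, in keeping with least privilege. Two smaller points in the same hunk: the bullet reads "assigned the ... or ... roles on the tenant", which should be singular ("role"), and the new "read and write permissions on your Microsoft Sentinel workspace" bullet overlaps with the later "Grant access to Microsoft Sentinel as appropriate" bullet that already links to roles.md, so either merge the two or have the new bullet name the specific Sentinel role required rather than generic read/write permissions. The removed-then-re-added licensing line appears byte-identical, so check that it is not a stray whitespace-only change.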
@@ -102,13 +103,13 @@ If you want to collect advanced hunting events from Microsoft Defender for Endpo
102
103
|**[EmailEvents](/microsoft-365/security/defender/advanced-hunting-emailevents-table)**| Microsoft 365 email events, including email delivery and blocking events |
103
104
|**[EmailPostDeliveryEvents](/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table)**| Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox |
104
105
|**[EmailUrlInfo](/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table)**| Information about URLs on emails |
106
+
|**[UrlClickEvents](/defender-xdr/advanced-hunting-urlclickevents-table)**|Events involving URLs clicked, selected, or requested on Microsoft Defender for Office 365|
105
107
106
108
# [Defender for Identity](#tab/MDI)
107
109
108
110
| Table name | Events type |
109
111
|-|-|
110
112
|**[IdentityDirectoryEvents](/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table)**| Various identity-related events, like password changes, password expirations, and user principal name (UPN) changes, captured from an on-premises Active Directory domain controller<br><br>Also includes system events on the domain controller |
111
-
|**[IdentityInfo](/microsoft-365/security/defender/advanced-hunting-identityinfo-table)**| Information about user accounts obtained from various services, including Microsoft Entra ID |
112
113
|**[IdentityLogonEvents](/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table)**| Authentication activities made through your on-premises Active Directory, as captured by Microsoft Defender for Identity <br><br>Authentication activities related to Microsoft online services, as captured by Microsoft Defender for Cloud Apps |
113
114
|**[IdentityQueryEvents](/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table)**| Information about queries performed against Active Directory objects such as users, groups, devices, and domains |
114
115
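Review bot: the added UrlClickEvents row links to /defender-xdr/advanced-hunting-urlclickevents-table while every other row in this table uses the /microsoft-365/security/defender/... path; confirm the new path resolves in the docs build, or align it with the neighbouring rows so the table does not mix two link bases. The row is otherwise placed correctly, after EmailUrlInfo at the end of the Office 365 table.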
@@ -122,14 +123,14 @@ If you want to collect advanced hunting events from Microsoft Defender for Endpo
122
123
123
124
| Table name | Events type |
124
125
|-|-|
125
-
|**[AlertInfo](/microsoft-365/security/defender/advanced-hunting-alertinfo-table)**|Information about alerts from Microsoft Defender XDR components |
126
-
|**[AlertEvidence](/microsoft-365/security/defender/advanced-hunting-alertevidence-table)**| Information about various entities - files, IP addresses, URLs, users, devices - associated with alerts from Microsoft Defender XDR components|
126
+
|**[AlertInfo](/microsoft-365/security/defender/advanced-hunting-alertinfo-table)**|Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization|
127
+
|**[AlertEvidence](/microsoft-365/security/defender/advanced-hunting-alertevidence-table)**| Information about various entities - files, IP addresses, URLs, users, devices - associated with alerts from Microsoft Defender XDR components|
127
128
128
129
---
129
130
130
131
1. Select **Apply Changes**.
131
132
132
-
1.To query the advanced hunting tables in Log Analytics, enter the table name in the query window.
133
+
To run a query in the advanced hunting tables in Log Analytics, enter the table name in the query window.
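Review bot: the rewritten AlertInfo description names "Microsoft Cloud App Security", but the unchanged IdentityLogonEvents row earlier in the same file uses the current name "Microsoft Defender for Cloud Apps"; use the current product name here so readers correlating AlertInfo rows with the other tables are not confused by two names for one source. The AlertEvidence line is removed and re-added unchanged, which looks like a whitespace-only change worth dropping. For the last change, "To run a query in the advanced hunting tables in Log Analytics" is awkward; "To query the advanced hunting tables in Log Analytics" (the original wording without the stray "1.") reads better, and dropping the list marker is right since this sentence is not a step.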