Merge pull request #225852 from yelevin/yelevin/m365d-connector-ga

Microsoft 365 Defender integration to GA

Author: American-Dipper

articles/sentinel/connect-microsoft-365-defender.md

@@ -2,10 +2,9 @@
 title: Connect Microsoft 365 Defender data to Microsoft Sentinel| Microsoft Docs
 description: Learn how to ingest incidents, alerts, and raw event data from Microsoft 365 Defender into Microsoft Sentinel.
 author: yelevin
-ms.topic: conceptual
-ms.date: 03/23/2022
 ms.author: yelevin
-ms.service: microsoft-sentinel
+ms.topic: conceptual
+ms.date: 02/01/2023
 ---
 
 # Connect data from Microsoft 365 Defender to Microsoft Sentinel
@@ -20,7 +19,7 @@ For more information about incident integration and advanced hunting event colle
 
 > [!IMPORTANT]
 >
-> The Microsoft 365 Defender connector is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+> The Microsoft 365 Defender connector is now generally available!
 
 ## Prerequisites
 
@@ -30,6 +29,8 @@ For more information about incident integration and advanced hunting event colle
 
 - Your user must have read and write permissions on your Microsoft Sentinel workspace.
 
+- To make any changes to the connector settings, your user must be a member of the same Azure Active Directory tenant with which your Microsoft Sentinel workspace is associated.
+
 ### Prerequisites for Active Directory sync via MDI
 
 - Your tenant must be onboarded to Microsoft Defender for Identity.
@@ -38,7 +39,7 @@ For more information about incident integration and advanced hunting event colle
 
 ## Connect to Microsoft 365 Defender
 
-In Microsoft Sentinel, select **Data connectors**, select **Microsoft 365 Defender (Preview)** from the gallery and select **Open connector page**.
+In Microsoft Sentinel, select **Data connectors**, select **Microsoft 365 Defender** from the gallery and select **Open connector page**.
 
 The  **Configuration** section has three parts:
 

articles/sentinel/microsoft-365-defender-cloud-support.md

@@ -2,9 +2,9 @@
 title: Support for Microsoft 365 Defender connector data types in Microsoft Sentinel for different clouds (GCC environments)
 description: This article describes support for different Microsoft 365 Defender connector data types in Microsoft Sentinel across different clouds, including Commercial, GCC, GCC-High, and DoD.
 author: limwainstein
-ms.topic: reference
-ms.date: 11/14/2022
 ms.author: lwainstein
+ms.topic: reference
+ms.date: 02/01/2023
 ---
 
 # Support for Microsoft 365 Defender connector data types in different clouds
@@ -13,64 +13,88 @@ The type of cloud your environment uses affects Microsoft Sentinel's ability to
 
 Read more about [data type support for different clouds in Microsoft Sentinel](data-type-cloud-support.md).
 
-## Microsoft Defender for Endpoint
+## Connector data
+
+### Incidents
+
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| ----------------- | ------------------- | -------------- |
+| **Incidents** | Generally available | Generally available |
+
+### Alerts
+
+#### From Microsoft 365 Defender
+
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| ----------------- | ------------------- | -------------- |
+| **Microsoft 365 Defender alerts: *SecurityAlert*** | Generally available | Public preview |
+
+#### From standalone component connectors
+
+| Data type         | Commercial | GCC | GCC-High / DoD            |
+| ----------------- | ---------- | --- | ------------------------- |
+| **Microsoft Defender for Endpoint: *SecurityAlert (MDATP)*** | Generally available | Generally available | Generally available |
+| **Microsoft Defender for Office 365: *SecurityAlert (OATP)*** | Public preview | Public preview | Public preview |
+| **Microsoft Defender for Identity: *SecurityAlert (AATP)*** | Generally available | Unsupported | Unsupported |
+| **Microsoft Defender for Cloud Apps: *SecurityAlert (MCAS)*** | Generally available | Generally available | Unsupported |
+| **Microsoft Defender for Cloud Apps: *McasShadowItReporting*** | Generally available | Generally available | Unsupported |
+
+## Raw event data
+
+### Microsoft Defender for Endpoint
 
-|Data type  |Commercial  |GCC  |GCC-High |DoD |
-|---------|---------|---------|---------|---------|
-|DeviceInfo     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceNetworkInfo     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceProcessEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</ul></li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceNetworkEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |
-|DeviceFileEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceRegistryEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceLogonEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceImageLoadEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
-|DeviceFileCertificateInfo     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| --------- | ---------------- | -------------- |
+| **DeviceInfo** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceNetworkInfo** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceProcessEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceNetworkEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceFileEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceRegistryEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceLogonEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceImageLoadEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
+| **DeviceFileCertificateInfo** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |
 
-## Microsoft Defender for Identity
+### Microsoft Defender for Identity
 
-|Data type  |Commercial  |GCC  |GCC-High |DoD |
-|---------|---------|---------|---------|---------|
-|IdentityDirectoryEvents |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |Unsupported |Unsupported |Unsupported |
-IdentityLogonEvents|<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |Unsupported |Unsupported |Unsupported |
-IdentityQueryEvents|<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |Unsupported |Unsupported |Unsupported |
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| --------------------------- | ------------------- | ----------- |
+| **IdentityDirectoryEvents** | Generally available | Unsupported |
+| **IdentityLogonEvents**     | Generally available | Unsupported |
+| **IdentityQueryEvents**     | Generally available | Unsupported |
 
-## Microsoft Defender for Cloud Apps
+### Microsoft Defender for Cloud Apps
 
-|Data type  |Commercial  |GCC  |GCC-High |DoD |
-|---------|---------|---------|---------|---------|
-|CloudAppEvents |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |Unsupported |Unsupported |Unsupported |
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| ------------------ | ------------------- | ----------- |
+| **CloudAppEvents** | Generally available | Unsupported |
 
-## Microsoft 365 Defender incidents
+### Microsoft Defender for Office 365
 
-|Data type  |Commercial  |GCC  |GCC-High |DoD |
-|---------|---------|---------|---------|---------|
-|SecurityIncident |Microsoft Sentinel: Public Preview |Microsoft Sentinel: Public Preview |Microsoft Sentinel: Public Preview |Microsoft Sentinel: Public Preview |
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| --------------------------- | ------------------- | -------------- |
+| **EmailEvents**             | Generally available | Public preview |
+| **EmailAttachmentInfo**     | Generally available | Public preview |
+| **EmailUrlInfo**            | Generally available | Public preview |
+| **EmailPostDeliveryEvents** | Generally available | Public preview |
+| **UrlClickEvents**          | Generally available | Public preview |
 
-## Alerts
+### Alerts
 
-|Connector/Data type  |Commercial  |GCC  |GCC-High |DoD |
-|---------|---------|---------|---------|---------|
-|Microsoft 365 Defender Alerts: SecurityAlert |Public Preview |Public Preview |Public Preview |Public Preview |
-|Microsoft Defender for Endpoint Alerts (standalone connector): SecurityAlert (MDATP) |Public Preview |Public Preview |Public Preview |Public Preview |
-| Microsoft Defender for Office 365 Alerts (standalone connector):	SecurityAlert (OATP) |Public Preview |Public Preview |Public Preview |Public Preview |
-Microsoft Defender for Identity Alerts (standalone connector):	SecurityAlert (AATP) |Public Preview |Unsupported |Unsupported |Unsupported |
-Microsoft Defender for Cloud Apps Alerts (standalone connector): 	SecurityAlert (MCAS), |Public Preview |Unsupported |Unsupported |Unsupported |
-|Microsoft Defender for Cloud Apps Alerts (standalone connector):	McasShadowItReporting |Public Preview |Unsupported |Unsupported |Unsupported |
+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |
+| ----------------- | ------------------- | -------------- |
+| **AlertInfo**     | Generally available | Public preview |
+| **AlertEvidence** | Generally available | Public preview |
 
-## Azure Active Directory Identity Protection
 
-|Data type  |Commercial  |GCC  |GCC-High |DoD |
-|---------|---------|---------|---------|---------|
-|SecurityAlert (IPC) |Public Preview/GA |Supported |Supported |Supported |
-|AlertEvidence |Public Preview |Unsupported |Unsupported |Unsupported |
 
 ## Next steps
 
 In this article, you learned which Microsoft 365 Defender connector data types are supported in Microsoft Sentinel for different cloud environments.
 
 - Read more about [GCC environments in Microsoft Sentinel](data-type-cloud-support.md).
-- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
+- Learn about [Microsoft 365 Defender integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md).
+- Learn how to [get visibility into your data and potential threats](get-visibility.md).
 - Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
 - [Use workbooks](monitor-your-data.md) to monitor your data.

articles/sentinel/microsoft-365-defender-sentinel-integration.md

@@ -2,10 +2,9 @@
 title: Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Docs
 description: Learn how using Microsoft 365 Defender together with Microsoft Sentinel lets you use Microsoft Sentinel as your universal incidents queue while seamlessly applying Microsoft 365 Defender's strengths to help investigate Microsoft 365 security incidents. Also, learn how to ingest Defender components' advanced hunting data into Microsoft Sentinel.
 author: yelevin
-ms.topic: conceptual
-ms.date: 03/23/2022
 ms.author: yelevin
-ms.service: microsoft-sentinel
+ms.topic: conceptual
+ms.date: 02/01/2023
 ---
 
 # Microsoft 365 Defender integration with Microsoft Sentinel
@@ -14,10 +13,10 @@ Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/micros
 
 This integration gives Microsoft 365 security incidents the visibility to be managed from within Microsoft Sentinel, as part of the primary incident queue across the entire organization, so you can see – and correlate – Microsoft 365 incidents together with those from all of your other cloud and on-premises systems. At the same time, it allows you to take advantage of the unique strengths and capabilities of Microsoft 365 Defender for in-depth investigations and a Microsoft 365-specific experience across the Microsoft 365 ecosystem. Microsoft 365 Defender enriches and groups alerts from multiple Microsoft 365 products, both reducing the size of the SOC’s incident queue and shortening the time to resolve. The component services that are part of the Microsoft 365 Defender stack are:
 
-- **Microsoft Defender for Endpoint** (formerly Microsoft Defender ATP)
-- **Microsoft Defender for Identity** (formerly Azure ATP)
-- **Microsoft Defender for Office 365** (formerly Office 365 ATP)
-- **Microsoft Defender for Cloud Apps** (formerly Microsoft Cloud App Security)
+- **Microsoft Defender for Endpoint (MDE)**
+- **Microsoft Defender for Identity (MDI)**
+- **Microsoft Defender for Office 365 (MDO)**
+- **Microsoft Defender for Cloud Apps (MDA)**
 
 Other services whose alerts are collected by Microsoft 365 Defender include:
 
@@ -27,7 +26,7 @@ Other services whose alerts are collected by Microsoft 365 Defender include:
 In addition to collecting alerts from these components and other services, Microsoft 365 Defender generates alerts of its own. It creates incidents from all of these alerts and sends them to Microsoft Sentinel.
 
 > [!IMPORTANT]
-> The Microsoft 365 Defender connector is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+> The Microsoft 365 Defender connector is now generally available!
 
 ## Common use cases and scenarios
 
@@ -58,9 +57,6 @@ Once the Microsoft 365 Defender integration is connected, the connectors for all
 
 - To avoid creating duplicate incidents for the same alerts, we recommend that customers turn off all **Microsoft incident creation rules** for Microsoft 365 Defender-integrated products (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Azure Active Directory Identity Protection) when connecting Microsoft 365 Defender. This can be done by disabling incident creation in the connector page. Keep in mind that if you do this, any filters that were applied by the incident creation rules will not be applied to Microsoft 365 Defender incident integration.
 
-    > [!NOTE]
-    > All Microsoft Defender for Cloud Apps alert types are now being onboarded to Microsoft 365 Defender.
-
 ## Working with Microsoft 365 Defender incidents in Microsoft Sentinel and bi-directional sync
 
 Microsoft 365 Defender incidents will appear in the Microsoft Sentinel incidents queue with the product name **Microsoft 365 Defender**, and with similar details and functionality to any other Sentinel incidents. Each incident contains a link back to the parallel incident in the Microsoft 365 Defender portal.
@@ -89,4 +85,5 @@ The Microsoft 365 Defender connector also lets you stream **advanced hunting** e
 In this document, you learned how to benefit from using Microsoft 365 Defender together with Microsoft Sentinel, using the Microsoft 365 Defender connector.
 
 - Get instructions for [enabling the Microsoft 365 Defender connector](connect-microsoft-365-defender.md).
-- Create [custom alerts](detect-threats-custom.md) and [investigate incidents](investigate-cases.md).
+- Check [availability of different Microsoft 365 Defender data types](microsoft-365-defender-cloud-support.md) in the different Microsoft 365 and Azure clouds.
+- Create [custom alerts](detect-threats-custom.md) and [investigate incidents](investigate-incidents.md).