articles/sentinel/connect-microsoft-365-defender.md
Lines changed: 10 additions & 4 deletions
@@ -51,9 +51,14 @@ These are explained in greater detail below. See [Microsoft 365 Defender integra
51
51
52
52
### Connect incidents and alerts
53
53
54
-
Select the **Connect incidents & alerts** button to connect Microsoft 365 Defender incidents to your Microsoft Sentinel incidents queue.
54
+
To ingest and synchronize Microsoft 365 Defender incidents, with all their alerts, to your Microsoft Sentinel incidents queue:
55
+
56
+
1. Mark the check box labeled **Turn off all Microsoft incident creation rules for these products. Recommended**, to avoid duplication of incidents.
57
+
58
+
(This check box will not appear once the Microsoft 365 Defender connector is connected.)
59
+
60
+
1. Select the **Connect incidents & alerts** button.
55
61
56
-
If you see a check box labeled **Turn off all Microsoft incident creation rules for these products. Recommended**, mark it to avoid duplication of incidents.
57
62
58
63
> [!NOTE]
59
64
> When you enable the Microsoft 365 Defender connector, all of the Microsoft 365 Defender components’ connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the components’ connectors, you must first disconnect the Microsoft 365 Defender connector.
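Review bot: the parenthetical "(This check box will not appear once the Microsoft 365 Defender connector is connected.)" sits at column zero between the two "1." items, which terminates the numbered list in Markdown, so "1. Select the **Connect incidents & alerts** button." renders as a fresh list numbered 1 instead of as step 2. Indent that line to align with the text of step 1 so it becomes a continuation paragraph of that step. It would also help readers to say in step 1 why the box matters: with the component connectors' Microsoft incident creation rules left on, the same incident arrives twice, once from the component connector and once via the synchronized Microsoft 365 Defender incident, which is the duplication the step is trying to avoid.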
@@ -65,7 +70,7 @@ SecurityIncident
65
70
| where ProviderName == "Microsoft 365 Defender"
66
71
```
67
72
68
-
### Connect entities
73
+
### Connect entities from on-premises Active Directory
69
74
70
75
Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.
71
76
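Review bot: renaming "### Connect entities" to "### Connect entities from on-premises Active Directory" changes the auto-generated anchor from #connect-entities to #connect-entities-from-on-premises-active-directory. This article already relies on in-page anchors (the next hunk links to #prerequisites-for-active-direc...), so search this file and any articles that link into it for #connect-entities and update those links; a stale fragment link fails silently by landing at the top of the page.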
@@ -79,7 +84,7 @@ Verify that you've satisfied the [prerequisites](#prerequisites-for-active-direc
79
84
80
85
:::image type="content" source="media/connect-microsoft-365-defender/ueba-configuration-page.png" alt-text="Screenshot of UEBA configuration page for connecting user entities to Sentinel.":::
81
86
82
-
### Connect events
87
+
### Connect raw events from Microsoft 365 Defender components
83
88
84
89
1. If you want to collect advanced hunting events from Microsoft Defender for Endpoint or Microsoft Defender for Office 365, the following types of events can be collected from their corresponding advanced hunting tables.
85
90
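Review bot: the same anchor concern applies to the rename of "### Connect events" to "### Connect raw events from Microsoft 365 Defender components"; any existing #connect-events links need updating. Separately, the step directly under the new heading names only Microsoft Defender for Endpoint and Microsoft Defender for Office 365, while the heading promises raw events from Microsoft 365 Defender components in general; either confirm the remaining steps cover the other components or narrow the heading to match the body.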
@@ -182,3 +187,4 @@ In this document, you learned how to integrate Microsoft 365 Defender incidents,
182
187
183
188
- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
184
189
- Get started [detecting threats with Microsoft Sentinel](./detect-threats-built-in.md).
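Review bot: the header "@@ -182,3 +187,4 @@" reports one added line, but no "+" line is visible in this hunk, so the addition is presumably a trailing newline or blank line at end of file. Confirm it is a single intentional newline rather than stray whitespace, since nothing else in the diff touches this section.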