Merge pull request #218161 from limwainstein/gcc-mapping

Adding cloud support page (GCC)

Author: v-dirichards

articles/sentinel/TOC.yml

@@ -73,6 +73,8 @@
         href: extend-sentinel-across-workspaces-tenants.md
       - name: Security baseline
         href: /security/benchmark/azure/baselines/sentinel-security-baseline?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
+      - name: Support for data types in different clouds
+        href: data-type-cloud-support.md
   - name: Find solutions and content
     items:
     - name: About Sentinel content
@@ -102,7 +104,7 @@
       - name: KQL quick reference
         href: /azure/data-explorer/kql-quick-reference?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
       - name: Other KQL resources
-        href: kusto-resources.md
+        href: kusto-resources.md      
   - name: Normalize data
     items:
     - name: ASIM overview
@@ -557,6 +559,8 @@
       href: windows-security-event-id-reference.md
     - name: DNS over AMA reference
       href: dns-ama-fields.md
+    - name: Microsoft 365 Defender connector data type support
+      href: microsoft-365-defender-cloud-support.md
   - name: Detection and analysis references
     items:
     - name: Top Microsoft Sentinel workbooks

articles/sentinel/data-type-cloud-support.md

@@ -0,0 +1,54 @@
+---
+title: Support for Microsoft Sentinel connector data types in different clouds
+description: This article describes the types of clouds that affect data streaming from the different connectors that Microsoft Sentinel supports.  
+author: limwainstein
+ms.topic: conceptual
+ms.date: 11/14/2022
+ms.author: lwainstein
+---
+
+# Support for data types in Microsoft Sentinel across different clouds
+
+Microsoft Sentinel data connectors use data stored in various cloud environments, like the Microsoft 365 Commercial cloud or the Government Community Cloud (GCC). 
+
+This article describes the types of clouds that affect the supported data types for the different connectors that Microsoft Sentinel supports. Specifically, support varies for different Microsoft 365 Defender connector data types in different GCC environments.  
+
+## Microsoft cloud types
+
+|Name  |Also named|Description |Learn more  |
+|---------|---------|---------|
+|Azure Commercial   |Azure, Azure Public      |The standard Microsoft cloud. Most of the enterprises in the private market, academic institutions and home Office 365 tenants reside in a Commercial environment.<br><br>Different tools help meet the Microsoft 365 Commercial compliance and security needs. For example: Intune, Microsoft Purview compliance portal, Microsoft Purview Information Protection, and more. |[Microsoft 365 integration](../security/fundamentals/feature-availability.md#microsoft-365-integration)    |
+|Government Community Cloud (GCC)  |GCC-M, GCC Moderate  |A government-focused copy of Microsoft 365 Commercial environment. While GCC contains similar features to the Microsoft 365 Commercial environment, GCC is subject to the FedRAMP Moderate policy.     |[Government Community Cloud](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc) |
+|Department of Defense (DoD)     |         |Originally created for internal use by the Department of Defense. DoD is the only environment that meets DoD SRG levels 5 and 6. Other clouds described in this article don't support these SRG levels.         |[GCC High and DoD](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc-high-and-dod) |
+|GCC-High     |GCC High         |Technically, GCC High is a copy of a DoD environment, but GCC High exists in its own sovereign environment.<br><br>GCC High (and above) stores the data in Azure Government, so it is physically segregated from the commercial services. |[GCC High and DoD](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc-high-and-dod) |  
+
+## Microsoft clouds and Microsoft Sentinel 
+
+Microsoft Sentinel is built on Microsoft Azure environments—both commercial and government. Office 365 environments, like GCC, GCC-High and DoD, interface at different levels with Azure environments. 
+
+This diagram shows the hierarchy of the Office 365 and Microsoft Azure clouds and how they relate to each other and to Microsoft Sentinel. 
+
+:::image type="content" source="./media/data-type-cloud-support/cloud-architecture-microsoft-sentinel.png" alt-text="Diagram showing how the Microsoft cloud architecture relates to Microsoft Sentinel data." border="false" lightbox="./media/data-type-cloud-support/cloud-architecture-microsoft-sentinel.png":::
+
+Because of this complexity, different types of data streaming into Microsoft Sentinel may or may not be fully supported.
+
+## How cloud support affects data from Microsoft 365 Defender connectors
+
+Your environment ingests data from multiple connectors. The type of cloud you use affects Microsoft Sentinel's ability to ingest and display data from these connectors, like logs, alerts, device events, and more.
+
+We have identified support discrepancies between the different clouds for the data streaming from these connectors:
+
+- Microsoft Defender for Endpoint
+- Microsoft Defender for Office 365
+- Microsoft Defender for Identity
+- Microsoft Defender for Cloud Apps
+- Azure Active Directory Identity Protection
+
+Read more about [support for Microsoft Defender 365 connector data types in different clouds](microsoft-365-defender-cloud-support.md).
+
+## Next steps
+
+In this article, you learned about the types of clouds that affect the supported data types for the different connectors that Microsoft Sentinel supports.
+
+- To get started with Microsoft Sentinel, you need a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a [free trial](https://azure.microsoft.com/free/).
+- Learn how to [onboard your data to Microsoft Sentinel](quickstart-onboard.md) and [get visibility into your data and potential threats](get-visibility.md).

articles/sentinel/media/data-type-cloud-support/cloud-architecture-microsoft-sentinel.png

@@ -0,0 +1,76 @@
+---
+title: Support for Microsoft 365 Defender connector data types in Microsoft Sentinel for different clouds (GCC environments)
+description: This article describes support for different Microsoft 365 Defender connector data types in Microsoft Sentinel across different clouds, including Commercial, GCC, GCC-High, and DoD.
+author: limwainstein
+ms.topic: reference
+ms.date: 11/14/2022
+ms.author: lwainstein
+---
+
+# Support for Microsoft 365 Defender connector data types in different clouds
+
+The type of cloud your environment uses affects Microsoft Sentinel's ability to ingest and display data from these connectors, like logs, alerts, device events, and more. This article describes support for different Microsoft 365 Defender connector data types in Microsoft Sentinel across different clouds, including Commercial, GCC, GCC-High, and DoD.
+
+Read more about [data type support for different clouds in Microsoft Sentinel](data-type-cloud-support.md).
+
+## Microsoft Defender for Endpoint
+
+|Data type  |Commercial  |GCC  |GCC-High |DoD |
+|---------|---------|---------|---------|---------|
+|DeviceInfo     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceNetworkInfo     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceProcessEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</ul></li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceNetworkEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |
+|DeviceFileEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceRegistryEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceLogonEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceImageLoadEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceEvents     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+|DeviceFileCertificateInfo     |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul>         |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |
+
+## Microsoft Defender for Identity
+
+|Data type  |Commercial  |GCC  |GCC-High |DoD |
+|---------|---------|---------|---------|---------|
+|IdentityDirectoryEvents |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |Unsupported |Unsupported |Unsupported |
+IdentityLogonEvents|<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |Unsupported |Unsupported |Unsupported |
+IdentityQueryEvents|<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li> |Unsupported |Unsupported |Unsupported |
+
+## Microsoft Defender for Cloud Apps
+
+|Data type  |Commercial  |GCC  |GCC-High |DoD |
+|---------|---------|---------|---------|---------|
+|CloudAppEvents |<ul><li>Microsoft 365 Defender: GA</li><li>Microsoft Sentinel: Public Preview</li></ul> |Unsupported |Unsupported |Unsupported |
+
+## Microsoft 365 Defender incidents
+
+|Data type  |Commercial  |GCC  |GCC-High |DoD |
+|---------|---------|---------|---------|---------|
+|SecurityIncident |Microsoft Sentinel: Public Preview |Microsoft Sentinel: Public Preview |Microsoft Sentinel: Public Preview |Microsoft Sentinel: Public Preview |
+
+## Alerts
+
+|Connector/Data type  |Commercial  |GCC  |GCC-High |DoD |
+|---------|---------|---------|---------|---------|
+|Microsoft 365 Defender Alerts: SecurityAlert |Public Preview |Public Preview |Public Preview |Public Preview |
+|Microsoft Defender for Endpoint Alerts (standalone connector): SecurityAlert (MDATP) |Public Preview |Public Preview |Public Preview |Public Preview |
+| Microsoft Defender for Office 365 Alerts (standalone connector):	SecurityAlert (OATP) |Public Preview |Public Preview |Public Preview |Public Preview |
+Microsoft Defender for Identity Alerts (standalone connector):	SecurityAlert (AATP) |Public Preview |Unsupported |Unsupported |Unsupported |
+Microsoft Defender for Cloud Apps Alerts (standalone connector): 	SecurityAlert (MCAS), |Public Preview |Unsupported |Unsupported |Unsupported |
+|Microsoft Defender for Cloud Apps Alerts (standalone connector):	McasShadowItReporting |Public Preview |Unsupported |Unsupported |Unsupported |
+
+## Azure Active Directory Identity Protection
+
+|Data type  |Commercial  |GCC  |GCC-High |DoD |
+|---------|---------|---------|---------|---------|
+|SecurityAlert (IPC) |Public Preview/GA |Supported |Supported |Supported |
+|AlertEvidence |Public Preview |Unsupported |Unsupported |Unsupported |
+
+## Next steps
+
+In this article, you learned which Microsoft 365 Defender connector data types are supported in Microsoft Sentinel for different cloud environments.
+
+- Read more about [GCC environments in Microsoft Sentinel](data-type-cloud-support.md).
+- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
+- [Use workbooks](monitor-your-data.md) to monitor your data.