File: articles/sentinel/microsoft-365-defender-sentinel-integration.md
Lines changed: 9 additions & 19 deletions
@@ -5,25 +5,12 @@ author: yelevin
5
5
ms.topic: conceptual
6
6
ms.date: 03/23/2022
7
7
ms.author: yelevin
8
-
ms.custom: ignite-fall-2021
8
+
ms.service: microsoft-sentinel
9
9
---
10
10
11
11
# Microsoft 365 Defender integration with Microsoft Sentinel
12
12
13
-
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14
-
15
-
> [!IMPORTANT]
16
-
> The Microsoft 365 Defender connector is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
17
-
18
-
> [!IMPORTANT]
19
-
>
20
-
> **Microsoft Defender for Cloud Apps** was formerly known as **Microsoft Cloud App Security** or **MCAS**.
21
-
>
22
-
> You may see the old names still in use for a period of time.
23
-
24
-
## Incident integration
25
-
26
-
Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft 365 Defender (formerly known as Microsoft Threat Protection or MTP) include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation.
13
+
Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft 365 Defender include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation.
27
14
28
15
This integration gives Microsoft 365 security incidents the visibility to be managed from within Microsoft Sentinel, as part of the primary incident queue across the entire organization, so you can see – and correlate – Microsoft 365 incidents together with those from all of your other cloud and on-premises systems. At the same time, it allows you to take advantage of the unique strengths and capabilities of Microsoft 365 Defender for in-depth investigations and a Microsoft 365-specific experience across the Microsoft 365 ecosystem. Microsoft 365 Defender enriches and groups alerts from multiple Microsoft 365 products, both reducing the size of the SOC’s incident queue and shortening the time to resolve. The component services that are part of the Microsoft 365 Defender stack are:
29
16
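Review bot: dropping the second IMPORTANT callout (old lines 18-22, "Microsoft Defender for Cloud Apps was formerly known as Microsoft Cloud App Security or MCAS ... You may see the old names still in use for a period of time") removes the only place on this page that maps the old product name to the new one, while the article body still refers to "Defender for Cloud Apps" in the component list and in the later NOTE about its alert types; the same hunk also deletes "(formerly known as Microsoft Threat Protection or MTP)" from the intro paragraph. Unless the naming transition is considered finished, keep a one-line alias for each (for example "Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS)") so readers searching on the old names still land here. Also, the front matter swaps `ms.custom: ignite-fall-2021` for `ms.service: microsoft-sentinel` but leaves `ms.date: 03/23/2022` untouched even though the body text changes below; bump the date with the content edit.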
@@ -38,7 +25,10 @@ Other services whose alerts are collected by Microsoft 365 Defender include:
38
25
39
26
In addition to collecting alerts from these components and other services, Microsoft 365 Defender generates alerts of its own. It creates incidents from all of these alerts and sends them to Microsoft Sentinel.
40
27
41
-
### Common use cases and scenarios
28
+
> [!IMPORTANT]
29
+
> The Microsoft 365 Defender connector is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
30
+
31
+
## Common use cases and scenarios
42
32
43
33
- One-click connect of Microsoft 365 Defender incidents, including all alerts and entities from Microsoft 365 Defender components, into Microsoft Sentinel.
44
34
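Review bot: the relocated PREVIEW callout (new lines 28-30) now sits at the very end of the "Incident integration" section, after the paragraph "It creates incidents from all of these alerts and sends them to Microsoft Sentinel." and immediately before the new `## Common use cases and scenarios` heading, so a reader who starts at the top reads the whole description of the connector before learning it is in preview, and the callout visually attaches to neither section. Either keep it directly under the H1 (where this commit removes it) or put it under the heading it qualifies, "Connecting to Microsoft 365 Defender", next to the connector setup sentence. The `### Common use cases and scenarios` to `## Common use cases and scenarios` promotion also changes the outline: this was a subsection of "Incident integration" and is now its sibling, leaving "Incident integration" as an H2 with only the intro paragraphs; confirm that flattening is intended.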
@@ -48,7 +38,7 @@ In addition to collecting alerts from these components and other services, Micro
48
38
49
39
- In-context deep link between a Microsoft Sentinel incident and its parallel Microsoft 365 Defender incident, to facilitate investigations across both portals.
50
40
51
-
###Connecting to Microsoft 365 Defender
41
+
## Connecting to Microsoft 365 Defender
52
42
53
43
Once you have enabled the Microsoft 365 Defender data connector to [collect incidents and alerts](connect-microsoft-365-defender.md), Microsoft 365 Defender incidents will appear in the Microsoft Sentinel incidents queue, with **Microsoft 365 Defender** in the **Product name** field, shortly after they are generated in Microsoft 365 Defender.
54
44
- It can take up to 10 minutes from the time an incident is generated in Microsoft 365 Defender to the time it appears in Microsoft Sentinel.
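Review bot: `###Connecting to Microsoft 365 Defender` has no space after the hashes, so it rendered as a literal paragraph rather than a heading; the fix is correct, but the replacement is `## ` rather than the `### ` the original clearly intended, which promotes the section out from under "Incident integration". If the goal is only to repair the rendering, `### Connecting to Microsoft 365 Defender` preserves the outline. Either way, this change creates a heading anchor that did not exist before (the broken line produced none), so check whether the referenced page `connect-microsoft-365-defender.md` or other articles link into this section by fragment and adjust them to the new anchor.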
@@ -57,7 +47,7 @@ Once you have enabled the Microsoft 365 Defender data connector to [collect inci
57
47
58
48
Once the Microsoft 365 Defender integration is connected, all the component alert connectors (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps) will be automatically connected in the background if they weren't already. If any component licenses were purchased after Microsoft 365 Defender was connected, the alerts and incidents from the new product will still flow to Microsoft Sentinel with no additional configuration or charge.
59
49
60
-
###Microsoft 365 Defender incidents and Microsoft incident creation rules
50
+
## Microsoft 365 Defender incidents and Microsoft incident creation rules
61
51
62
52
- Incidents generated by Microsoft 365 Defender, based on alerts coming from Microsoft 365 security products, are created using custom Microsoft 365 Defender logic.
63
53
@@ -70,7 +60,7 @@ Once the Microsoft 365 Defender integration is connected, all the component aler
70
60
> [!NOTE]
71
61
> All Microsoft Defender for Cloud Apps alert types are now being onboarded to Microsoft 365 Defender.
72
62
73
-
###Working with Microsoft 365 Defender incidents in Microsoft Sentinel and bi-directional sync
63
+
## Working with Microsoft 365 Defender incidents in Microsoft Sentinel and bi-directional sync
74
64
75
65
Microsoft 365 Defender incidents will appear in the Microsoft Sentinel incidents queue with the product name **Microsoft 365 Defender**, and with similar details and functionality to any other Sentinel incidents. Each incident contains a link back to the parallel incident in the Microsoft 365 Defender portal.
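Review bot: the `###Working with ...` to `## Working with ...` line is the same missing-space heading repair as in the two hunks above and is fine as a fix; since this hunk is already touching the section, the unchanged NOTE just above it, "All Microsoft Defender for Cloud Apps alert types are now being onboarded to Microsoft 365 Defender", is dated language that will silently become wrong once the onboarding completes. Restate it as a current fact with a date or reference ("As of <date>, all ... alert types are onboarded ...") or drop the "now being" phrasing, so the page does not need a follow-up edit to stay accurate.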