Forum Discussion
Shubham1809 (Copper Contributor)
Oct 13, 2023
MS Purview Integration with MS Sentinel
Hi All,
Hope you all are doing good!
1) What is the difference between MS Purview alerts going to Sentinel via MS 365 Defender vs. alerts going directly to Sentinel?
Also, is there any way to stop alerts from Purview going into MS 365 Defender temporarily?
2) What is the best way to integrate MS Purview with Sentinel?
Option 1: Purview > MS 365 > MS Sentinel
Option 2: Purview > MS Sentinel
Please describe what differences we could see in alerts and logs.
3) What kind of logs are sent to Sentinel from MS Purview?
Thank you.
- vicwingsing (Iron Contributor)
1) What is the difference between MS Purview alerts going to Sentinel via MS 365 Defender vs. alerts going directly to Sentinel?
When alerts from Purview go to Sentinel via MS 365 Defender, incidents, schema, and alerts can be shared between Microsoft Sentinel and Microsoft 365 Defender. On the other hand, when alerts go directly from Purview to Sentinel, you can view the alerts about possible data loss in the same view as the Microsoft 365 Defender incident queue, which allows you to refine the incident scope, without the need to switch screens. https://learn.microsoft.com/en-us/azure/sentinel/purview-solution
Also, is there any way to stop alerts from Purview going into MS 365 Defender temporarily?
- Haven't tried this one. What's the use case for halting this temporarily?
2) What is the best way to integrate MS Purview with Sentinel?
Option 1: Purview > MS 365 > MS Sentinel
Option 2: Purview > MS Sentinel
Please describe what differences we could see in alerts and logs.
Both options (Purview > MS 365 > MS Sentinel and Purview > MS Sentinel) have their advantages. The first option provides a unified way to manage risk under a single umbrella, with shared incidents, schema, and alerts between Microsoft Sentinel and Microsoft 365 Defender. The second option allows you to view the alerts about possible data loss in the same view as the Microsoft 365 Defender incident queue, which allows you to refine the incident scope, without the need to switch screens.
3) What kind of logs are sent to Sentinel from MS Purview?
The kind of logs sent to Sentinel from MS Purview include data sensitivity logs, which flow into Microsoft Sentinel after a full scan is run, or when a change is detected during a scan. This one is a good read: https://alberthoitingh.com/2022/05/20/different-types-of-logging-microsoft-purview-audit/