Forum Discussion
Find who activated and unified Microsoft Sentinel to Microsoft Defender XDR and when ?
Rosine_LEROY Hi, you can use Azure Activity Logs
Azure Activity Logs capture all control-plane events within your Azure subscription, including changes made to resources like Microsoft Sentinel and Defender XDR.
1-Sign in to the Azure Portal at https://portal.azure.com.
2-Navigate to Activity Logs:
   Click on Monitor in the left-hand menu.
   Select Activity Log under the Monitoring section.
3-Filter the Activity Logs:
   Time Range: Set the time range to cover the period when the unification might have occurred.
   Subscription: Ensure the correct subscription is selected.
   Event Categories: Choose Administrative.
   Resource Type: Select Microsoft.SecurityInsights/Workspaces or Microsoft.OperationalInsights/Workspaces.
   Operation Name: Look for operations like "Create or Update Microsoft Sentinel" or "Microsoft.SecurityInsights/onboardToSentinel/Action".
4-Identify the Action:
   Look for entries that indicate the activation or unification of Sentinel and Defender XDR.
   Caller: The Initiated By or Caller field will display who performed the action.
   Timestamp: The Event Timestamp shows when the action occurred.
Alternatively, you can use Microsoft 365 Defender Advanced Hunting.
1-Access Microsoft 365 Defender > Threat & Vulnerability Management > Advanced Hunting
2-Run KQL Query
// Query Audit Logs for Defender XDR and Sentinel Integration
AuditLogs
| where TimeGenerated >= ago(90d) // Adjust as needed
| where OperationName == "Integration with Microsoft Sentinel enabled"
    or OperationName == "Integration with Microsoft Sentinel updated"
// InitiatedBy is a dynamic column; pull out the acting user's UPN for readability
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
// The AuditLogs table reports the outcome in the Result column (success/failure)
| project TimeGenerated, OperationName, Actor, InitiatedBy, Result
| order by TimeGenerated desc
I hope this helps you.
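If the Azure Activity data connector is enabled on the Sentinel workspace, the same control-plane events described in the portal steps above can be queried directly from Log Analytics. This is an added example, not part of the reply above; it assumes the AzureActivity table schema (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, _ResourceId) and matches any Microsoft.SecurityInsights operation containing "onboard" rather than only the one operation name the reply cites.

```kql
// Who first onboarded this workspace to Microsoft Sentinel, and from where.
// Added example; assumes the AzureActivity connector is ingesting subscription activity.
AzureActivity
| where TimeGenerated >= ago(90d)                       // widen if the onboarding is older
| where OperationNameValue startswith "Microsoft.SecurityInsights/"
    and OperationNameValue contains "onboard"           // e.g. .../onboardToSentinel/action
| where ActivityStatusValue in~ ("Succeeded", "Success") // ignore failed or denied attempts
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Attempts  = count()
        by Caller, CallerIpAddress, OperationNameValue, _ResourceId
| order by FirstSeen asc
```

Caller is the UPN or service-principal object ID that issued the ARM request; a service principal there usually points at a pipeline or policy rather than an interactive admin.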