Forum Discussion
AnalystGuy
Aug 12, 2020 | Copper Contributor
Getting Office 365 Security Events and Incidents in Sentinel
I’ve created a custom detection in Office 365’s security portal that generated an incident, but that incident is not showing up in Azure Sentinel. I’ve done queries in Sentinel via the...
AnalystGuy
Aug 25, 2020 | Copper Contributor
Thijs Lecomte Say you do this:
Go to security.microsoft.com/advanced-hunting.
You create a query and then choose "Create detection rule".
Now you've got a Custom Detection; how do you set a notification policy for it? Within the detection you can configure actions, but email notifications/alerts aren't one of them. I ended up giving up and, based on feedback I've seen from a couple of sources, moved my custom detection rules from Office 365 back to ATP. What I really wanted was to feed it all to Azure Sentinel, but the best combination of flexibility and alerting seems to be at the ATP level.
Thijs Lecomte
Aug 26, 2020 | Bronze Contributor
I see.
Then I would advise you to connect MDATP to Sentinel (https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection)
and enable the analytics rule "Create incidents based on Microsoft Defender Advanced Threat Protection alerts".
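One way to confirm that the MDATP connector and the incident-creation rule described above are actually working, as an added example that is not part of the thread or of Microsoft's documentation. It assumes the standard Sentinel `SecurityAlert` and `SecurityIncident` tables, that MDATP alerts carry `ProviderName == "MDATP"`, and that `SecurityIncident.AlertIds` holds the `SystemAlertId` values of the alerts grouped into each incident (these column semantics are assumptions to verify in your own workspace):

```kql
// Added example, not from the thread. Assumes the MDATP data connector is enabled and the
// "Create incidents based on Microsoft Defender Advanced Threat Protection alerts" rule is on.
// Step 1: MDATP alerts that have landed in the SecurityAlert table over the last 7 days.
let mdatpAlerts = SecurityAlert
    | where TimeGenerated > ago(7d)
    | where ProviderName == "MDATP"
    | project SystemAlertId, AlertName, AlertSeverity, AlertTime = TimeGenerated;
// Step 2: Sentinel incidents, reduced to their latest state and expanded to one row per alert.
let incidents = SecurityIncident
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | mv-expand AlertId = AlertIds
    | project IncidentNumber, Title, Status, AlertId = tostring(AlertId);
// Step 3: alerts with no matching incident are the ones the analytics rule did not pick up.
mdatpAlerts
| join kind=leftouter incidents on $left.SystemAlertId == $right.AlertId
| extend HasIncident = isnotempty(IncidentNumber)
| summarize Alerts = count(), WithIncident = countif(HasIncident) by AlertName, AlertSeverity
| extend Missing = Alerts - WithIncident
| order by Missing desc
```

Run this in the Sentinel workspace's Logs blade. If `SecurityAlert` returns nothing for `MDATP`, the connector is not ingesting; if alerts appear but `WithIncident` stays at zero, the incident-creation rule is disabled or filtering them out.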
AnalystGuy
Sep 11, 2020 | Copper Contributor
Thank you I'll investigate...