Forum Discussion
Getting Office 365 Security Events and Incidents in Sentinel
I’ve created a custom detection in Office 365’s security portal that generated an incident, but that incident is not showing up in Azure Sentinel. I’ve done queries in Sentinel via the...
Thijs Lecomte Say you do this:
go to security.microsoft.com/advanced-hunting
You create a query and then "Create detection rule"
Now you've got a Custom Detection; how do you set a notification policy for it? Within the detection you can configure actions, but email notifications/alerts isn't one of them. I ended up giving up and based on feedback I've seen from a couple of sources moved my custom detection rules from Office 365 back to ATP. What I really wanted was to feed it all to Azure Sentinel, but the best combination of flexibility and alerting seems to be at the ATP level.
I see
Then I would advise you to connect MDATP to Sentinel (https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection)
And enable the analytics rule - Create incidents based on Microsoft Defender Advanced Threat Protection alerts
Then I would advise you to connect MDATP to Sentinel (https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection)
And enable the analytics rule - Create incidents based on Microsoft Defender Advanced Threat Protection alerts
Thank you I'll investigate...