Forum Discussion
Office365 S&C Alerts available in Sentinel?
Hey all,
we're trying to use our Sentinel to centralize alerts from all the different E5 security solutions (WDATP, MCAS, O365 ATP, ...).
Are O365 alerts available in Sentinel? Or are only the base O365 events available via the "OfficeActivity" table?
For example: "Potentially unsafe URL click was detected"
Thanks, Maarten.
15 Replies
- ehloworldio (Brass Contributor)
If I'm not mistaken, the Office Security & Compliance Center Alerts connector is currently in private preview.
Alternatively, you could ingest these alerts via the Graph Security API: https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-office-365-alerts-with-graph-security-api/ba-p/984888
- Julian (Brass Contributor)
Is the connector still in private preview?
- rafaelruales (Copper Contributor)
Update 03/22: this event, "Potentially unsafe URL click was detected", can be found under these connectors:
- Microsoft 365 Defender
- Microsoft Defender for Office 365
It lands in the SecurityAlert table in Sentinel.
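Once the alert is in SecurityAlert, a query like the one below pulls the clicked URL and the affected account out of the alert's Entities JSON so the "clicked-on-phishing-link" cases can be triaged or turned into an analytics rule. This is an added example, not from the thread or from Microsoft; the ProductName values and the entity field names are assumptions to check against your own workspace.

```kql
// Added example (not from the thread): surface Defender for Office 365
// "unsafe/malicious URL click" alerts and extract the clicked URL and user.
// Column names follow the SecurityAlert schema. The ProductName values and
// the entity field names (Url, Name, MailboxPrimaryAddress) are assumptions;
// verify with: SecurityAlert | distinct ProductName, ProviderName
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "unsafe URL click" or AlertName has "malicious URL click"
// Assumption: adjust to the ProductName your tenant actually reports
| where ProductName in ("Office 365 Advanced Threat Protection", "Microsoft Defender for Office 365")
// Entities is a JSON array of typed entity objects; expand it one entity per row
| extend EntitiesJson = parse_json(Entities)
| mv-expand Entity = EntitiesJson
| extend EntityType = tostring(Entity.Type)
// Collapse back to one row per alert, collecting URLs and identities by entity type
| summarize
    ClickedUrls = make_set_if(tostring(Entity.Url), EntityType =~ "url"),
    Accounts    = make_set_if(tostring(Entity.Name), EntityType =~ "account"),
    Mailboxes   = make_set_if(tostring(Entity.MailboxPrimaryAddress), EntityType =~ "mailbox")
    by SystemAlertId, TimeGenerated, AlertName, AlertSeverity, ProductName, CompromisedEntity, Status
// Keep only alerts where a URL entity was actually present
| where array_length(ClickedUrls) > 0
| order by TimeGenerated desc
```

Save it as a scheduled analytics rule if you want an incident per click rather than a hunting query; the resulting rows map to the user and URL entities needed for incident entity mapping.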
- mclaes (Brass Contributor)
Hey all, thanks for the quick replies! We do have all connectors live for the security solutions and have the MCAS/WDATP/ASC/Identity Protection analytics rules enabled.
The question was indeed about O365 alerts (not the events/logs) feeding into Sentinel. I'll give the Graph API way a shot for now! We want to be on top of 'clicked-on-phishing-link' alerts as they present a significant risk to our org, so having these alerts in Sentinel would be really helpful.
Cheers, Maarten.
- chrisbuesold (Brass Contributor)
- PJR_CDF (Iron Contributor)
Has this changed?
The default "A potentially malicious URL click was detected" alert policy in my demo tenant has these alerts as high severity and as it's a default policy the severity cannot be altered so it appears to be high by default now.
The following defaults are all still informational though:
- Email messages containing malware removed after delivery
- Email messages containing phish URLs removed after delivery
- Email reported by user as malware or phish
Would be nice if the severity of these could be altered.
Paul
- nrupaks (Copper Contributor)
PJR_CDF, Ofer_Shezaf - is it this one? "Office 365 Advanced Threat Protection (Preview)"
- thomasdefise (Brass Contributor)
Hello Maarten,
I would suggest following these steps:
- Connect data from Azure Active Directory
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
- Connect data from Office 365 logs
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365
- Connect data from Azure Activity log
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity
- Connect data from Azure AD Identity Protection (if deployed too)
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-ad-identity-protection
- Connect alerts from Microsoft Defender Advanced Threat Protection
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection
- Connect data from Azure Security Center
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
Once that is done, Azure Sentinel will be able to get all the data that you listed above.
Then, I would suggest you go to the "Analytics" blade (Azure Sentinel > Configuration > Analytics) and make sure that the Fusion rule is enabled, as you have both Office 365 and MCAS, and Fusion is a very advanced engine that correlates incidents from both Office 365 and MCAS to find incidents that are high fidelity and high severity. (https://docs.microsoft.com/en-us/azure/sentinel/fusion)
Then I would suggest going to the Rule Templates and selecting and creating the "Microsoft Security" rules; you should find what you are looking for. (Below on the right you can click on "Create".)
Kind Regards,
Thomas