AndrewX
Iron Contributor
May 18, 2022

SecurityAlert doesn't include important alert details

In the MS 365 Defender, we have an alert generated on "Granted mailbox permission" activity. This event shows up in the SecurityEvent and OfficeActivity tables, over in Log Analytics.

In OfficeActivity, it holds all the information about who did it, and who they did it to.

In SecurityAlerts, it only includes the "who did it" information, but not the "who they did it to" information.

This means analysts can't use Sentinel for investigation and have to go off to other portals to get more info, and it means we can't write playbooks using the Sentinel Alerts trigger.

Are we missing something?

5 Replies

  • GaryBushey
    Bronze Contributor

    AndrewX I believe this is the reason the new Microsoft 365 Defender data connector (currently in preview) was created. It will allow you to ingest more information from the various Defender products if you need them.

    • AndrewX
      Iron Contributor
      So for now shall we keep using the other portals, where the information is already available?

      I just wish we could create alerts/notifications using playbooks for these events. Looks like I'll have to write a custom Kusto query in LA and create a $1.50 alert based on it for now.
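The gap described in the original post (SecurityAlert carries the actor but not the target mailbox, while OfficeActivity carries both) and the custom Kusto query mentioned in the reply above can be joined into one query. The following KQL is an added example written for this thread, not code from either poster or from Microsoft. It assumes the standard Sentinel SecurityAlert and OfficeActivity schemas, that the Defender alert title contains "mailbox permission", that the Exchange audit event is Add-MailboxPermission with Identity, User and AccessRights in its Parameters array, and a two-hour correlation window; all of those are assumptions to adjust for your own tenant.

```kusto
// Added example (not from the thread): enrich a "Granted mailbox permission"
// SecurityAlert with the OfficeActivity record that names the target mailbox.
let lookback    = 1d;
let join_window = 2h;   // assumption: how far apart the alert and audit event may be
// 1. Pull the actor out of the alert's Entities JSON (account entities only).
let alerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName has "mailbox permission"          // assumption: match your alert title
    | mv-expand entity = parse_json(Entities)
    | where tostring(entity.Type) == "account"
    | extend Actor = tolower(strcat(tostring(entity.Name), "@", tostring(entity.UPNSuffix)))
    | project AlertTime = TimeGenerated, SystemAlertId, AlertName, AlertSeverity, Actor;
// 2. Pull actor, target mailbox, delegate and rights out of the Exchange audit event.
//    Parameters is a JSON array of {"Name":..., "Value":...} objects.
let grants = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange" and Operation == "Add-MailboxPermission"
    | extend params = parse_json(Parameters)
    | mv-apply param = params on (
        summarize
            TargetMailbox = tostring(make_list_if(param.Value, param.Name == "Identity")[0]),
            GrantedTo     = tostring(make_list_if(param.Value, param.Name == "User")[0]),
            AccessRights  = tostring(make_list_if(param.Value, param.Name == "AccessRights")[0])
      )
    | project GrantTime = TimeGenerated, Actor = tolower(UserId),
              TargetMailbox, GrantedTo, AccessRights;
// 3. Join on the actor and keep only audit events close in time to the alert.
//    leftouter keeps alerts that have no matching audit row, so nothing is silently lost.
alerts
| join kind=leftouter grants on Actor
| where isnull(GrantTime)
     or GrantTime between ((AlertTime - join_window) .. (AlertTime + join_window))
| project AlertTime, AlertName, AlertSeverity, Actor,
          TargetMailbox, GrantedTo, AccessRights, GrantTime, SystemAlertId
| order by AlertTime desc
```

Run in the Logs blade this gives an analyst the "who they did it to" side next to the alert. Saved as a scheduled analytics rule with TargetMailbox, GrantedTo and AccessRights mapped as custom details (and TargetMailbox as a Mailbox entity), the resulting incident carries the target information, so a playbook on the Sentinel incident trigger can act on it without visiting another portal. Alerts with no matching OfficeActivity row (for example when audit ingestion lags) appear with empty target columns rather than disappearing.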
      • GaryBushey
        Bronze Contributor
        I'm saying the new data connector will copy the information from Defender and put it into MS Sentinel so you can write the query to return all the data you want in it.