Forum Discussion
AndrewX
May 18, 2022 · Iron Contributor
SecurityAlert doesn't include important alert details
In MS 365 Defender, we have an alert generated on "Granted mailbox permission" activity. This event shows up in the SecurityEvent and OfficeActivity tables, over in Log Analytics. In Office...
AndrewX
May 18, 2022 · Iron Contributor
So for now shall we keep using the other portals, where the information is already available?
I just wish we could create alerts/notifications using playbooks for these events. Looks like I'll have to write a custom Kusto query in LA and create a $1.50 alert based on it for now.
GaryBushey
May 18, 2022 · Bronze Contributor
I'm saying the new data connector will copy the information from Defender and put it into MS Sentinel so you can write the query to return all the data you want in it.
- AndrewX, May 18, 2022 · Iron Contributor
  Apologies, but I don't see that. The data in the alert is only half of what is in Defender?
  Or are you saying that I get half of the data from the alert, then pivot/join to the OfficeActivity table and get the rest from there?
- GaryBushey, May 19, 2022 · Bronze Contributor
  If there isn't enough data in your alert, you can change the alert rule to add the additional data from the other M365 tables that the new data connector ingests.