Forum Discussion
AndrewX
May 18, 2022, Iron Contributor
SecurityAlert doesn't include important alert details
In MS 365 Defender, we have an alert generated on "Granted mailbox permission" activity. This event shows up in the SecurityEvent and OfficeActivity tables, over in Log Analytics. In Office...
GaryBushey
May 18, 2022, Bronze Contributor
I'm saying the new data connector will copy the information from Defender and put it into MS Sentinel, so you can write the query to return all the data you want in it.
AndrewX
May 18, 2022, Iron Contributor
Apologies, but I don't see that. The data in the alert is only half of what is in Defender?
Or are you saying that I get half of the data from the alert, then pivot/join to the OfficeActivity table and get the rest from there?
GaryBushey
May 19, 2022, Bronze Contributor
If there isn't enough data in your alert, you can change the alert rule to add the additional data from the other M365 tables that the new data connector ingests.