Forum Discussion
Thiago-Beier
Feb 08, 2024
Microsoft XDR and defender endpoint to Sentinel
Hi everyone,
I have a lab environment:
01 CDX tenant, MDE 90-day trial https://cdx.transform.microsoft.com/
- MDE licensed and devices onboarded
01 Azure subscription ($200/month) from my MCT subscription
- Sentinel enabled here
- Azure Arc enabled here
I'm trying to forward/connect the 01 CDX tenant MDE XDR and endpoint to Sentinel (MCT subscription).
Tried the following articles:
https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration
At this one, IExplorer breaks:
Fetch Microsoft Defender XDR incidents | Microsoft Learn
Error Code: INET_E_CANNOT_CONNECT
Any thoughts?
Thanks in advance.
Thiago B.
- G_Wilson3468
I would try a couple of things. First, try flushing your DNS and try again. If that does not work, rename the connections folder in the Windows registry. "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/<version>/Internet Settings"
You can also try changing your DNS server.
Hope this helps.
- Thiago-Beier
I was able to complete https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration , waited 1 hour, re-ran and it worked; got the tokens. However, from the Sentinel part nothing changes. It's like the Sentinel (Azure subs #2) has no awareness of the MDE from the M365 tenant (which is not the same Entra ID), as in the diagram added.
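The reply above reports that the connector steps completed but "nothing changes" on the Sentinel side. One way to check that objectively, rather than waiting on the portal, is to ask the Log Analytics workspace itself whether any Defender XDR or MDE data has arrived. The following KQL is an added example written for this thread, not a query from the post or from Microsoft's documentation; it assumes the standard table names the Defender XDR connector populates, and the 7-day look-back is an arbitrary choice.

```kql
// Added diagnostic: has any Defender XDR / Defender for Endpoint data reached this workspace?
// Run in the Sentinel workspace's Logs blade. The look-back window is an assumption; widen it if needed.
let lookback = 7d;
union isfuzzy=true withsource=SourceTable
    // advanced-hunting event tables streamed by the Defender XDR connector
    DeviceInfo, DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceLogonEvents,
    // alert and incident tables; ProviderName tells you which product wrote the row
    SecurityAlert, SecurityIncident
| where TimeGenerated > ago(lookback)
| extend ProviderName = tostring(column_ifexists("ProviderName", ""))
| summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SourceTable, ProviderName
| order by LastSeen desc
```

If the result set is empty, the workspace has received nothing from the connector in the window, which matches the "no awareness" symptom and points at the connector or tenant relationship rather than at Sentinel's analytics rules. If only SecurityIncident or SecurityAlert rows appear, incident sync is working but the raw event tables were not selected in the connector. `isfuzzy=true` keeps the query from failing on tables that do not yet exist in the workspace, which is exactly the situation being diagnosed.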
- rutgersmeets
Hi Thiago-Beier,
Is this the trial that you are using? https://developer.microsoft.com/en-us/microsoft-365/dev-program
Last time I used this, I noticed that Advanced Hunting in Defender for Endpoint was unavailable. This is pure speculation, but I think that this feature is expressly disabled for the Developer trial as the cost would be significant and not many developers would make use of it.
Have you considered signing up for a Defender for Endpoint P2 trial license via admin.microsoft.com in the tenant where your MCT subscription resides? Or in a new tenant, if cross-tenant log ingestion is what you are trying to achieve?
Kind regards,
Rutger