Jan 09 2020 01:40 AM
Jan 09 2020 01:40 AM
we're trying to use our Sentinel to centralize alerts from all different E5 security solutions (wdatp, mcas, o365atp ..)
Are O365 Alerts available in sentinel? Or are only the base O365 events available via the "officeactivity" ?
For example: "Potentially unsafe URL click was detected"
Jan 09 2020 02:14 AM - edited Jan 09 2020 02:17 AM
I would suggest to follow the following steps:
Once that is done, Azure Sentinel will be able to get all the data that you listed above.
Then, I would suggest you to go the the "Analytics" blade (Azure Sentinel > Configuration > Analytics) and make sure that the Fusion rule is enabled as you have both Office 365 and MCAS and Fusion is a very advanced engine that correlate incidents from both Office 365 and MCAS to find incidents that are high fidelity, and high severity.
Then I would suggest to go to the Rule Templates and select and create the "Microsoft Security" rules, you should find what you are looking for.
(below on the right you can click on "Create"
Jan 09 2020 05:48 AMSolution
If i'm not mistaken Office Security & Compliance Center Alerts Connector is currently in private preview.
Alternatively, you could ingest these alerts via Graph Security API https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-office-365-alerts-with-graph-securit...
Jan 09 2020 06:01 AM
hey all, thanks for the quick replies! We do have all connectors live for the security solutions and have the MCAS/WDATP/ASC/IdentityProtection Analytics rules enabled.
The question was indeed about O365 alerts (not the events/logs) feeding in to Sentinel. I'll give the Graph API way a shot for now! We want to be on top of 'clicked-on-phishing-link' alerts as they present a significant risk to our org so having these alerts in Sentinel would be really helpful
Jul 14 2020 07:49 AM
has this changed?
The default "A potentially malicious URL click was detected" alert policy in my demo tenant has these alerts as high severity and as it's a default policy the severity cannot be altered so it appears to be high by default now.
The following defaults are all still informational though:
Would be nice if the severity of these could be altered.