Microsoft

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

NOTE: Microsoft 365 Defender was formerly known as Microsoft Threat Protection or MTP. Microsoft Defender for Endpoint was formerly known as Microsoft Defender Advanced Threat Protection or MDATP.

 

We’re very pleased to announce that the public preview of the new Microsoft 365 Defender connector is now available, alongside a new Azure Sentinel benefit for Microsoft 365 E5 customers (https://aka.ms/m365-sentinel-offer)! The M365 Defender connector lets you stream advanced hunting logs - a type of raw event data - from Microsoft 365 Defender into Azure Sentinel. See the Microsoft documentation page on this connector for details: https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender

 

With the integration of Microsoft Defender for Endpoint (MDATP) into the Microsoft 365 Defender security umbrella, you can now collect your Microsoft Defender for Endpoint advanced hunting events using the Microsoft 365 Defender connector, and stream them straight into new purpose-built tables in your Azure Sentinel workspace. These tables are built on the same schema that is used in the Microsoft 365 Defender portal, giving you complete access to the full set of advanced hunting logs, and allowing you to do the following:

 

  • Easily copy your existing Microsoft Defender ATP advanced hunting queries into Azure Sentinel.
  • Use the raw event logs to provide additional insights for your alerts, hunting, and investigation, and correlate events with data from additional data sources in Azure Sentinel.
  • Store the logs with increased retention, beyond Microsoft Defender for Endpoint or Microsoft 365 Defender’s default retention of 30 days. You can do so by configuring the retention of your workspace or by configuring per-table retention in Log Analytics.
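
As an added example that is not part of the original post, the following KQL shows the first two points in one query: the first half uses only advanced hunting columns and would run unchanged in the Microsoft 365 Defender portal, while the join against SigninLogs is only possible once the data sits in Sentinel next to other sources. It assumes the connector has populated the DeviceLogonEvents table and that an Azure Active Directory connector has populated SigninLogs; the table and column names are standard advanced hunting and Sentinel schema names that this post does not list, and the thresholds are arbitrary.

```kql
// Added example (not from the original post): correlate Defender for Endpoint
// advanced hunting data with Azure AD sign-in logs in the same Sentinel workspace.
// Assumes the Microsoft 365 Defender connector populates DeviceLogonEvents and
// the Azure Active Directory connector populates SigninLogs (assumed table names).
let lookback = 1d;
// Part 1: a query exactly as you would run it in the Microsoft 365 Defender portal.
// It only touches advanced hunting columns (Timestamp, DeviceId, AccountName, ...),
// and the connector keeps those columns, so it pastes across without edits.
let failedEndpointLogons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where LogonType in ("Network", "RemoteInteractive")
    | where isnotempty(RemoteIP)
    | summarize
        EndpointFailures = count(),
        TargetDevices = dcount(DeviceId),
        SourceIPs = make_set(RemoteIP, 20),
        FirstFailure = min(Timestamp),
        LastFailure = max(Timestamp)
        by AccountName = tolower(AccountName);
// Part 2: Sentinel-only enrichment. SigninLogs is not an advanced hunting table,
// so this join only works once both data sources land in the workspace.
// ResultType "0" is a successful Azure AD sign-in; any other value is an error code.
let cloudSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend AccountName = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | summarize
        CloudFailures = countif(ResultType != "0"),
        CloudSuccesses = countif(ResultType == "0"),
        CloudIPs = make_set(IPAddress, 20)
        by AccountName;
// Accounts with many failed endpoint logons that also show both failed and
// successful cloud sign-ins in the same window are worth an analyst's look.
failedEndpointLogons
| where EndpointFailures >= 10          // arbitrary threshold; tune per environment
| join kind=inner cloudSignins on AccountName
| where CloudFailures > 0 and CloudSuccesses > 0
| project AccountName, EndpointFailures, TargetDevices, SourceIPs,
          FirstFailure, LastFailure, CloudFailures, CloudSuccesses, CloudIPs
| order by EndpointFailures desc
```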

[Screenshot: 2020-11-04_11-04-28.png]

 

How to enable the Microsoft 365 Defender connector in Azure Sentinel

 

Prerequisites

  • You must have a valid license for Microsoft Defender for Endpoint, as described in Set up Microsoft Defender for Endpoint deployment.
  • Your user must be assigned the Global Administrator role on the tenant (in Azure Active Directory).

 

  1. From the Azure Sentinel navigation menu, select Data connectors. [Screenshot: 2020-09-07_13-51-38.png]
  2. Select Microsoft 365 Defender from the data connectors gallery, and then select Open Connector Page on the preview pane. [Screenshot: 2020-11-04_11-02-11.png]
  3. On the Microsoft 365 Defender connector page, under Connect events and Microsoft Defender for Endpoint, tick the boxes for the types of logs you would like to be sent to Azure Sentinel and select Apply Changes. [Screenshot: 2020-11-04_11-04-28.png]

 

And that’s it! You will now have Microsoft Defender for Endpoint logs connected to your Sentinel workspace.

A new Azure Sentinel benefit for Microsoft 365 E5 customers

 

With this new offer, you can take advantage of end-to-end integrated security and save significant costs when ingesting Microsoft 365 data into Azure Sentinel. From November 1, 2020 through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can receive a data grant of up to 100 MB per user/month to ingest Microsoft 365 data, including Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs) described in this blog. For more details, please visit the M365 E5 Sentinel benefit website: https://aka.ms/m365-sentinel-offer

Get started today!

 

Try out the new connector and let us know your feedback using any of the channels listed in the Resources page of the Azure Sentinel GitHub wiki: https://github.com/Azure/Azure-Sentinel/wiki#resources

 

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community: https://aka.ms/threathunters

10 Comments
Occasional Contributor

Thank you @Sarah_Young. This is great to see the schema being exposed in Sentinel.

Thank you for sharing with the Community @Sarah_Young :cool:
Awesome!

New Contributor

Thank you @Sarah_Young 

Contributor

Excellent work.

 

Thank you

New Contributor

Thanks for the info. I was getting used to the ATP terminologies and well MS came up with a simplified name. Thanks.

Regular Visitor

@Sarah_Young thanks for posting! Could anyone tell me if there are any cost benefits by implementing suite data connector in Sentinel instead of per product? Thank you!

 

Kind Regards,

Kerim Tupkovic

Microsoft

Hi @KerimTupkovic, could you explain what you mean by "suite data connector"?

New Contributor

@Sarah_Young What @KerimTupkovic meant by "suite data connector" is this new M365 Defender connector which supports all Defender products under one connector. Defender suite of products.

 

@KerimTupkovic This new connector will not replace the individual Data connectors for all four security solutions under this new umbrella connector.

 

Microsoft 365 Defender (New Connector): Is meant to collect advanced hunting logs only.

https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender

 

While the individual connectors like Microsoft Defender for Endpoint / MDATP:

These are for collecting the alerts alone.

https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protectio...

 

@Sarah_Young I too was a bit confused initially as I thought that this would collect alerts too and so would replace the separate connector.

Maybe a good idea to update the post with a note on the above point, for those who don't reach the comments section :)

 

Also maybe as a feedback on the design of connectors why not bring in the option to have a checkbox with "Alerts" under the new connector and do away with multiple different connectors. One place to rule them all. :)

Regular Visitor

That's very nice to have advanced hunting queries and raw logs to Azure Sentinel.

However, I am thinking that by bringing all your organization's "telemetry" to Log Analytics tables it would increase the cost extremely. Is it true or not?

 

Thank you,

Grigorios

Microsoft

@gregoval ingesting these logs will increase your ingestion rate on your Sentinel workspace, but by how much will depend on a number of factors. You can use our calculator to help estimate this. 

 

Also if you have E5 there is currently a benefit you can read more about - https://azure.microsoft.com/en-us/offers/sentinel-microsoft-365-offer/ 

 

Thanks!

Sarah