Oct 04 2021 07:45 AM
I understand that this feature is currently in preview, integrating the entire Defender 365 Suite into Sentinel and supporting bi-directional sync.
Prior to this, my understanding was to route all the alerts via MCAS to avoid duplicate ID issues for example with Defender for Identity:
If both your services (Defender for Identity and Cloud App Security) are currently configured to send alert notifications to a SIEM, after enabling Defender for Identity integration in Cloud App Security, you'll start to receive duplicate SIEM notifications for the same alert. One alert will be issued from each service and they'll have different alert IDs. To avoid duplication and confusion, decide where you intend to perform alert management, and then stop SIEM notifications being sent from the other service.
Another benefit was with integrating Defender for Endpoint with MCAS to then have the ability for Cloud App Discovery to sanction/un-sanction apps, then there was the integration of Defender for Identity with Defender for Endpoint.
I guess what I'm trying to work out is this: once we start using the new 365 Defender connector to Sentinel, what do we need to change in all the integrations we have set up with the whole Defender suite pointing to MCAS? (Data ingestion cost savings also come into play when alerts are directed to MCAS first.)
The only thing I read was that you need to be aware of the incident creation rules and the need to delete them in 365 Defender to avoid duplicates, if also using in Sentinel.
Secondly, am I correct to assume that all the 365 Defender Suite alerts will be at no charge?
Lastly, there is a note on top of all this stating "All Microsoft Cloud App Security alert types are now being onboarded to Microsoft 365 Defender". What would be great is a best-practice 365 Defender integration guide, as there are so many portals that can be logged into.
Nov 16 2021 04:37 AM
I cannot answer all of your questions, but I can answer the second one. All M365 Defender Alerts and Incidents logs are free when ingested into Sentinel. If you need a more detailed view you can find it here: https://docs.microsoft.com/en-us/azure/sentinel/azure-sentinel-billing#free-data-sources