Microsoft Tech Community

Why are these alerts in Microsoft Purview and not Microsoft Defender for Endpoint?

Hi all,
I'm hoping this might be an obvious thing that I'm missing, so apologies in advance for asking!
I regularly see alerts in Purview for a user creating a new/amending an email forwarding rule. I always follow up with them to confirm that this was them, even if it's internal.
I tried to firm up my knowledge around what to do in Defender if one of these rules did turn out to be malicious, but all of the guidance relates to these alerts being in Defender.
However, the alerts I see are always in Purview and never in Defender. Why is that?

  • Where is Purview pulling this data from?
  • Why is Defender not pulling this data down and alerting?
  • Should it be?
  • And how do I turn on the data stream/create alerts for this activity?

I tried some of the KQL queries in advanced hunting, and Defender can find the activity, it's just not alerting.
Also, when I was researching (last week), under the Defender 'Explorer' tab there was a cog settings wheel that showed that the Microsoft Defender for Endpoint connection was switched off. When I checked today, it's not there! How do I check whether this connection is enabled, and if not, where and how do I enable it?!?

2 Replies

Hi!
Where is Purview pulling this data from?
--> Threat detection in Office 365 Security & Compliance (you can check the source within the alert in Purview or in Defender XDR)
Why is Defender not pulling this data down and alerting?
--> It does, maybe you need to activate the rule and set the alert: see under Defender XDR, Cloud Apps, Policy Management -> Suspicious inbox forwarding
And how do I turn on the data stream/create alerts for this activity?
--> In the settings of the above suspicious inbox forwarding rule

Hope that helps... The questions "Should it be?" and "How do I check whether this connection is enabled, and if not, where and how do I enable it?!?" I did not understand.
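As an added example (it is not part of this thread and not Microsoft's own policy logic), the following advanced hunting query in Defender XDR pulls the same Exchange Online audit events that the "Suspicious inbox forwarding" policy and the Purview alert are built on, so you can see which rule was created or changed, by whom, and where mail is being sent, without depending on an alert's severity filter. The table and column names are the real CloudAppEvents schema and the operation and parameter names are the ones Exchange Online writes into the audit record; the 30-day window and the internal domain used to flag external destinations are assumptions to adjust for your tenant.

```kusto
// Added example: hunt for inbox rules and mailbox settings that forward or redirect mail.
// Parameter names are those Exchange Online records in the audit event (RawEventData.Parameters).
let lookback = 30d;                                  // assumption: adjust to your retention
let forwardingParams = dynamic([
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   // New-InboxRule / Set-InboxRule
    "ForwardingSmtpAddress", "ForwardingAddress"          // Set-Mailbox
]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
// Rules created from the Outlook desktop client are logged as UpdateInboxRules with a
// different parameter layout and are not covered by this query.
| mv-expand Parameter = RawEventData.Parameters
| extend ParamName = tostring(Parameter.Name), ParamValue = tostring(Parameter.Value)
| where ParamName in (forwardingParams) and isnotempty(ParamValue)
// Flag destinations outside your own tenant; replace the domain with yours (assumption).
| extend IsExternalDestination = ParamValue !contains "@contoso.com"
| project Timestamp, AccountDisplayName, AccountObjectId, ActionType, ParamName, ParamValue,
          IsExternalDestination, IPAddress, CountryCode, ReportId
| order by Timestamp desc
```

The hunt only covers what was logged inside the window; a rule that predates your audit retention will not show up here, so the complementary check when you suspect a mailbox is to enumerate its existing rules directly (Get-InboxRule in Exchange Online PowerShell) and look at the same ForwardTo, ForwardAsAttachmentTo and RedirectTo properties.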

Hi @adiii and @BillClarksonAntill

It turns out that Defender was showing these alerts as well, but I had set my filter to not show informational only. Doh!