Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Why are these alerts in Microsoft Purview and not in Microsoft Defender for Endpoint?

Brass Contributor

Hi all,

 

I'm hoping this might be an obvious thing that I'm missing, so apologies in advance for asking!

 

I regularly see alerts in Purview for a user creating a new/amending an email forwarding rule. I always follow up with them to confirm that this was them, even if it's internal.

 

I tried to firm up my knowledge around what to do in Defender if one of these rules did turn out to be malicious, but all of the guidance relates to these alerts being in Defender.

 

However, the alerts I see are always in Purview and never in Defender. Why is that?

  • Where is Purview pulling this data from?
  • Why is Defender not pulling this data down and alerting?
  • Should it be?
  • And how do I turn on the data stream/create alerts for this activity?

I tried some of the KQL queries in advanced hunting, and Defender can find the activity, it's just not alerting.

 

Also, when I was researching (last week), under the Defender 'Explorer' tab there was a cog settings wheel that showed that the Microsoft Defender for Endpoint connection was switched off. When I checked today, it's not there! How do I check whether the this connection is enabled, and if not, where and how do I enable it?!?

1 Reply
best response confirmed by GI472 (Brass Contributor)
Solution

Hey @GI472

 

Answers are in red for you

 

  • Where is Purview pulling this data from? - Data is pulled from the Azure Service Fabric, Sharepoint, Azure Platform etc. Purview views data from an enterprise level rather than an individual service
  • Why is Defender not pulling this data down and alerting? - Defender will alert based on the Microsoft Defender products, so more security then compliance/data focused 
  • Should it be? - you can integrate Microsoft Purview Information protection into Sentinel if u want to see alerts generated within the Microsoft Security Stack. Sentinel provides you with an all eyes view of all security related alerts from the Defender Stack, Purview etc into one place
  • And how do I turn on the data stream/create alerts for this activity? - If u want to stream data and create alerts, you can use Sentinel to enable the data connector for Purview and alert, stream data etc into your sentinel workspace to look at

Hope this helps

1 best response

Accepted Solutions
best response confirmed by GI472 (Brass Contributor)
Solution

Hey @GI472

 

Answers are in red for you

 

  • Where is Purview pulling this data from? - Data is pulled from the Azure Service Fabric, Sharepoint, Azure Platform etc. Purview views data from an enterprise level rather than an individual service
  • Why is Defender not pulling this data down and alerting? - Defender will alert based on the Microsoft Defender products, so more security then compliance/data focused 
  • Should it be? - you can integrate Microsoft Purview Information protection into Sentinel if u want to see alerts generated within the Microsoft Security Stack. Sentinel provides you with an all eyes view of all security related alerts from the Defender Stack, Purview etc into one place
  • And how do I turn on the data stream/create alerts for this activity? - If u want to stream data and create alerts, you can use Sentinel to enable the data connector for Purview and alert, stream data etc into your sentinel workspace to look at

Hope this helps

View solution in original post