Blog Post

Microsoft Sentinel Blog
3 MIN READ

What’s new: Microsoft 365 Defender connector now in Public Preview for Microsoft Sentinel

Sarah_Young's avatar
Sarah_Young
Icon for Microsoft rankMicrosoft
Nov 09, 2020

This installment is part of a broader series to keep you up to date with the latest features in Microsoft Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

NOTE: Microsoft 365 Defender was formerly known as Microsoft Threat Protection or MTP. Microsoft Defender for Endpoint was formerly known as Microsoft Defender Advanced Threat Protection or MDATP.

 

We’re very pleased to announce that the public preview of the new Microsoft 365 Defender connector is now available, alongside a new Microsoft Sentinel benefit for Microsoft 365 E5 customers! The M365 Defender connector lets you stream advanced hunting logs - a type of raw event data - from Microsoft 365 Defender into Microsoft Sentinel. Click here to look at Microsoft documentation page on this connector.

 

With the integration of Microsoft Defender for Endpoint (MDATP) into the Microsoft 365 Defender security umbrella, you can now collect your Microsoft Defender for Endpoint advanced hunting events using the Microsoft 365 Defender connector, and stream them straight into new purpose-built tables in your Microsoft Sentinel workspace. These tables are built on the same schema that is used in the Microsoft 365 Defender portal, giving you complete access to the full set of advanced hunting logs, and allowing you to do the following:

 

  • Easily copy your existing Microsoft Defender ATP advanced hunting queries into Microsoft Sentinel.
  • Use the raw event logs to provide additional insights for your alerts, hunting, and investigation, and correlate events with data from additional data sources in Microsoft Sentinel.
  • Store the logs with increased retention, beyond Microsoft Defender for Endpoint or Microsoft 365 Defender’s default retention of 30 days. You can do so by configuring the retention of your workspace or by configuring per-table retention in Log Analytics.

 

How to enable the Microsoft 365 Defender connector in Microsoft Sentinel

 

Prerequisites

  • You must have a valid license for Microsoft Defender for Endpoint, as described in Set up Microsoft Defender for Endpoint deployment.
  • Your user must be assigned the Global Administrator role on the tenant (in Azure Active Directory).

 

  1. From the Microsoft Sentinel navigation menu, select Data connectors.
  2. Select Microsoft 365 Defender from the data connectors gallery, and then select Open Connector Page on the preview pane.
  3. On the Microsoft 365 Defender connector page, under Connect events and Microsoft Defender for Endpoint tick the boxes for the types of logs you would like to be sent to Azure Sentinel and select Apply Changes.

 

And that’s it! You will now have Microsoft Defender for Endpoint logs connected to your Sentinel workspace.

 

 

A new Microsoft Sentinel benefit for Microsoft 365 E5 customers

 

With this new offer, you can take advantage of end-to-end integrated security and save significant costs when ingesting Microsoft 365 data into Microsoft Sentinel. From November 1, 2020 through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can receive a data grant of up to 100 MB per user/month to ingest Microsoft 365 data, including Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs) described in this blog. For more details, please visit the M365 E5 Sentinel benefit website.

 

 

Get started today!

 

Try out the new connector and let us know your feedback using any of the channels listed in the Resources.

 

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Microsoft Sentinel Threat Hunters GitHub community!

Updated Nov 03, 2021
Version 4.0
detection
Hunting
investigation
microsoft sentinel
security
  • SimonTTUK's avatar
    SimonTTUK
    Brass Contributor
    Mar 04, 2022

    Is there anyway to enable this connector with code? Are there any plans to support enabling/managing this connector as code?

    As an MSP we want an efficient way enable this for customers and query whether it is enabled.

  • Sarah_Young's avatar
    Sarah_Young
    Icon for Microsoft rankMicrosoft
    Mar 11, 2021

    Hi RamonMunoz 

     

    You are correct: incidents (including alerts and entities) are imported for free through the M365D connector, you only pay for log ingestion if you chose enable those logs being ingested.

  • RamonMunoz's avatar
    RamonMunoz
    Copper Contributor
    Mar 10, 2021

    Hi, I am also worried about the cost of the data ingestion.

    As far as I understand you can enable the connector but let the different log sources disabled

    DeviceInfo - Machine information (including OS information)
    DeviceNetworkInfo - Network properties of machines
    DeviceProcessEvents - Process creation and related events
    DeviceNetworkEvents - Network connection and related events
    DeviceFileEvents - File creation, modification, and other file system events
    DeviceRegistryEvents - Creation and modification of registry entries
    DeviceLogonEvents - Sign-ins and other authentication events
    DeviceImageLoadEvents - DLL loading events
    DeviceEvents - Additional events types
    DeviceFileCertificateInfo - Certificate information of signed files

    This should give you the Alert grouping and incident sync but will not add additional costs  
    (If i am wrong please correct me)
    The pricing is confusing and adding things like "temporal offers" with discounts for X months, do not help.

     
     
  • Sarah_Young's avatar
    Sarah_Young
    Icon for Microsoft rankMicrosoft
    Jan 21, 2021

    Lance_Peterson the process for disconnecting should be the same as any other Sentinel connector in the UI - unselect the log types and then hit "Apply Changes". If this button is greyed out this means you don't have permissions to add/remove connectors on the account you're using. 

     

    If this doesn't help, I suggest you raise a support ticket so they can look into why you can't remove the connector.                 

  • Lance_Peterson's avatar
    Lance_Peterson
    Copper Contributor
    Jan 20, 2021

    Once activated we are unable to deactivate the connector GUI or URI.  The connector is is not available through URI commands so we can not disable it that way either.

     

    What is the process for disconnecting this?

     

    Thanks!

  • KerimTupkovic's avatar
    KerimTupkovic
    Copper Contributor
    Jan 12, 2021

    Hi CraigK_ ,
    You could also achieve this with a KQL query. For example, you could collect all Informationals and close them all in once with KQL query. Is this what you were asking? or did I get it wrong.

     

    Also I don't know where you are located but there is an Sentinel update coming where you will be able to filter all alerts per severity (informationals, low, medium so on). I am currently stated in the Netherlands and for us it's not available jet. In USA it is I think. Please let me know if Sara or me were able to solve your question.

     

    Best regards,

    Kerim Tupkovic

  • CraigK_'s avatar
    CraigK_
    Copper Contributor
    Jan 08, 2021

    Hello Sarah_Young and KerimTupkovic,

    Can you share if there is any plan for a feature to clear/delete data such as logs, incidents, and alerts through the connector? This would be quite valuable for R&D, testing and training environments. Thanks.