SOLVED

365 Defender integration with Azure Sentinel not working

Occasional Contributor

Hello folks,

I have enabled the 'Defender for Office 365' connector for my Sentinel, but it's been more than 15 days and it has not ingested any data at all.

Can someone tell me what the issue is?

[screenshot attached: Yash_Mudaliar_0-1617365996591.png]

10 Replies
Hello Yash,

Have you checked to see if you have any alerts in protection.office.com? The connector only receives a log entry for an actual alert.

Also - Prerequisites
To integrate with Microsoft Defender for Office 365 (Preview) make sure you have:
Workspace: read and write permissions are required.

Tenant Permissions: required 'Global Administrator' or 'Security Administrator' on the workspace's tenant.

License: required Microsoft Defender for Office 365 Plan 2 (included with the Office 365 E5, Office 365 A5, and Microsoft 365 E5 licenses, and available for purchase separately)

Thank You
Jon Bub
Arbala Security
Hello Jon,

Yes, that's how I got to know that the connector is not working. I have alerts getting generated daily in the S&C center, but most of them are missing in Sentinel. In fact, there is not even a single event or log generated, which is bothering me the most.
Also, I have checked the prerequisites and they are already in place.
Hi Jon,

Would stand-alone Defender licenses suffice per endpoint?
Thanks.
BF
best response confirmed by Yash_Mudaliar (Occasional Contributor)
Solution
Got this sorted via an MSP ticket. It seems it only ingests some specific alert categories from Office 365 and not all.
Hi Yash,
Can you answer my question?
Hey @Yash

Would it be possible to share the list of specific alert categories which get ingested, and is there an option to ingest other alerts?

Kishore
Sorry mate, I couldn't understand your question. Can you please elaborate?
Sure Kishore, below is the page that specifies the list of alerts:

https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365-advanced-threat-protection

Regarding ingesting other alerts, the only way I have found is to define a logic app and specify the alert vendor as 'Office 365 Security and Compliance', and it works.
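Two points in this thread are worth checking with a query rather than by eye: the connector only writes a row when an actual alert fires (Jon's reply), and it only forwards certain alert categories (the accepted answer). The KQL below is an added example for the Sentinel Logs blade, not code from the thread or from Microsoft's connector documentation. It assumes the Defender for Office 365 connector lands its rows in the SecurityAlert table with ProviderName "OATP"; the first query lists the provider names actually present so that assumption can be verified in your own workspace before relying on the second.

```kql
// Added example (not from the original thread). Step 1: discover which providers
// have written to SecurityAlert recently. If Defender for Office 365 is ingesting,
// its provider should appear here; if the table is empty for the period, the
// connector has delivered nothing, which matches the symptom in the question.
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize AlertCount = count(), LastSeen = max(TimeGenerated) by ProviderName, ProductName
| order by LastSeen desc

// Step 2: break down what the Defender for Office 365 connector did forward.
// ASSUMPTION: the provider name is "OATP"; substitute the value seen in step 1.
// Comparing AlertName values here against the alerts shown in the Security &
// Compliance center reveals which categories the connector does not carry over.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "OATP"
| summarize AlertCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by AlertName, AlertSeverity
| order by AlertCount desc
```

Run the first query before the second: a workspace where Defender for Office 365 alerts do arrive under a different ProviderName would otherwise look identical to one where the connector is broken.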
If I use the license:

Microsoft Defender Advanced Threat Protection

per endpoint, will this work to ingest telemetry data into Sentinel?
Or will I need to use this tool AND the Microsoft agent/log collector?

--

What do I need to send to CUSTOMER A to install on their endpoint?