Forum Discussion
Connecting data from Microsoft 365 Defender to Microsoft Sentinel
I understand Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services: Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, etc.
One thing I want to clarify: is there ever a need to onboard and connect each individual related connector as well, such as Microsoft Defender for Endpoint or Microsoft Defender for Identity, etc.?
2 Replies
- Clive_Watson (Bronze Contributor)
Source: Connect Microsoft 365 Defender data to Microsoft Sentinel | Microsoft Learn
See line #1 from the note.
- natehutch (Brass Contributor)
Clive_Watson - Don't suppose you are aware of any issues with the Microsoft Defender connector in Sentinel, are you? It's worked fine for me since preview, but now I get the following error on the MDE and M365 Defender connectors.
I came across the following article, which suggests it's something to do with the classic CA policy created when Intune is connected to the Defender portal: https://www.lieben.nu/liebensraum/2020/06/aadsts50131-device-is-not-in-required-device-state-known-or-the-request-was-blocked-due-to-suspicious-activity-access-policy-or-security-policy-decisions-with-wdatp/#:~:text=If%20you%E2%80%99re%20trying%20to%20use%20the%20Windows%20Defender,see%20if%20you%E2%80%99re%20being%20blocked%20by%20conditional%20access. - I've seen another MSFT doc suggesting you should NOT delete this policy but instead you can exclude users. Any thoughts?