Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Getting Office 365 Security Events and Incidents in Sentinel

Copper Contributor

              I’ve created a custom detection in Office 365’s security portal that generated an incident, but that incident is not showing up in Azure Sentinel.  I’ve done queries in Sentinel via the following log types to no avail:


OfficeActivity (plenty of Office 365 activity shows up here, but not security incidents like the one in question)

SecurityAlert (Defender ATP Alerts DO show up, but not Office 365 alerts or incidents)


SecurityEvent (no data of this type at all)


              Where do I need to look or how do I start feeding O365 security events into Sentinel?

    If it's not yet possible, my secondary question is how can I get email notifications based on custom detections at the Office 365 Security level?  I get wonderful notifications from Defender ATP, but I followed Microsoft's breadcrumbs to creating detections in O365 but can't construct a notification policy based on them.


  Thanks in advance for any assistance!


Be safe...

6 Replies
Getting Office 365 alerts in Sentinel is not possible yet.

You can configure notifications by updating the alert policies at

@Thijs Lecomte How do I configure a policy to enable alerts for custom detections?  The category and "Activity is" selectors in the alert policy wizard do not seem to provide a means to setup alerts for Office 365 custom detections.      I'm about ready to just move my custom detections back to the ATP level (if anybody knows of an automated way to do that let me know!). 

Could you specify custom detections?
Not sure if I follow

@Thijs Lecomte Say you do this:
go to

You create a query and then "Create detection rule"

Now you've got a Custom Detection; how do you set a notification policy for it?  Within the detection you can configure actions, but email notifications/alerts isn't one of them.  I ended up giving up and based on feedback I've seen from a couple of sources moved my custom detection rules from Office 365 back to ATP.  What I really wanted was to feed it all to Azure Sentinel, but the best combination of flexibility and alerting seems to be at the ATP level. 

I see
Then I would advise you to connect MDATP to Sentinel (

And enable the analytics rule - Create incidents based on Microsoft Defender Advanced Threat Protection alerts

@Thijs Lecomte 

Thank you I'll investigate...