cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Getting Office 365 Security Events and Incidents in Sentinel

AnalystGuy
Copper Contributor

‎Aug 12 2020 04:51 PM

‎Aug 12 2020 04:51 PM

Getting Office 365 Security Events and Incidents in Sentinel

              I’ve created a custom detection in Office 365’s security portal that generated an incident, but that incident is not showing up in Azure Sentinel.  I’ve done queries in Sentinel via the following log types to no avail:

 

OfficeActivity (plenty of Office 365 activity shows up here, but not security incidents like the one in question)

SecurityAlert (Defender ATP Alerts DO show up, but not Office 365 alerts or incidents)

SecurityDetection

SecurityEvent (no data of this type at all)

 

              Where do I need to look or how do I start feeding O365 security events into Sentinel?

    If it's not yet possible, my secondary question is how can I get email notifications based on custom detections at the Office 365 Security level?  I get wonderful notifications from Defender ATP, but I followed Microsoft's breadcrumbs to creating detections in O365 but can't construct a notification policy based on them.

 

  Thanks in advance for any assistance!

 

Be safe...

2,345 Views
0 Likes
6 Replies
Reply
6 Replies
Thijs Lecomte

‎Aug 13 2020 10:41 AM

‎Aug 13 2020 10:41 AM

Re: Getting Office 365 Security Events and Incidents in Sentinel

Getting Office 365 alerts in Sentinel is not possible yet.

You can configure notifications by updating the alert policies at protection.office.com
0 Likes
Reply
AnalystGuy

‎Aug 13 2020 11:30 AM

‎Aug 13 2020 11:30 AM

Re: Getting Office 365 Security Events and Incidents in Sentinel

@Thijs Lecomte How do I configure a policy to enable alerts for custom detections?  The category and "Activity is" selectors in the alert policy wizard do not seem to provide a means to setup alerts for Office 365 custom detections.      I'm about ready to just move my custom detections back to the ATP level (if anybody knows of an automated way to do that let me know!). 

0 Likes
Reply
Thijs Lecomte

‎Aug 15 2020 07:50 AM

‎Aug 15 2020 07:50 AM

Re: Getting Office 365 Security Events and Incidents in Sentinel

Could you specify custom detections?
Not sure if I follow
0 Likes
Reply
AnalystGuy

‎Aug 25 2020 08:33 AM

‎Aug 25 2020 08:33 AM

Re: Getting Office 365 Security Events and Incidents in Sentinel

@Thijs Lecomte Say you do this:
go to security.microsoft.com/advanced-hunting

You create a query and then "Create detection rule"

Now you've got a Custom Detection; how do you set a notification policy for it?  Within the detection you can configure actions, but email notifications/alerts isn't one of them.  I ended up giving up and based on feedback I've seen from a couple of sources moved my custom detection rules from Office 365 back to ATP.  What I really wanted was to feed it all to Azure Sentinel, but the best combination of flexibility and alerting seems to be at the ATP level. 

0 Likes
Reply
Thijs Lecomte

‎Aug 26 2020 04:30 AM

‎Aug 26 2020 04:30 AM

Re: Getting Office 365 Security Events and Incidents in Sentinel

I see
Then I would advise you to connect MDATP to Sentinel (https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protectio...)

And enable the analytics rule - Create incidents based on Microsoft Defender Advanced Threat Protection alerts
0 Likes
Reply
AnalystGuy

‎Sep 11 2020 08:13 AM

‎Sep 11 2020 08:13 AM

Re: Getting Office 365 Security Events and Incidents in Sentinel

@Thijs Lecomte 

Thank you I'll investigate...

0 Likes
Reply