Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Office365 S&C Alerts available in Sentinel?

Brass Contributor

Hey all,


we're trying to use our Sentinel to centralize alerts from all different E5 security solutions (wdatp, mcas, o365atp ..) 

Are O365 Alerts available in sentinel? Or are only the base O365 events available via the "officeactivity" ?
For example: "Potentially unsafe URL click was detected

Thanks, Maarten.

15 Replies

Hello Maarten,

I would suggest to follow the following steps:


  1. Connect data from Azure Active Directory
  2. Connect data from Office 365 Logs
  3. Connect data from Azure Activity log
  4. Connect data from Azure AD Identity Protection (If deployed too)
  5. Connect alerts from Microsoft Defender Advanced Threat Protection
  6. Connect data from Azure Security Center

Once that is done, Azure Sentinel will be able to get all the data that you listed above.
Then, I would suggest you to go the the "Analytics" blade (Azure Sentinel > Configuration > Analytics) and make sure that the Fusion rule is enabled as you have both Office 365 and MCAS and Fusion is a very advanced engine that correlate incidents from both Office 365 and MCAS to find incidents that are high fidelity, and high severity.


Then I would suggest to go to the Rule Templates and select and create the "Microsoft Security" rules, you should find what you are looking for.


(below on the right you can click on "Create"

Kind Regards,

The URL events are informational, and don't come over to Sentinel.



best response confirmed by mclaes (Brass Contributor)



If i'm not mistaken Office Security & Compliance Center Alerts Connector is currently in private preview.


Alternatively, you could ingest these alerts via Graph Security API



hey all, thanks for the quick replies! We do have all connectors live for the security solutions and have the MCAS/WDATP/ASC/IdentityProtection Analytics rules enabled.

The question was indeed about O365 alerts (not the events/logs) feeding in to Sentinel. I'll give the Graph API way a shot for now! We want to be on top of 'clicked-on-phishing-link' alerts as they present a significant risk to our org so having these alerts in Sentinel would be really helpful

Cheers, Maarten.


Having the same issue, were you able to integrate the alerts into Sentinel?

Hi @CurlX2305, a private preview for O365 SCC alerts is about to start. Join our Private Previews program to particiapte. 

@Ofer_Shezaf Do you know the name of the preview? Is it the "MDATP Alert Integration Improvements" private preview?

@CurlX : No. Not sure what the official name is but it would be Office ATP and not MDATP.

@Ofer_Shezaf thanks for your reply. Then it might not be an active private preview yet as I dont see it in the preview list I received today...



@CurlX : I believe the name is "Office 365 Alerts Connector". The latest private preview bulletin is a few weeks old and marks this preview as closed, but it was opened since. 



has this changed?


The default "A potentially malicious URL click was detected" alert policy in my demo tenant has these alerts as high severity and as it's a default policy the severity cannot be altered so it appears to be high by default now.


The following defaults are all still informational though:


  • Email messages containing malware removed after delivery
  • mail messages containing phish URLs removed after delivery
  • Email reported by user as malware or phish

Would be nice if the severity of these could be altered.



@PJR_CDF , @Ofer_Shezaf  - Is it this one? - "Office 365 Advanced Threat Protection (Preview)"

Is the connector still in private preview?



Update 03/22, this event "Potentially unsafe URL click was detected" can be found under connectors:

  • Microsoft 365 Defender
  • Microsoft Defender for Office 365

SecurityAlert table in sentinel