Connect your Microsoft 365 Defender data to Microsoft Sentinel (2023)

  • article

microsoft guardianMicrosoft 365 AdvocateConnectors with event integration capabilities allow you to stream all events and alerts from Microsoft 365 Defender to Microsoft Sentinel and synchronize events between the two portals. Microsoft 365 Defender events include all alerts, entities, and other related information grouped together and enriched with alerts from Microsoft 365 Defender component services.Microsoft Defender Endpoint,Microsoft Defender Identity,Microsoft Defender para Office 365, IMicrosoft Defender for cloud applications, as well as alerts from other services such asMicrosoft Rights Data Loss Prevention (DLP)IAzure Active Directory Identity Protection (AADIP)

The connector also allows streamingadvanced huntingevent ofAllCopying older Defender components to Microsoft Sentinel allows you to copy advanced indexing queries for these Defender components to Microsoft Sentinel, enrich Sentinel alerts with raw event data from Defender components to provide more information, and store logs in Log Analytics and improve retention rates.

For more information about event integration and advanced hunting event collection, seeMicrosoft 365 Defender integrates with Microsoft Sentinel

The Microsoft 365 Defender Connector is now generally available.


For information on the availability of US government cloud capabilities, see the Microsoft Sentinel table:Cloud features available for US government customers


Prerequisites for Active Directory Synchronization via MDI

  • Your tenant must join Microsoft Defender for Identity.

  • An MDI sensor must be installed.

Connect to Microsoft 365 Defender

In Microsoft Sentinel, selectdata connector, chooseMicrosoft 365 AdvocateSelect from galleryOpen connector page

DiezSettingThe section is divided into three parts:

  1. Connect events and alertsSupports basic integration between Microsoft 365 Defender and Microsoft Sentinel to synchronize events and alerts between both platforms.

  2. Connect entitiesEnables the integration of local Active Directory user identities with Microsoft Sentinel through Microsoft Defender for Identity.

  3. connection eventsAllows you to collect raw, advanced hunting events from Defender components.

These are explained in more detail below. LookMicrosoft 365 Defender integrates with Microsoft Sentinelfor more information.

Connect events and alerts

To ingest and sync Microsoft 365 Defender events and all your alerts to the Microsoft Sentinel event queue:

  1. Check the box markedDisable all Microsoft event creation rules for these products. respectableto avoid repeated incidents.
    (When you connect the Microsoft 365 Defender connector, this check box will not appear.)

  2. chooseConnect events and alertsbutton.


When you enable Microsoft 365 Defender connectors, all Microsoft 365 Defender component connectors (the connectors listed at the beginning of this article) automatically connect in the background. To disconnect one of the component connectors, you must first disconnect the Microsoft 365 Defender connector.

To query event data from Microsoft 365 Defender, use the following statement in the query window:

Security incident | Where Provider Name == "Microsoft 365 Defender"

Connect entities

Use Microsoft Defender for Identity to synchronize user entities from on-premises Active Directory with Microsoft Sentinel.

Confirm that you are satisfiedpreconditionsUsed to synchronize local Active Directory users with Microsoft Defender for Identity (MDI).

  1. chooseGo to the UEBA configuration pageassociation.

  2. insideConfiguration of the individual's, if you have not already enabled UEBA, at the top of the page, slide the toggle button toexist

  3. classificationActive Directory (preview)check box and selectTo use

    Connect your Microsoft 365 Defender data to Microsoft Sentinel (1)

connection events

If you want to collect advanced search events from Microsoft Defender for Endpoint or Microsoft Defender for Office 365, you can collect the following types of events from their corresponding advanced search tables.

  1. In the table, select the check boxes next to the types of events you want to collect:

    • defender of the final point
    • Office 365 defender
    • identity defender
    • Cloud Application Guardian
    • defender alert
    Table nametype of activity
    Device InformationInformation about your computer, including information about your operating system
    Device network informationThe device's network properties, including physical cards, IP and MAC addresses, and connected networks and domains.
    device process eventsCreate processes and events related to them.
    Device Network EventsNetwork connections and related events.
    device file eventsCreation, modification and other events related to the file system.
    Device Registration EventCreate and modify registry keys
    Device login eventSign-ins and other authentication events on the device
    Device image load eventDLL load event
    device eventsMultiple event types, including those triggered by security mechanisms such as Windows Defender Antivirus and Vulnerability Protection
    Device file certificate informationCertificate information for the signed file obtained from the certificate verification event on the endpoint
  2. ClickMake changes

  3. To query an advanced lookup table in Log Analytics, enter the table name from the list above in the query window.

Check your data acquisition

The data graph on the connector page shows that it is downloading data. You will notice that it displays a row for events, alerts, and events, and that the events row is an aggregation of the event volume from all enabled tables. Once you enable the connector, you can use the KQL query below to generate more detailed charts.

Use the following KQL query to get a graph of incoming Microsoft 365 Defender events:

let's go now = now(); (time range from (14d) ago to Now-1d, step 1d | expand count = 0 | union isfuzzy=true ( SecurityIncident | where ProviderName == "Microsoft 365 Defender" | summarize Count = count() by bin_at(TimeGenerated, 1d , Now) ) | Sum by bin_at(TimeGenerated, 1d, Now) Count=max(Count) | Sort by TimeGenerate | Item value = iff(isnull(Count), 0, Count), Time = TimeGenerate, Legend = " Events" ) |Render Scheduling

Use the following KQL query to generate an event volume graph for a single table (changedevice eventstable for the table of your choice):

let Now = now();(TimeGenerate range from Aug(14d) to Now-1d Step 1d | Expand count = 0 | union isfuzzy=true (DeviceEvents | summarize Count = count() by bin_at(TimeGenerate, 1d, Now)) | Sum Count=max(Count) by bin_at(TimeGenerate, 1d, Now) | Sort by TimeGenerate | Item value = iff(isnull(Count), 0, Count), Time = TimeGenerate, Legend = "Events") | Surface render time

insidenext stepYou'll find useful workbooks, sample queries, and analysis rule templates included. You can run them in place or modify and save them.

next step

In this document, you learn how to use the Microsoft 365 Defender connector to integrate Microsoft 365 Defender events and advanced search event data from Microsoft Defender Component Services with Microsoft Sentinel. For more information about Microsoft Sentinel, see the following articles:


How do I connect Microsoft Defender to Sentinel? ›

Add the Microsoft 365 Defender Connector

Login to the Azure Portal and navigate to Microsoft Sentinel > Pick the relevant workspace to integrate with Microsoft 365 Defender.

How do I connect data connectors to Sentinel? ›

Enable a data connector

From the Data connectors page, select the active or custom connector you want to connect, and then select Open connector page. If you don't see the data connector you want, install the solution associated with it from the Content Hub.

How do I activate Microsoft 365 defender? ›

Activate in Microsoft 365 Defender settings
  1. Sign in to the Microsoft 365 Defender portal.
  2. In the navigation pane, select Settings.
  3. Select Microsoft 365 Defender.
  4. Select Permissions and roles. ...
  5. Select the toggle for the workload you want to activate.
  6. Select Activate on the confirmation message.
Aug 7, 2023

What is the difference between Sentinel and Defender 365? ›

Microsoft 365 Defender is ideal for organizations that rely heavily on Microsoft 365 services and want to protect their system against future threats. Microsoft Sentinel works best for organizations that need a comprehensive security solution to react effectively in response to a security breach.

Does SentinelOne work with Windows Defender? ›

SentinelOne will seamlessly feed all threats and detections from Mac and Linux endpoints into the Windows Defender ATP console, enabling security teams to see and remediate threats across Windows, Mac, and Linux platforms.

How do I connect my defender to Intune? ›

Configure Microsoft Defender for Endpoint in Intune
  1. Select Settings > Endpoints > Advanced features > enable Microsoft Intune connection.
  2. Select Endpoint security > Microsoft Defender for Endpoint > Confirm connection status: Available.
Feb 24, 2023

What is defender for cloud data connector sentinel? ›

This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents.

What is Microsoft Sentinel? ›

What is Microsoft Sentinel, and how does it work? Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise—fast.

How does a data connector work? ›

Data connectors are software components that automatically extract data, sometimes periodically, from one or more upstream data sources and land that data in another database. Data connectors are common in most business intelligence, analytics and data science applications and frameworks.

Do I need Microsoft 365 defender? ›

Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time.

How does Microsoft 365 defender work? ›

The Microsoft 365 Defender portal helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for: Incidents & alerts. Hunting.

What license do I need for Microsoft Defender for Office 365? ›

Licensing requirements

Any of these licenses gives you access to Microsoft 365 Defender features via the Microsoft 365 Defender portal without additional cost: Microsoft 365 E5 or A5. Microsoft 365 E3 with the Microsoft 365 E5 Security add-on. Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on.

Does SentinelOne disable defender? ›

Use this command to disable Windows Security Center (WSC). It is not recommended to disable WSC. By default, the SentinelOne Windows Agent registers with WSC as anti-virus protection and Windows Defender is disabled.

Why would you use Microsoft Sentinel? ›

Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on premises or in any cloud, letting you reason over millions of records in a few seconds. It includes built-in connectors for easy onboarding of popular security solutions.

Is Microsoft 365 defender the same as Microsoft Defender? ›

While Microsoft Defender for Office 365 and Microsoft Defender for Endpoint provide distinct functionalities, it is recommended to use both security solutions to protect vital business data from malicious emails as well as from ever-increasing cybersecurity attacks to ensure complete data integrity.

How do I onboard a device to Microsoft Defender for Endpoint? ›

Go to the Microsoft 365 Defender portal (, and sign in.
  1. In the navigation pane, choose Settings > Endpoints, and then under Device management, choose Onboarding.
  2. Select Windows 10 and 11, and then, in the Deployment method section, choose Local script.
  3. Select Download onboarding package.
Aug 8, 2023

How to connect to Windows Defender? ›

To turn on Microsoft Defender Antivirus in Windows Security, go to Start > Settings > Update & Security > Windows Security > Virus & threat protection. Then, select Manage settings (or Virus & threat protection settings in early versions of Windows 10} and switch Real-time protection to On.

How do I sync Microsoft Defender for endpoint? ›

To enable Defender for Endpoint integration with Defender for Cloud Apps:
  1. In Microsoft 365 Defender, from the navigation pane, select Settings.
  2. Select Endpoints.
  3. Under General, select Advanced features.
  4. Toggle the Microsoft Defender for Cloud Apps to On.
  5. Select Apply.
Jun 18, 2023


Top Articles
Latest Posts
Article information

Author: Pres. Lawanda Wiegand

Last Updated: 21/09/2023

Views: 5761

Rating: 4 / 5 (51 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Pres. Lawanda Wiegand

Birthday: 1993-01-10

Address: Suite 391 6963 Ullrich Shore, Bellefort, WI 01350-7893

Phone: +6806610432415

Job: Dynamic Manufacturing Assistant

Hobby: amateur radio, Taekwondo, Wood carving, Parkour, Skateboarding, Running, Rafting

Introduction: My name is Pres. Lawanda Wiegand, I am a inquisitive, helpful, glamorous, cheerful, open, clever, innocent person who loves writing and wants to share my knowledge and understanding with you.