Wednesday, May 11, 2022

What’s new: Closer integration between Microsoft Sentinel and Microsoft 365 Defender

Over a year ago, we first announced the integration between Microsoft Sentinel and Microsoft 365 Defender as part of the Microsoft SIEM and XDR story. It combines the breadth of a SIEM with the depth of XDR to give security professionals the integrated toolset they need to fight attacks that take advantage of today’s diverse, distributed, and complex environments.


Today, we are happy to share several new preview updates: 


  • New support for six Microsoft 365 Defender ‘Advanced Hunting’ data tables (details about each table below).
  • Bi-directional incident integration is available in Azure Government clouds.
  • Microsoft Defender for Office 365 (MDO) alerts are now included in Microsoft 365 Defender incidents and are available in Microsoft Sentinel.


Microsoft 365 Defender correlates raw events from all its security components, combining signal and alert data into holistic incidents across endpoints, data, email, identities, applications and IoT. This data lets you proactively investigate events in your network to identify threat indicators and entities, and respond to incidents in their entirety from a single portal.


Flexible access to data in Microsoft Sentinel enables unconstrained hunting for both known and potential threats, combining Microsoft 365 data with Azure and third-party data sources. Microsoft Sentinel ingests these logs seamlessly from Microsoft 365 Defender and presents all tables as is, with a default retention period of 90 days (which can be extended). Customers can discover new and interesting ways to leverage this data with analytics tools available in our new unified SIEM+XDR GitHub community.



Support for new hunting pages 


Microsoft Defender for Cloud Apps (MDA) and Data Loss Prevention (DLP)

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates across clouds. It provides rich visibility, policy-based control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services, including DLP data. 


Table Name: CloudAppEvents



The CloudAppEvents table in the advanced hunting schema contains information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps. 



Microsoft Defender for Identity (MDI) 

Microsoft Defender for Identity uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.  


Table Names: IdentityInfo, IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents



The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Azure Active Directory. 


The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps. 


The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains. 


The IdentityDirectoryEvents table in the advanced hunting schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity. 



Alert Evidence 

The AlertEvidence table in the advanced hunting schema contains information about various entities - files, IP addresses, URLs, users, or devices - associated with alerts from Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.






Looking Forward  

We are continuously improving this integration by adding more supported data types from Microsoft 365 Defender, such as Threat Vulnerability Management (TVM) data, and additional alert sources, such as DLP alerts and Azure Active Directory Identity Protection (AADIP) alerts, as part of Microsoft 365 Defender incidents. 



Further reading 

  • Documentation about how to connect Microsoft 365 Defender incidents and raw data to Microsoft Sentinel.  
  • Documentation for Microsoft 365 Defender.  
  • Documentation for all Microsoft 365 Defender raw data schemas.  