Microsoft Purview Audit Log - Send Microsoft Defender XDR activities to Sentinel

Tabea-6461 0 Reputation points
2024-09-10T06:17:20.61+00:00

Hello everyone!

I would like to forward the Microsoft Defender XDR activities and Microsoft Defender for Identity activities (https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-defender-for-identity-activities) from the Microsoft Purview Audit Log to Microsoft Sentinel. The activities are present in the Microsoft Purview Audit Log.

What is the best way to do this?

The data connector "Microsoft Purview Information Protection" does not collect these activities. I also can't find these logs in the OfficeActivity data table.

Many thanks in advance! :)

Microsoft Security | Microsoft Purview

1 answer

  1. Smaran Thoomu 24,750 Reputation points Microsoft External Staff Moderator
    2024-09-10T21:45:30.0566667+00:00

    Hi @Tabea-6461

    Thanks for reaching out to Microsoft Q&A.
    To integrate Microsoft Purview Audit Log with Azure Sentinel for Microsoft Defender XDR activities, you can follow these steps:

    Firstly, please note that the Microsoft Purview Audit Log does not currently support direct integration with Azure Sentinel. However, you can use the Azure Sentinel connector for Microsoft Defender to forward the activities to Azure Sentinel.

    This means that you can leverage the Azure Sentinel connector for Microsoft Defender to forward the Microsoft Defender XDR activities and Microsoft Defender for Identity activities from the Microsoft Purview Audit Log to Azure Sentinel.

    I hope this helps. Please let me know if you have any questions.

    1 person found this answer helpful.
