Microsoft Purview Audit Log - Send Microsoft Defender XDR activities to Sentinel

Question

Microsoft Purview Audit Log - Send Microsoft Defender XDR activities to Sentinel

Tabea-6461 0

Hello everyone!

I would like to forward the Microsoft Defender XDR activities and Microsoft Defender for Identity activities (https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-defender-for-identity-activities)

from the Microsoft Purview Audit Log to Microsoft Sentinel. The activities are present in the Microsoft Purview Audit Log.

What is the best way to do this?

The data connector "Microsoft Purview Information Protection" does not collect these activities. I also can't find these logs in the OfficeActivity data table.

Many thanks in advance! :)

Smaran Thoomu 24,750 Reputation points Microsoft External Staff Moderator

2024-09-11T16:14:09.7066667+00:00

@Tabea-6461 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Smaran Thoomu 24,750 Reputation points Microsoft External Staff Moderator

2024-09-13T16:57:27.23+00:00

@Tabea-6461 Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Smaran Thoomu 24,750 Reputation points Microsoft External Staff Moderator

2024-09-11T16:14:09.7066667+00:00

@Tabea-6461 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Smaran Thoomu 24,750 Reputation points Microsoft External Staff Moderator

2024-09-13T16:57:27.23+00:00

@Tabea-6461 Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Smaran Thoomu 24,750 Microsoft External Staff Moderator

Hi @Tabea-6461

Thanks for reaching out to Microsoft Q&A.
To integrate Microsoft Purview Audit Log with Azure Sentinel for Microsoft Defender XDR activities, you can follow these steps:

Firstly, please note that the Microsoft Purview Audit Log does not currently support direct integration with Azure Sentinel. However, you can use the Azure Sentinel connector for Microsoft Defender to forward the activities to Azure Sentinel.

This means that you can leverage the Azure Sentinel connector for Microsoft Defender to forward the Microsoft Defender XDR activities and Microsoft Defender for Identity activities from the Microsoft Purview Audit Log to Azure Sentinel.

I hope this helps. Please let me know if you have any questions.

Tabea-6461 0 Reputation points

2024-09-12T06:16:53.8233333+00:00

Hi. Thanks for your answer. I was able to find the logs I was looking for under the data table: CloudAppEvents from the Defender XDR Connector.
Smaran Thoomu 24,750 Reputation points Microsoft External Staff Moderator

2024-09-12T06:27:48.84+00:00

@Tabea-6461 Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Microsoft Purview Audit Log - Send Microsoft Defender XDR activities to Sentinel

1 answer

Your answer