Can Azure Sentinel receive data from Microsoft 365 Defender from multiple organizations?

David Hsu 20 Reputation points
2023-05-16T08:49:05.3166667+00:00

Can I use Azure Sentinel to receive data from Microsoft 365 Defender from multiple organizations, or can Azure Sentinel only receive data from Microsoft 365 Defender within its own organization?

I want to use Azure Sentinel to receive Microsoft 365 Defender data from multiple organizations; can this be done? Or can Azure Sentinel only receive Microsoft 365 Defender data from its own organization?

Microsoft Sentinel
A scalable, cloud-native solution for security information and event management (SIEM) and security orchestration, automation and response (SOAR). Previously known as Azure Sentinel.

Accepted answer
  1. David Broggy 5,681 Reputation points MVP
    2023-05-16T12:36:40.03+00:00

    Hi David,

    If by organizations you mean Azure tenants, then you will need to use Azure Lighthouse.

    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-azure-lighthouse-and-azure-sentinel-to-investigate-attacks/ba-p/1043899

    https://www.youtube.com/watch?v=IrqkHOPFktM&ab_channel=JohnSavill%27sTechnicalTraining

    If you're dealing with multiple log analytics workspaces within a single tenant AND multiple tenants, look at Workspace Manager - this is new for 2023.

    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/rsac-2023-microsoft-sentinel-empowering-the-soc-with-next-gen/ba-p/3803613

    1 person found this answer helpful.

1 additional answer

  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2023-05-16T20:43:28.93+00:00

    Each M365D environment can be linked to one AAD tenant. The Sentinel connector integrates the M365D in the same tenant. So you can only connect to one M365D from the Sentinel connector. This includes 2-way integration, retaining the alert grouping, with a link back to the M365D portal, and the E5 discount.

    MDE does support SIEM integration. You could use the 3rd party SIEM methods to bring M365D tables or alerts into Sentinel. Though you wouldn't have all of the functionality of the native connector.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-siem?

    1 person found this answer helpful.
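The "3rd party SIEM" route from the answer above, as an added example that is not part of the original thread or of any Microsoft sample: an app registration in the second tenant (granted the Defender for Endpoint `Alert.Read.All` application permission) pulls alerts from the MDE alerts API with a client-credentials token, the rows are tagged with their source tenant, and they are written into the home tenant's Log Analytics workspace through the HTTP Data Collector API (shared-key HMAC-SHA256 signature). All tenant, app and workspace identifiers, the shared key and the sample alert are constructed placeholders; `ExternalMDEAlerts` is an assumed custom log name.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions, not values from the original page).
SOURCE_TENANT_ID = "00000000-0000-0000-0000-000000000000"   # the other organization's AAD tenant
SOURCE_APP_ID = "11111111-1111-1111-1111-111111111111"      # app registration with Alert.Read.All
SOURCE_APP_SECRET = "replace-me"
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"   # Defender for Endpoint API audience

HOME_WORKSPACE_ID = "22222222-2222-2222-2222-222222222222"  # home tenant's Sentinel workspace
HOME_WORKSPACE_KEY = base64.b64encode(b"constructed-shared-key-32-bytes!").decode()  # constructed
CUSTOM_LOG_TYPE = "ExternalMDEAlerts"  # assumed name; lands as ExternalMDEAlerts_CL

# Constructed sample alert in the shape the MDE alerts API returns (trimmed to the fields used).
SAMPLE_ALERT = {
    "id": "da637123456789012345_1234567890",
    "title": "Suspicious PowerShell command line",
    "severity": "High",
    "category": "Execution",
    "computerDnsName": "ws01.contoso.example",
    "alertCreationTime": "2023-05-16T08:49:05.3166667Z",
    "status": "New",
}


def get_mde_token(tenant_id, app_id, app_secret):
    """Client-credentials OAuth token for the MDE API, issued by the source tenant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "resource": MDE_RESOURCE,
    }).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_mde_alerts(token, since_iso):
    """Pull alerts created after since_iso from the source tenant's MDE alerts API."""
    filt = urllib.parse.quote(f"alertCreationTime gt {since_iso}")
    req = urllib.request.Request(f"{MDE_RESOURCE}/api/alerts?$filter={filt}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def normalize_alert(alert, source_tenant_id):
    """Keep the fields a SOC needs and stamp each row with its tenant of origin,
    so alerts from several organizations stay distinguishable in one custom table."""
    return {
        "SourceTenantId": source_tenant_id,
        "AlertId": alert["id"],
        "Title": alert.get("title"),
        "Severity": alert.get("severity"),
        "Category": alert.get("category"),
        "DeviceName": alert.get("computerDnsName"),
        "AlertCreationTime": alert.get("alertCreationTime"),
        "Status": alert.get("status"),
    }


def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Authorization header for the Log Analytics HTTP Data Collector API:
    HMAC-SHA256 over the canonical request string, keyed with the base64-decoded workspace key."""
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def post_to_workspace(workspace_id, shared_key, log_type, rows):
    """Send normalized rows to the home workspace as a custom log (HTTP 200 on success)."""
    body = json.dumps(rows).encode("utf-8")
    rfc1123_date = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def run_offline_demo():
    """Normalization only, using the constructed sample alert (no network access)."""
    return [normalize_alert(SAMPLE_ALERT, SOURCE_TENANT_ID)]


if __name__ == "__main__":
    # Live flow: token from tenant B, alerts from B's MDE, rows into tenant A's workspace.
    token = get_mde_token(SOURCE_TENANT_ID, SOURCE_APP_ID, SOURCE_APP_SECRET)
    rows = [normalize_alert(a, SOURCE_TENANT_ID) for a in fetch_mde_alerts(token, "2023-05-15T00:00:00Z")]
    print(post_to_workspace(HOME_WORKSPACE_ID, HOME_WORKSPACE_KEY, CUSTOM_LOG_TYPE, rows))
```

The rows arrive in a custom table, not in `SecurityAlert`, so none of the native connector's behaviour applies: no incidents are created, no alert grouping is preserved and there is no link back to the M365D portal, which is the trade-off the answer describes. The HTTP Data Collector API is the older ingestion path; the DCR-based Logs Ingestion API is its successor and needs a different authentication flow. Keep the client secret out of the script (Key Vault or a managed identity on the host running it) and scope the app registration to `Alert.Read.All` only.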