Manage security alerts in M365 Security Center or Sentinel or separately?

Luizao_f 1 Reputation point
2020-09-15T19:59:12.027+00:00

I am having some questions and would like to receive opinions that can contribute.

I have the solutions in my environment and I'm in doubt about how to centralize everything.

I have Azure Sentinel receiving the Defender ATP, MCAS, Azure ATP, Office 365 ATP logs, among others.

I also have MCAS integrated with Azure ATP.

The question is: where should all technologies be centralized?

That is, if I use Microsoft 365 Security Center to centralize Defender ATP, Azure ATP, MCAS and Office ATP, does it still make sense to receive these logs in Sentinel?

Would it be possible to integrate alerts generated in Sentinel with Microsoft 365 Security Center?

If I receive the solution logs on Sentinel, what would be the meaning of Microsoft 365 Security Center? Can I work with both, centralizing the solutions in both?

I know that there may not be a final answer, but I would be happy to get your position.

Thank you.


1 answer
Saurabh Sharma 17,291 Reputation points Microsoft Employee
2020-09-16T22:38:36.853+00:00

@Luizao_f No, you cannot send Azure Sentinel alerts to M365 Security Center. Defender ATP, ASC, etc. are different, and not all alerts are synced across these security solutions. Also, these solutions are designed to generate logs for the specific investigations and perform the tasks which they are designed for. Even if you get the solutions' logs on Sentinel, you need to go back to the actual source system to perform more investigations. Sentinel only provides you with a single view of all the issues in your environment; however, for investigations you may need to go to the actual system.
Like you said, there is no definite approach defined for all of these; however, you can refer to this external blog, Microsoft 365 – Security Monitoring, which will provide you with a high-level overview of evaluating security solutions for your environment and may help you decide on what approach you want to have for your environment.
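To illustrate the "single view, but investigate at the source" point made in the answer, here is an added KQL example (not part of the original thread or any Microsoft documentation) run against the SecurityAlert table that the Microsoft connectors in the question populate in a Sentinel workspace; it assumes those connectors are enabled, and the ProviderName/ProductName values it groups by are simply whatever your connectors write.

```kql
// Added example, not from the original thread. Assumes the Defender ATP,
// MCAS, Azure ATP and Office 365 ATP connectors feed the SecurityAlert table.

// 1. How many alerts each connected product produced in the last 7 days.
//    Confirms that every expected source is actually arriving in Sentinel.
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Alerts = count(),
            High   = countif(AlertSeverity == "High"),
            Latest = max(TimeGenerated)
    by ProviderName, ProductName
| order by Alerts desc

// 2. Cross-product triage list for the last 24 hours. AlertLink points back
//    into the originating product's own portal, which is where the deeper
//    investigation (device timeline, user activity, mailbox trace) still runs.
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity in ("High", "Medium")
| summarize arg_max(TimeGenerated, *) by SystemAlertId   // latest state per alert
| project TimeGenerated, ProductName, AlertName, AlertSeverity,
          Status, CompromisedEntity, AlertLink
| order by TimeGenerated desc
```

Run each query separately in Logs; the first shows whether centralizing in Sentinel is giving you the full picture, the second shows that the single pane still hands you off to the source product for the actual investigation.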