Connect data from Microsoft Defender XDR to Microsoft Sentinel
Applies to:
Microsoft Sentinel in the Azure portal, Microsoft Sentinel with Defender XDR in the Microsoft Defender portal
The Microsoft Defender XDR connector for Microsoft Sentinel allows you to stream all Microsoft Defender XDR incidents, alerts, and advanced hunting events into Microsoft Sentinel. This connector keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include alerts, entities, and other relevant information from all the Microsoft Defender products and services. For more information, see Microsoft Defender XDR integration with Microsoft Sentinel.
The Defender XDR connector, especially its incident integration feature, is the foundation of Microsoft's unified security operations platform. If you're onboarding Microsoft Sentinel to the Microsoft Defender portal, you must first enable this connector with incident integration.
Important
Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Prerequisites
Before you begin, you must have the appropriate licensing, access, and configured resources described in this section.
Your user must have the Security Administrator role on the tenant you want to stream the logs from, or the equivalent permissions.
You must have read and write permissions on your Microsoft Sentinel workspace.
To make any changes to the connector settings, your account must be a member of the same Microsoft Entra tenant with which your Microsoft Sentinel workspace is associated.
For on-premises Active Directory sync via Microsoft Defender for Identity:
Your tenant must be onboarded to Microsoft Defender for Identity.
You must have the Microsoft Defender for Identity sensor installed.
Connect to Microsoft Defender XDR
In Microsoft Sentinel, select Data connectors. Select Microsoft Defender XDR from the gallery and Open connector page.
The Configuration section has three parts:
Connect incidents and alerts enables the basic integration between Microsoft Defender XDR and Microsoft Sentinel, synchronizing incidents and their alerts between the two platforms.
Connect entities enables the integration of on-premises Active Directory user identities into Microsoft Sentinel through Microsoft Defender for Identity.
Connect events enables the collection of raw advanced hunting events from Defender components.
To ingest and synchronize Microsoft Defender XDR incidents with all their alerts to your Microsoft Sentinel incidents queue, complete the following steps.
Mark the check box labeled Turn off all Microsoft incident creation rules for these products. This is recommended, because it avoids creating duplicate incidents for the same Defender alerts. This check box no longer appears once the Microsoft Defender XDR connector is connected.
Select the Connect incidents & alerts button.
Verify that Microsoft Sentinel is collecting Microsoft Defender XDR incident data. In Microsoft Sentinel Logs in the Azure portal, run the following statement in the query window:
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
When you enable the Microsoft Defender XDR connector, any Microsoft Defender components’ connectors that were previously connected are automatically disconnected in the background. Although they continue to appear connected, no data flows through them.
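Going one step beyond the single provider filter above, the following KQL is an added example for this article, not a query from the original page: it reduces the SecurityIncident table (which stores one row per update to an incident) to the latest state of each incident, then summarizes incidents per provider so you can confirm that, with the Microsoft incident creation rules turned off, Defender product alerts now arrive only as "Microsoft 365 Defender" incidents, and reports how long ago each provider last updated an incident. The 7-day lookback window is an assumption; adjust it to your retention and review cadence.

```kql
// Added example (not from the original article): health check for incident sync.
// SecurityIncident keeps one row per update to an incident, so keep only the
// most recent row per IncidentNumber before counting. Lookback is an assumption.
let lookback = 7d;
SecurityIncident
| where TimeGenerated > ago(lookback)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| summarize
    Incidents       = count(),
    OpenIncidents   = countif(Status != "Closed"),
    HighSeverity    = countif(Severity == "High"),
    NewestIncident  = max(CreatedTime),
    LastUpdate      = max(LastModifiedTime)
    by ProviderName
// Minutes since this provider last touched an incident; a large value for
// "Microsoft 365 Defender" means the sync has stalled or nothing new occurred.
| extend MinutesSinceLastUpdate = datetime_diff('minute', now(), LastUpdate)
| order by Incidents desc
```

Once the connector is working and the Microsoft incident creation rules are off, incidents for Defender alerts should appear under a single ProviderName row rather than being split across providers; a second row that keeps growing for the same alerts is the duplication the check box in the steps above is meant to prevent.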
Connect entities
Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.
Select the Go to the UEBA configuration page link.
In the Entity behavior configuration page, if you didn't enable UEBA, then at the top of the page, move the toggle to On.
Mark the Active Directory (Preview) check box and select Apply.
Connect events
To collect advanced hunting events from Microsoft Defender for Endpoint or Microsoft Defender for Office 365, choose from the following event types; each is collected from its corresponding advanced hunting table.
Mark the check boxes of the tables with the event types you wish to collect:
Various identity-related events, like password changes, password expirations, and user principal name (UPN) changes, captured from an on-premises Active Directory domain controller; also includes system events on the domain controller
Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization
Information about various entities - files, IP addresses, URLs, users, devices - associated with alerts from Microsoft Defender XDR components
Select Apply Changes.
To run a query in the advanced hunting tables in Log Analytics, enter the table name in the query window.
Verify data ingestion
The data graph in the connector page indicates that you're ingesting data. Notice that it shows one line each for incidents, alerts, and events, and the events line is an aggregation of event volume across all enabled tables. After you enable the connector, use the following KQL queries to generate more specific graphs.
Use the following KQL query for a graph of the incoming Microsoft Defender XDR incidents:
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
Use the following KQL query to generate a graph of event volume for a single table (change the DeviceEvents table to the required table of your choosing):
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
DeviceEvents
| summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
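The query above graphs one table at a time. As an added example that is not part of the original article, the following KQL gives a per-table ingestion summary for several enabled advanced hunting tables at once, and, unlike a plain union, still lists a table that returned no rows, which is the case you most want to notice after enabling the connector. The list of table names and the one-day lookback are assumptions: keep only the tables you actually enabled under Connect events.

```kql
// Added example (not from the original article): per-table ingestion summary.
// The table list and the 1d lookback are assumptions; edit both to match the
// tables you enabled. isfuzzy=true lets the union run even if a listed table
// doesn't exist in the workspace yet.
let lookback = 1d;
let expected = datatable(SourceTable:string)
    ["DeviceEvents", "DeviceProcessEvents", "DeviceNetworkEvents", "AlertInfo", "AlertEvidence"];
let observed =
    union withsource=SourceTable isfuzzy=true
        DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, AlertInfo, AlertEvidence
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastEvent = max(TimeGenerated) by SourceTable;
// Left outer join keeps expected tables with no rows, so silence shows up as 0.
expected
| join kind=leftouter observed on SourceTable
| project
    SourceTable,
    Events = coalesce(Events, long(0)),
    LastEvent,
    MinutesSinceLastEvent = datetime_diff('minute', now(), LastEvent)
// Tables with no data sort to the top so a broken feed is the first thing you see.
| order by Events asc
```

A table that shows 0 events and an empty LastEvent for a full day after you selected Apply Changes usually means that table's check box wasn't saved or the corresponding Defender product isn't producing events for your tenant; a table that has events but a large MinutesSinceLastEvent points at an ingestion delay rather than a configuration problem.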
Next steps
In this document, you learned how to integrate Microsoft Defender XDR incidents, alerts, and advanced hunting event data from Microsoft Defender services into Microsoft Sentinel by using the Microsoft Defender XDR connector.