Connect Microsoft Defender for Office 365 to Microsoft Sentinel

You can ingest your Microsoft Defender for Office 365 data (and data from the rest of the Microsoft Defender XDR suite), including incidents, into Microsoft Sentinel.

Take advantage of rich security information and event management (SIEM) capabilities combined with data from other Microsoft 365 sources, synchronization of incidents and alerts, and advanced hunting.

What you need

  • Microsoft Defender for Office 365 Plan 2 or higher (included in E5 plans).
  • Microsoft Sentinel Quickstart guide.
  • Sufficient permissions (Security Administrator in Microsoft 365 and read/write permissions in Sentinel).

Add the Microsoft Defender XDR Connector

  1. Sign in to the Azure portal, navigate to Microsoft Sentinel, and select the workspace you want to integrate with Microsoft Defender XDR.
  2. In the navigation pane, under Configuration, go to Data connectors.
  3. When the page loads, search for Microsoft Defender XDR and select the Microsoft Defender XDR connector.
  4. On the right-hand flyout, select Open Connector Page.
  5. Under the Configuration section of the page that loads, select Connect incidents & alerts, leaving Turn off all Microsoft incident creation rules for these products selected.
  6. Scroll to Microsoft Defender for Office 365 in the Connect events section of the page. Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo and EmailPostDeliveryEvents, then select Apply Changes at the bottom of the page. (During this step you can also choose tables from other Defender products if they are helpful and applicable.)

Next Steps

Admins are now able to see incidents, alerts, and raw data in Microsoft Sentinel and use this data for advanced hunting, pivoting on existing and new data from Microsoft Defender.
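The following KQL query is an added example, not part of the original page or of Microsoft's own connector documentation. It shows how the four tables selected in step 6 can be used together once they are flowing into the Sentinel workspace: it finds messages that were initially delivered and later removed by zero-hour auto purge (ZAP), then enriches each one with the URLs and attachments it carried. The table and column names come from the Microsoft Defender XDR advanced hunting schema; the 7-day lookback and the `has "ZAP"` filter on `ActionType` are assumptions chosen for this example.

```kql
// Added example: delivered mail that was subsequently purged by ZAP,
// enriched with URL and attachment details from the other Defender for Office 365 tables.
// lookback window and the "ZAP" match on ActionType are assumptions for this example.
let lookback = 7d;
let zapped = EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType has "ZAP"
    | project NetworkMessageId, RecipientEmailAddress,
              ZapTime = Timestamp, ZapAction = ActionType, ZapResult = ActionResult;
EmailEvents
| where Timestamp > ago(lookback)
| where DeliveryAction == "Delivered"
// Match on both message id and recipient: one message can have many recipients
| join kind=inner zapped on NetworkMessageId, RecipientEmailAddress
// Collect up to 10 URLs per message from EmailUrlInfo
| join kind=leftouter (
    EmailUrlInfo
    | summarize Urls = make_set(Url, 10) by NetworkMessageId
  ) on NetworkMessageId
// Collect attachment names and SHA256 hashes per message from EmailAttachmentInfo
| join kind=leftouter (
    EmailAttachmentInfo
    | summarize Attachments = make_set(FileName, 10),
                AttachmentHashes = make_set(SHA256, 10) by NetworkMessageId
  ) on NetworkMessageId
| project Timestamp, ZapTime, ZapAction, ZapResult,
          SenderFromAddress, RecipientEmailAddress, Subject, ThreatTypes,
          Urls, Attachments, AttachmentHashes
| order by ZapTime desc
```

Run it from Microsoft Sentinel > Logs against the workspace you connected above. The `Timestamp` to `ZapTime` gap shows how long each message sat in a mailbox before removal, which is a useful starting point for deciding whether a user interacted with it; the same query can be saved as a scheduled analytics rule if you want an incident raised whenever ZAP fires on a delivered message.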

More Information

Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Docs

Connect Microsoft Teams to Microsoft Sentinel