Muokkaa

Jaa


Support for Microsoft Defender XDR connector data types in different clouds

The type of cloud your environment uses affects Microsoft Sentinel's ability to ingest and display data from these connectors, like logs, alerts, device events, and more. This article describes support for different Microsoft Defender XDR connector data types in Microsoft Sentinel across different clouds, including Commercial, GCC, GCC-High, and DoD.

Read more about data type support for different clouds in Microsoft Sentinel.

Connector data

Incidents

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
Incidents Generally available Generally available

Alerts

From Microsoft Defender XDR

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
Microsoft Defender XDR alerts: SecurityAlert Generally available Public preview

From standalone component connectors

Data type Commercial GCC GCC-High / DoD
Microsoft Defender for Endpoint: SecurityAlert (MDATP) Generally available Generally available Generally available
Microsoft Defender for Office 365: SecurityAlert (OATP) Public preview Public preview Public preview
Microsoft Defender for Identity: SecurityAlert (AATP) Generally available Unsupported Unsupported
Microsoft Defender for Cloud Apps: SecurityAlert (MCAS) Generally available Generally available Unsupported
Microsoft Defender for Cloud Apps: McasShadowItReporting Generally available Generally available Unsupported

Raw event data

Microsoft Defender for Endpoint

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
DeviceInfo Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceNetworkInfo Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceProcessEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceNetworkEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceFileEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceRegistryEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceLogonEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceImageLoadEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceEvents Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview
DeviceFileCertificateInfo Generally available Microsoft Defender XDR: Generally available
Microsoft Sentinel: Public preview

Microsoft Defender for Identity

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
IdentityDirectoryEvents Generally available Unsupported
IdentityLogonEvents Generally available Unsupported
IdentityQueryEvents Generally available Unsupported

Microsoft Defender for Cloud Apps

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
CloudAppEvents Generally available Unsupported

Microsoft Defender for Office 365

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
EmailEvents Generally available Public preview
EmailAttachmentInfo Generally available Public preview
EmailUrlInfo Generally available Public preview
EmailPostDeliveryEvents Generally available Public preview
UrlClickEvents Generally available Public preview

Alerts

Data type Commercial / GCC
(Azure Commercial)
GCC-High / DoD
(Azure Government)
AlertInfo Generally available Public preview
AlertEvidence Generally available Public preview

Next steps

In this article, you learned which Microsoft Defender XDR connector data types are supported in Microsoft Sentinel for different cloud environments.