{"id":5082,"date":"2024-05-07T11:00:32","date_gmt":"2024-05-07T18:00:32","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=5082"},"modified":"2024-05-07T11:00:34","modified_gmt":"2024-05-07T18:00:34","slug":"how-to-connect-microsoft-defender-xdr-to-microsoft-sentinel","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=5082","title":{"rendered":"How to Connect Microsoft Defender XDR to Microsoft Sentinel"},"content":{"rendered":"\n<p>Microsoft Sentinel&#8217;s&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/mtp\/microsoft-threat-protection\">Microsoft Defender XDR<\/a>&nbsp;connector with incident integration allows you to stream all Microsoft Defender XDR incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include all their alerts, entities, and other relevant information. They also include alerts from Microsoft Defender XDR&#8217;s component services&nbsp;<strong>Microsoft Defender for Endpoint<\/strong>,&nbsp;<strong>Microsoft Defender for Identity<\/strong>,&nbsp;<strong>Microsoft Defender for Office 365<\/strong>, and&nbsp;<strong>Microsoft Defender for Cloud Apps<\/strong>, as well as alerts from other services such as&nbsp;<strong>Microsoft Purview Data Loss Prevention<\/strong>&nbsp;and&nbsp;<strong>Microsoft Entra ID Protection<\/strong>. The Microsoft Defender XDR connector also brings incidents from&nbsp;<strong>Microsoft Defender for Cloud<\/strong>, although in order to synchronize alerts and entities from these incidents, you must enable the Microsoft Defender for Cloud connector, otherwise your Microsoft Defender for Cloud incidents will appear empty. 
Learn more about the available connectors for&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/ingest-defender-for-cloud-incidents\">Microsoft Defender for Cloud<\/a>.<\/p>\n\n\n\n<p>The connector also lets you stream&nbsp;<strong>advanced hunting<\/strong>&nbsp;events from&nbsp;<em>all<\/em>&nbsp;of the above Defender components into Microsoft Sentinel, allowing you to copy those Defender components&#8217; advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components&#8217; raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.<\/p>\n\n\n\n<p>For more information about incident integration and advanced hunting event collection, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/microsoft-365-defender-sentinel-integration#advanced-hunting-event-collection\">Microsoft Defender XDR integration with Microsoft Sentinel<\/a>.<\/p>\n\n\n\n<p>The Microsoft Defender XDR connector is now generally available.<\/p>\n\n\n\n<p><strong>Note<\/strong><\/p>\n\n\n\n<p>For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/security\/fundamentals\/feature-availability\">Cloud feature availability for US Government customers<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You must have a valid license for Microsoft Defender XDR, as described in&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/mtp\/prerequisites\">Microsoft Defender XDR prerequisites<\/a>.<\/li>\n\n\n\n<li>Your user must be assigned the&nbsp;<a 
href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/roles\/permissions-reference#global-administrator\">Global Administrator<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/roles\/permissions-reference#security-administrator\">Security Administrator<\/a>&nbsp;role on the tenant you want to stream the logs from.<\/li>\n\n\n\n<li>Your user must have read and write permissions on your Microsoft Sentinel workspace.<\/li>\n\n\n\n<li>To make any changes to the connector settings, your user must be a member of the same Microsoft Entra tenant with which your Microsoft Sentinel workspace is associated.<\/li>\n\n\n\n<li>Install the solution for&nbsp;<strong>Microsoft Defender XDR<\/strong>&nbsp;from the&nbsp;<strong>Content Hub<\/strong>&nbsp;in Microsoft Sentinel. For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/sentinel-solutions-deploy\">Discover and manage Microsoft Sentinel out-of-the-box content<\/a>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prerequisites-for-active-directory-sync-via-mdi\">Prerequisites for Active Directory sync via MDI<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your tenant must be onboarded to Microsoft Defender for Identity.<\/li>\n\n\n\n<li>You must have the MDI sensor installed.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"connect-to-microsoft-defender-xdr\">Connect to Microsoft Defender XDR<\/h2>\n\n\n\n<p>In Microsoft Sentinel, select&nbsp;<strong>Data connectors<\/strong>, select&nbsp;<strong>Microsoft Defender XDR<\/strong>&nbsp;from the gallery and select&nbsp;<strong>Open 
connector page<\/strong>.<\/p>\n\n\n\n<p>The&nbsp;<strong>Configuration<\/strong>&nbsp;section has three parts:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/connect-microsoft-365-defender?tabs=MDE#connect-incidents-and-alerts\"><strong>Connect incidents and alerts<\/strong><\/a>&nbsp;enables the basic integration between Microsoft Defender XDR and Microsoft Sentinel, synchronizing incidents and their alerts between the two platforms.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/connect-microsoft-365-defender?tabs=MDE#connect-entities\"><strong>Connect entities<\/strong><\/a>&nbsp;enables the integration of on-premises Active Directory user identities into Microsoft Sentinel through Microsoft Defender for Identity.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/connect-microsoft-365-defender?tabs=MDE#connect-events\"><strong>Connect events<\/strong><\/a>&nbsp;enables the collection of raw advanced hunting events from Defender components.<\/li>\n<\/ol>\n\n\n\n<p>These are explained in greater detail below. See&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/microsoft-365-defender-sentinel-integration\">Microsoft Defender XDR integration with Microsoft Sentinel<\/a>&nbsp;for more information.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-incidents-and-alerts\">Connect incidents and alerts<\/h3>\n\n\n\n<p>To ingest and synchronize Microsoft Defender XDR incidents, with all their alerts, to your Microsoft Sentinel incidents queue:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Mark the check box labeled&nbsp;<strong>Turn off all Microsoft incident creation rules for these products. 
Recommended<\/strong>, to avoid duplication of incidents.<br>(This check box will not appear once the Microsoft Defender XDR connector is connected.)<\/li>\n\n\n\n<li>Select the&nbsp;<strong>Connect incidents &amp; alerts<\/strong>&nbsp;button.<\/li>\n<\/ol>\n\n\n\n<p><strong>Note<\/strong><\/p>\n\n\n\n<p>When you enable the Microsoft Defender XDR connector, all of the Microsoft Defender XDR components\u2019 connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the components\u2019 connectors, you must first disconnect the Microsoft Defender XDR connector.<\/p>\n\n\n\n<p>To query Microsoft Defender XDR incident data, use the following statement in the query window:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityIncident\n| where ProviderName == \"Microsoft 365 Defender\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-entities\">Connect entities<\/h3>\n\n\n\n<p>Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.<\/p>\n\n\n\n<p>Verify that you&#8217;ve satisfied the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/connect-microsoft-365-defender?tabs=MDE#prerequisites-for-active-directory-sync-via-mdi\">prerequisites<\/a>&nbsp;for syncing on-premises Active Directory users through Microsoft Defender for Identity (MDI).<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Select the&nbsp;<strong>Go to the UEBA configuration page<\/strong>&nbsp;link.<\/li>\n\n\n\n<li>In the&nbsp;<strong>Entity behavior configuration<\/strong>&nbsp;page, if you haven&#8217;t yet enabled UEBA, then at the top of the page, move the toggle to&nbsp;<strong>On<\/strong>.<\/li>\n\n\n\n<li>Mark the\u00a0<strong>Active Directory 
(Preview)<\/strong>\u00a0check box and select\u00a0<strong>Apply<\/strong>.<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/connect-microsoft-365-defender\/ueba-configuration-page.png\" alt=\"Screenshot of UEBA configuration page for connecting user entities to Sentinel.\"><\/li>\n<\/ol>\n\n\n\n<p>Ref: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/connect-microsoft-365-defender?tabs=MDE\">Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Sentinel&#8217;s&nbsp;Microsoft Defender XDR&nbsp;connector with incident integration allows you to stream all Microsoft Defender XDR incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include all their alerts, entities, and other relevant information. They also include alerts from Microsoft Defender XDR&#8217;s component services&nbsp;Microsoft Defender for Endpoint,&nbsp;Microsoft <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=5082\">Read 
More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1249,10],"tags":[1779,1778],"class_list":["post-5082","post","type-post","status-publish","format-standard","hentry","category-azure-microsoft","category-microsoft","tag-connect-microsoft-defender-with-microsoft-sentinel","tag-connect-microsoft-defender-xdr-to-microsoft-sentinel"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/5082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5082"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/5082\/revisions"}],"predecessor-version":[{"id":5083,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/5082\/revisions\/5083"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5082"},{"taxonomy":"post_tag","embeddable":true,"href":"http
s:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}