This article is contributed. See the original author and article here.

Harness the breadth and depth of integrated SIEM and XDR with new Microsoft 365 integration 


Building on our promise for a modernized approach to threat protection with integrated SIEM and XDR, we are happy to share a deeper integration between Azure Sentinel and Microsoft 365 Defender, making it easier than ever to harness the breadth of SIEM alongside the depth of XDR.  




Now in public preview, Microsoft 365 Defender incidents are fully integrated with Azure Sentinel, providing a seamless experience for responding to security threats. Incidents from M365D (formerly known as Microsoft Threat Protection or MTP) including all associated alerts, entities, and relevant information, can be streamed to Azure Sentinel, providing you with enough context to perform triage in Azure Sentinel. Once in Sentinel, Incidents will remain bi-directionally synced with M365D, allowing you to take advantage of the benefits of both portals in your incident investigation and response process. 


This integration allows you to manage M365D incidents from Azure Sentinel, as the primary incident queue across the entire organization, so you can see – and correlate – M365 incidents together with those from all of your other cloud and on-premises systems. At the same time, it allows you to seamlessly leverage the unique strengths and capabilities of M365D for in-depth investigationsM365 Defender enriches and groups alerts from multiple M365 products, both reducing the size of the SOC’s incident queue and shortening the time to resolve. The component services that are part of the M365 Defender stack are: 


  • Microsoft Defender for Endpoint (MDE, formerly MDATP) 

  • Microsoft Defender for Identity (MDI, formerly AATP) 

  • Microsoft Defender for O365 (MDO, formerly O365ATP) 

  • Microsoft Cloud App Security (MCAS) 

In addition to collecting alerts from these components, M365 Defender generates alerts of its own. 


Common use cases and scenarios 

  • One-click ingestion of M365 Defender incidents, including all alerts and entities from M365 security products, into Azure Sentinel leveraging a shared schema. 

  • Leverage M365 Defender alert grouping and enrichment capabilities in Azure Sentinel, thus reducing time to resolve. 

  • Immediate Bi-directional sync between Azure Sentinel and M365D incidents on status, owner and closing reason. 

  • In-context deep link between a Sentinel and M365 Defender incident, using the same credentials, to facilitate investigations across both portals. 


Further reading 

  • Our Ignite session, featuring a demo of this integration in action 

  • Documentation with detailed information on the integration, common use cases and limitations. 

  • Documentation on how to connect M365D incidents and raw data to Azure Sentinel. 

  • Documentation on Microsoft 365 Defender. 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: