Microsoft Sentinel's Microsoft 365 Defender incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft 365 Defender include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation.

This integration gives Microsoft 365 security incidents the visibility to be managed from within Microsoft Sentinel, as part of the primary incident queue across the entire organization, so you can see – and correlate – Microsoft 365 incidents together with those from all of your other cloud and on-premises systems. At the same time, it allows you to take advantage of the unique strengths and capabilities of Microsoft 365 Defender for in-depth investigations and a Microsoft 365-specific experience across the Microsoft 365 ecosystem.

Microsoft 365 Defender enriches and groups alerts from multiple Microsoft 365 products, both reducing the size of the SOC's incident queue and shortening the time to resolve. The component services that are part of the Microsoft 365 Defender stack are:
- Microsoft Defender for Office 365 (MDO)
- Microsoft Defender for Cloud Apps (MDA)

Other services whose alerts are collected by Microsoft 365 Defender include:
- Microsoft Purview Data Loss Prevention (DLP)
- Azure Active Directory Identity Protection (AADIP)

In addition to collecting alerts from these components and other services, Microsoft 365 Defender generates alerts of its own. It creates incidents from all of these alerts and sends them to Microsoft Sentinel.

The Microsoft 365 Defender connector is now generally available!

Common use cases and scenarios
- One-click connect of Microsoft 365 Defender incidents, including all alerts and entities from Microsoft 365 Defender components, into Microsoft Sentinel.
- Bi-directional sync between Sentinel and Microsoft 365 Defender incidents on status, owner, and closing reason.
- Application of Microsoft 365 Defender alert grouping and enrichment capabilities in Microsoft Sentinel, thus reducing time to resolve.
- In-context deep link between a Microsoft Sentinel incident and its parallel Microsoft 365 Defender incident, to facilitate investigations across both portals.

Install the Microsoft 365 Defender solution for Microsoft Sentinel and enable the Microsoft 365 Defender data connector to collect incidents and alerts. Microsoft 365 Defender incidents appear in the Microsoft Sentinel incidents queue, with Microsoft 365 Defender in the Product name field, shortly after they are generated in Microsoft 365 Defender.
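The following KQL query is an added example (not part of the Microsoft documentation above) for checking, from the Sentinel Logs blade, what the connector has synced: the latest state of each Microsoft 365 Defender incident (status, owner, closing reason) together with the component products whose alerts were grouped into it. It assumes the standard Sentinel SecurityIncident and SecurityAlert tables and that the connector stamps ProviderName with "Microsoft 365 Defender"; both are assumptions about your workspace schema.

```kql
// Added example: latest synced state of each Microsoft 365 Defender incident in Sentinel,
// plus the products that contributed its alerts. Assumes the standard SecurityIncident and
// SecurityAlert schemas; the ProviderName value is an assumption about the connector's stamping.
let m365dIncidents =
    SecurityIncident
    | where ProviderName == "Microsoft 365 Defender"
    // SecurityIncident records a new row on every update (status, owner, classification);
    // keep only the most recent row per incident so the view reflects the current synced state.
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | extend
        AssignedTo = tostring(Owner.assignedTo),
        AlertCount = array_length(AlertIds),
        LastSynced = TimeGenerated;
m365dIncidents
// One row per alert that was grouped into the incident
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    // Alerts can also be re-logged on update; take the latest row per alert
    | summarize arg_max(TimeGenerated, ProductName, AlertName, AlertSeverity) by SystemAlertId
) on $left.AlertId == $right.SystemAlertId
| summarize
    Products   = make_set(ProductName),
    AlertNames = make_set(AlertName),
    AlertCount = take_any(AlertCount),
    LastSynced = take_any(LastSynced)
  by IncidentNumber, Title, Severity, Status, AssignedTo,
     Classification, ClassificationReason, ProviderIncidentId, IncidentUrl
| order by IncidentNumber desc
```

Incidents whose Products set is empty after the join indicate alerts that were not ingested by the connector (or that have not arrived yet), which is the first thing to verify when an incident appears in Sentinel without its alert context.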