Welcome to connecting Azure Sentinel to Microsoft 365. In this lesson, will take a look at the different Microsoft 365 services that Azure Sentinel can be connected to.

Now, before we get into the specifics of each of the Microsoft 365 services, let’s just take a quick look at the generic overview process of how Azure Sentinel connects to data sources.

We’ve already established that Azure Sentinel pulls data in from different services and apps by connecting to them and then forwarding events and logs into Azure Sentinel. To connect to the different data sources in your environment, including Microsoft 365 data sources, you use the data connectors page in Azure Sentinel. From the data connectors page, you can open the data connectors, gallery, which is a list of all of the different data sources that you can connect to. From here, you can select the data source you are most interested in. Once you connect Azure Sentinel to your data source, you can then stream logs from that data source into Azure Sentinel.

Azure Sentinel comes with a Microsoft 365 defender connector. This allows you to connect Azure Sentinel to Microsoft 365 defender, which was actually formerly known as Microsoft threat protection. This connector includes incident integration and allows you to stream all Microsoft 365 defender incidents and alerts into Azure Sentinel. It also ensures that the incidents between both portals, meaning the Microsoft 365 defender portal and Azure Sentinel are synchronized.

The Microsoft 365 defender connector also allows you to stream advanced hunting events from Microsoft defender for endpoint into Azure Sentinel as well.

Visit the URL on your screen to read more about integration with Microsoft 365 defender:

https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender

Another Microsoft 365 service that you can connect to from Azure Sentinel is Microsoft defender for endpoint. Azure Sentinel’s Microsoft defender for endpoint connector can be used to stream alerts from Microsoft defender for endpoint into Azure Sentinel. This allows you to analyze security events across the organization, and it also allows you to build playbooks to facilitate a more effective and immediate response to threats.

The URL on your screen provides more information about integration with Microsoft defender for endpoint:

https://docs.microsoft.com/azure/sentinel/connect-microsoft-defender-advanced-threat-protection

Azure Sentinel’s office 365 log connector allows you to pull in ongoing user and admin activities in exchange, SharePoint, one drive, and teams into Azure Sentinel. The information that gets pulled in includes things like file downloads, access requests sent, mailbox operations, team events, and many other important bits of office 365 information. When you connect office 365 logs to Azure Sentinel, you can view and analyze all of this data in workbooks, you can create custom alerts, and you can incorporate the data into existing investigation processes.

Visit the URL on your screen to read more about integrating office 365 logs and Azure Sentinel:

https://docs.microsoft.com/azure/sentinel/connect-office-365

You can also connect Azure Sentinel to Microsoft defender for office 365. Microsoft defender for office 365 was formerly known as office 365 advanced threat protection. Now, I’m not going to go into details on this offering because, at the time of this course creation, the ingestion of Microsoft defender for office 365 alerts is in public preview. Since it’s in public preview, things could change.

To read all about integration with Microsoft defender for office 365, visit the URL that you see on your screen:

https://docs.microsoft.com/azure/sentinel/connect-office-365-advanced-threat-protection

Join me in the next lesson, where I’ll show you how to connect office 365 logs to Azure Sentinel.