Connect alerts from Microsoft Defender for Office 365
Microsoft Defender for Office 365 was formerly known as Office 365 Advanced Threat Protection (ATP).
You may see the old name still in use in the product (including its data connector in Azure Sentinel) for a period of time.
Microsoft Defender for Office 365 safeguards your organization against zero-day and other advanced threats posed by unknown malware in email messages, malicious URL links, and collaboration tools. By ingesting Microsoft Defender for Office 365 alerts into Azure Sentinel, you'll be able to utilize information about email-, file sharing-, and URL-based threats in your security operations. You can then more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
The connector imports the following alerts:
- A potentially malicious URL click was detected
- Email messages containing malware removed after delivery
- Email messages containing phish URLs removed after delivery
- Email reported by user as malware or phish
- Suspicious email sending patterns detected
- User restricted from sending email
These alerts can be seen by Office customers in the Office Security and Compliance Center.
- You must have read and write permissions on the Azure Sentinel workspace when you enable the connector.
- You must be a Global Administrator or a Security Administrator on the Azure Sentinel workspace's tenant.
- You must have a valid license for Office 365 ATP Plan 2 (included with the Office 365 E5, Office 365 A5, and Microsoft 365 E5 licenses, and available for purchase separately).
Connect to Microsoft Defender for Office 365
If Microsoft Defender for Office 365 is deployed, and if policies have been configured, the alerts can easily be ingested into Azure Sentinel.
In Azure Sentinel, select Data connectors from the navigation menu.
Select Microsoft Defender for Office 365 (may still be called Office 365 Advanced Threat Protection) in the connectors gallery, and select Open connector page.
In the Configuration section, click Connect.
In the Create incidents section, click Enable.
To query Office 365 ATP alerts with the relevant schema, use the SecurityAlert table and filter on the ProviderName column with the value OATP.
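The following Kusto (KQL) query is an added example and is not part of the original article or the connector's bundled samples. It shows the ProviderName filter described above written against the SecurityAlert table, then groups the connector's six alert types so that an unexpected alert title stands out rather than disappearing into a total. It assumes the standard SecurityAlert columns (TimeGenerated, AlertName, AlertSeverity, ProviderName, CompromisedEntity) and that the AlertName values match the alert list given earlier on this page; the AlertGroup labels are chosen here for readability.

```kql
// Added example (not from the original article): Defender for Office 365 alerts
// ingested by this connector, selected on the provider name the article gives.
// Column names are the standard SecurityAlert schema in Log Analytics.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName == "OATP"
// Map the six alert types the connector imports to short labels; anything that
// does not match falls into "Other" so a new or renamed alert is noticed.
| extend AlertGroup = case(
    AlertName contains "malicious URL click",            "URL click",
    AlertName contains "malware removed after delivery", "Malware removed post-delivery",
    AlertName contains "phish URLs removed after delivery", "Phish URL removed post-delivery",
    AlertName contains "reported by user",               "User report",
    AlertName contains "Suspicious email sending",       "Suspicious sending pattern",
    AlertName contains "restricted from sending",        "Restricted sender",
    "Other")
| summarize Alerts = count(),
            LatestAlert = max(TimeGenerated),
            AffectedEntities = dcount(CompromisedEntity)
  by AlertGroup, AlertSeverity
| order by Alerts desc
```

Run this in the workspace's Logs blade after the connector has been enabled and incidents have started flowing; a non-empty "Other" row is the cue to check whether the connector has begun importing an alert type not covered by the list above and whether your analytics rules need updating.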
Select the Next steps tab to see and use the query samples and analytics rule templates bundled with the Microsoft Defender for Office 365 connector.
In this document, you learned how to connect Microsoft Defender for Office 365 to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Azure Sentinel.