Microsoft 365 Defender integration with Azure Sentinel


The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

The Microsoft 365 Defender connector for Azure Sentinel (preview) sends all Microsoft 365 Defender incidents and alerts information to Azure Sentinel and keeps the incidents synchronized.

Once you add the connector, Microsoft 365 Defender incidents—which include all associated alerts, entities, and relevant information received from Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Cloud App Security—are streamed to Azure Sentinel as security information and event management (SIEM) data, providing you with context to perform triage and incident response with Azure Sentinel.

Once in Azure Sentinel, incidents remain bi-directionally synchronized with Microsoft 365 Defender, allowing you to take advantage of the benefits of both the Microsoft 365 Defender portal and Azure Sentinel in the Azure portal for incident investigation and response.

Watch this short overview of Azure Sentinel integration with Microsoft 365 Defender (4 minutes).

Here's how it works.

The flow and sharing of incident data between Microsoft 365 Defender and Azure Sentinel.

Next steps

  1. Get a deeper understanding of Microsoft 365 Defender integration with Azure Sentinel.
  2. Connect data from Microsoft 365 Defender to Azure Sentinel.

See also