I’ve spent a good amount of time so far on this blog talking about steps on how to eliminate extra noise in Azure Sentinel. But, reading through the updated docs for the new integration between Azure Sentinel and Microsoft 365 Defender, there’s a section that sticks out related to this that I didn’t want anyone to miss.
So, I’ll just repurpose it here:
- Incidents generated by M365 Defender, on the basis of alerts coming from M365 security products, are created using custom M365 logic.
- Microsoft incident-creation rules in Azure Sentinel also create incidents from the same alerts, using (a different) custom Azure Sentinel logic.
- Using both mechanisms together is completely supported, and this configuration can be used to facilitate the transition to the new M365 Defender incident creation logic. This will, however, create duplicate incidents for the same alerts.
- To avoid creating duplicate incidents for the same alerts, we recommend that customers turn off all Microsoft incident creation rules for M365 products (MDE, MDI, and MDO – see MCAS below) when connecting M365 Defender. This can be done by marking the relevant check box in the connector page. Keep in mind that if you do this, any filters that were applied by the incident creation rules will not be applied to M365 Defender incident integration.
- For Microsoft Cloud App Security (MCAS) alerts, not all alert types are currently onboarded to M365 Defender. To make sure you are still getting incidents for all MCAS alerts, you must keep or create Microsoft incident creation rules for the alert types not onboarded to M365D.
Exciting times are ahead with all the enhanced goodness on the way for our security products. We just have to make sure to capture some of the nuances to ensure the experience is always a good one.