Many of you have been waiting for Microsoft to take the wraps off the ability to connect Microsoft 365 Defender to Azure Sentinel so that the Microsoft 365 Defender Incidents will appear in the incidents queue.
This is also the capability that allows bi-directional synching between both products, i.e., close an incident in one, the related incident is auto-closed in the other. For full context for what enabling this provides, see: What’s new: Azure Sentinel and Microsoft 365 Defender incident integration – Microsoft Tech Community
To enable it
Open the Microsoft 365 Defender (Preview) Connector in Azure Sentinel, and in the Configuration area click the Connect Incidents & alerts button. Make sure to keep the “Turn off all Microsoft incident creation rules for these products. Recommended.” option. This ensures dupes aren’t generated in the system.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
