
Azure Sentinel Defender Connectors Explained.

Updated: Mar 28, 2021

I have been working with Sentinel for quite a long time. Recently I was given a task to explore the Defender connectors. When I first looked into the connectors, I found several Defender connectors.

There is an individual connector each for Endpoint, Identity and Office 365. There is also one more connector called “Microsoft 365 Defender (Preview)”; when I opened this connector I saw that it brings telemetry for “Microsoft Defender for Endpoint”, “Microsoft Defender for Office 365”, “Microsoft Defender for Identity” and “Microsoft Cloud App Security”.

So I was a bit confused: if Microsoft 365 Defender (Preview) can bring the data for everything, then why do we have so many other connectors like Defender for Endpoint, Defender for Identity and Defender for Office 365?

Later I found the answer by asking Microsoft.

The Microsoft 365 Defender connector collects raw logs from the four security platforms. Additionally, this connector is bi-directional, meaning it closes the alert/incident on both sides. This connector can collect data for the following data types:

The individual connectors for each security platform (Defender for Endpoint, Defender for Identity, Defender for Office 365), however, collect alerts only. If you only want alerts forwarded to Sentinel, use these individual connectors.
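A quick way to confirm which of the two behaviours you actually have is to compare alert rows, incident rows and raw-telemetry rows in the workspace. The KQL below is an added example, not from the original post or from Microsoft; it assumes the standard Sentinel tables (SecurityAlert, SecurityIncident, DeviceProcessEvents, EmailEvents, IdentityLogonEvents, CloudAppEvents) and uses a constructed 24-hour lookback.

```kusto
// Added example: which connector type is feeding this workspace?
// Table names are Microsoft's standard Sentinel tables; the lookback is a constructed choice.
let lookback = 24h;
// 1. Alerts per provider: filled by BOTH the individual connectors and the M365 Defender connector.
let alerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize Rows = count() by Source = strcat("SecurityAlert/", ProviderName);
// 2. Raw telemetry: only the Microsoft 365 Defender connector populates these tables.
//    isfuzzy=true keeps the query running when a table has not been created yet (it shows as absent).
let raw = union isfuzzy=true
    (DeviceProcessEvents  | where TimeGenerated > ago(lookback) | summarize Rows = count() | extend Source = "Raw/DeviceProcessEvents"),
    (EmailEvents          | where TimeGenerated > ago(lookback) | summarize Rows = count() | extend Source = "Raw/EmailEvents"),
    (IdentityLogonEvents  | where TimeGenerated > ago(lookback) | summarize Rows = count() | extend Source = "Raw/IdentityLogonEvents"),
    (CloudAppEvents       | where TimeGenerated > ago(lookback) | summarize Rows = count() | extend Source = "Raw/CloudAppEvents");
// 3. Incidents: the bi-directional sync lands here; zero rows with non-zero alerts means alerts-only connectors.
let incidents = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize Rows = count() by Source = strcat("SecurityIncident/", ProviderName);
union alerts, raw, incidents
| project Source, Rows
| order by Source asc
```

Alert rows with empty Raw/* tables mean only the per-product connectors are enabled; Raw/* rows present means the Microsoft 365 Defender connector is delivering the full telemetry.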
