Updated: Mar 28
I have been working on Sentinel for quite a long time. Of late I got a task to explore the Defender connectors. When I first looked into the connectors, I found many Defender connectors.
There seems to be an individual connector for Endpoint, Identity and Office 365. There is also one more connector called “Microsoft 365 Defender (Preview)”; when I went inside this connector I saw that it will bring the telemetry for “Microsoft Defender for Endpoint”, “Microsoft Defender for Office 365”, “Microsoft Defender for Identity” and “Microsoft Cloud App Security”.
So I was a bit confused. If Microsoft 365 Defender (Preview) can bring the data for everything, then why do we have so many other connectors like Defender for Endpoint, Defender for Identity and Defender for Office 365?
Later I found the answer by approaching Microsoft.
The Microsoft 365 Defender connector brings the raw logs from the four security platforms. Additionally, this connector is bi-directional, meaning that when an alert/incident is closed on one side it is closed on the other side as well. This connector can collect data for the following data types:
The individual connectors for each security platform (Defender for Endpoint, Defender for Identity, Defender for Office 365), on the other hand, collect alerts only. If you only want alerts forwarded to Sentinel, use these individual connectors. The alerts each one brings in land in the SecurityAlert table and can be found with:
Microsoft Defender for Endpoint: SecurityAlert | where ProviderName == "MDATP"
Microsoft Defender for Identity (Preview): SecurityAlert | where ProductName == "Azure Advanced Threat Protection"
Microsoft Defender for Office 365 (Preview): SecurityAlert | where ProviderName == "OATP"
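As an added example (my own query, not part of the original post), the following KQL ties the three ProviderName/ProductName filters above together so you can see at a glance which connector is feeding which alerts, and then checks the SecurityIncident table for incidents synced in by the Microsoft 365 Defender connector. The alert filter values are the ones quoted above; the SecurityIncident ProviderName value "Microsoft 365 Defender" and the 7-day window are assumptions you may need to adjust for your workspace.

```kql
// Added example, not from the original post.
// 1) Which connector is feeding which alerts, using the same
//    ProviderName / ProductName values the post lists.
SecurityAlert
| where TimeGenerated > ago(7d)            // assumed window; adjust as needed
| extend Connector = case(
    ProviderName == "MDATP", "Defender for Endpoint",
    ProductName == "Azure Advanced Threat Protection", "Defender for Identity",
    ProviderName == "OATP", "Defender for Office 365",
    "Other")
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
    by Connector, ProviderName, ProductName
| order by Alerts desc

// 2) Incidents that arrived through the bi-directional Microsoft 365 Defender
//    connector rather than being created by Sentinel's own analytics rules.
//    ProviderName value is an assumption; verify it in your workspace.
SecurityIncident
| where TimeGenerated > ago(7d)
| where ProviderName == "Microsoft 365 Defender"
| summarize arg_max(TimeGenerated, Status, Severity, Title) by IncidentNumber
| summarize Incidents = count() by Status, Severity
| order by Incidents desc
```

If the first query shows rows under "Other", those alerts come from a source the three filters above do not cover (for example Cloud App Security or Sentinel's own analytics), so check ProviderName and ProductName in the output before relying on one of the individual connectors alone.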