5.6 Enabling the M365 Defender Connector

90 minutes · Module 5

Enabling the M365 Defender Connector

By the end of this subsection, you will have connected the M365 Defender data connector to your Sentinel workspace and verified data is flowing into the expected tables.

This is the single most important data connector for this course. It brings all Defender XDR data — endpoint, email, identity, cloud app — into your Sentinel workspace for custom analytics rules, cross-source hunting, and automated response.

What the connector ingests

Table group	Tables	Source product
Device telemetry	DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents	Defender for Endpoint
Email telemetry	EmailEvents, EmailUrlInfo, EmailAttachmentInfo, EmailPostDeliveryEvents, UrlClickEvents	Defender for Office 365
Identity telemetry	IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents	Defender for Identity
Cloud app telemetry	CloudAppEvents	Defender for Cloud Apps
Alert/incident data	AlertInfo, AlertEvidence	Defender XDR (cross-product)

Configuration walkthrough

In the Sentinel portal, navigate to Configuration → Data connectors
Search for “Microsoft Defender XDR” (formerly Microsoft 365 Defender)
Click Open connector page
Under Connect incidents and alerts, toggle to On — this sends Defender XDR incidents to your Sentinel incident queue
Under Connect events, select which raw event tables to ingest:

Do not enable every table blindly

DeviceFileEvents, DeviceRegistryEvents, and DeviceImageLoadEvents generate massive volume (see the cost analysis in 5.4). Start with the tables you will build detection rules against, then add others as needed. You can always enable additional tables later.

Recommended initial selection:

DeviceProcessEvents — essential for endpoint investigation
DeviceNetworkEvents — essential for C2 and data exfiltration detection
DeviceLogonEvents — essential for lateral movement detection
EmailEvents — essential for phishing investigation
EmailUrlInfo — URL analysis in phishing campaigns
UrlClickEvents — Safe Links click tracking
CloudAppEvents — inbox rules, OAuth grants, cloud app activity
IdentityLogonEvents — on-premises AD sign-in activity
AlertInfo + AlertEvidence — cross-product alert data

Defer initially (enable when needed):

DeviceFileEvents — high volume, enable for specific investigations
DeviceRegistryEvents — high volume, enable for malware analysis
DeviceImageLoadEvents — very high volume, enable for DLL sideloading hunts

Click Apply Changes

Data begins flowing within 5-10 minutes. The connector status changes to “Connected.”

Verification queries

After enabling the connector, verify data is flowing into each table:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// Check which M365 Defender tables have recent data
union withsource=TableName
    DeviceProcessEvents,
    DeviceNetworkEvents,
    DeviceLogonEvents,
    EmailEvents,
    CloudAppEvents,
    AlertInfo
| where TimeGenerated > ago(1h)
| summarize EventCount = count(), LastEvent = max(TimeGenerated) by TableName
| sort by TableName asc

Expected Output

TableName	EventCount	LastEvent
AlertInfo	3	2026-03-21 14:28
CloudAppEvents	247	2026-03-21 14:31
DeviceLogonEvents	1,842	2026-03-21 14:32
DeviceNetworkEvents	5,621	2026-03-21 14:32
DeviceProcessEvents	3,417	2026-03-21 14:32
EmailEvents	892	2026-03-21 14:30

What to look for: Every enabled table should show recent events. If a table shows 0 events, either it was not enabled in the connector, the source product is not generating events (no email activity = no EmailEvents), or there is an ingestion delay. Allow up to 15 minutes for initial data flow after enabling the connector.

Ingestion latency check:

1
2
3
4
5
6
7
EmailEvents
| where TimeGenerated > ago(1h)
| extend IngestionDelay = ingestion_time() - TimeGenerated
| summarize
    AvgDelaySeconds = round(avg(IngestionDelay) / 1s, 0),
    MaxDelaySeconds = round(max(IngestionDelay) / 1s, 0),
    P95DelaySeconds = round(percentile(IngestionDelay, 95) / 1s, 0)

Expected Output

AvgDelaySeconds	MaxDelaySeconds	P95DelaySeconds
45	180	90

What to look for: Average ingestion delay under 60 seconds is normal. P95 under 2 minutes is healthy. If you see delays over 5 minutes consistently, check the connector health page and the Azure Service Health dashboard. High latency means your NRT analytics rules fire late — a 5-minute delay on a phishing detection means 5 extra minutes of exposure.

Check your understanding

1. Why start with a subset of Defender tables instead of enabling everything?

Cost control — high-volume tables like DeviceFileEvents and DeviceRegistryEvents can double your ingestion volume without providing proportional detection value. Enable them selectively when you have a specific detection rule or investigation that requires them.

Sentinel cannot handle all tables simultaneously

Microsoft recommends it

Every enabled table incurs ingestion cost. Tables like DeviceFileEvents generate 10-50 GB/day in a 500-seat org. If you do not have analytics rules querying that table, you are paying for data you are not using. Start lean, expand when you have a specific use case.

2. Your ingestion latency check shows an average delay of 8 minutes. What is the impact?

No impact — latency is normal

NRT analytics rules that run every minute will still fire 8 minutes after the event occurred. For a phishing email detection, this means 8 minutes of user exposure before the rule triggers automated remediation. Investigate the latency source and check Azure Service Health.

Only affects workbook dashboards

Ingestion latency directly impacts detection timeliness. An NRT rule set to run every minute cannot detect faster than the data arrives. If data takes 8 minutes to ingest, your "near real-time" detection is actually 8+ minutes delayed. This matters most for email-based threats where every minute of delay increases click risk.

← 5.5 Cost Management and Optimization 5.7 Enabling the Entra ID Connector →