The Defender XDR connector is automatically enabled when you onboard Microsoft Sentinel to the Defender portal. The manual configuration steps described in this article are not required if you've already onboarded Microsoft Sentinel to the Defender ...

When you enable the connector, it sends all Defender XDR incidents and alerts information to Microsoft Sentinel and keep the incidents synchronized. First, install the Microsoft Defender XDR solution for Microsoft Sentinel from the Content hub.

The Home page is updated with new sections that include metrics from Microsoft Sentinel, like the number of data connectors and automation rules. After you connect your workspace to the Defender portal, Microsoft Sentinel is on the left-hand side navigation pane. If you have Defender XDR enabled, pages like Home, Incidents, and Advanced Hunting have unified data from the primary workspace for Microsoft Sentinel and Defender XDR.

If the permissions are set correctly and you are still seeing issues with the workspace connector, I would recommend disconnecting and reconnecting the Defender XDR connector and trying again.

In the navigation pane, under Configuration, go to Data connectors. When the page loads, search for Microsoft Defender XDR and select the Microsoft Defender XDR connector. On the right-hand flyout, select Open Connector Page.

In Microsoft Sentinel, select Data connectors. Select Microsoft Defender XDR from the gallery and Open connector page. ... Connect incidents and alerts enables the basic integration between Microsoft Defender XDR and Microsoft Sentinel, ...

Thanks to this integration, Microsoft Sentinel customers who enable Defender XDR incident integration can now ingest and synchronize Defender for Cloud incidents through Microsoft Defender XDR. To support this integration, you must set up one of the following Microsoft Defender for Cloud data connectors, otherwise your incidents for Microsoft Defender for Cloud coming through the Microsoft Defender XDR connector won't display their associated alerts and entities:

June 10, 2025 - Please check the Microsoft Defender XDR connector configuration first to make sure the Microsoft incident creation rules are turned off for the Microsoft Defender products. ... Incident status, tags, resolution, closing reasons, closing comments ...

Use one of the following methods ... Sentinel and view Microsoft Sentinel data in the Azure portal. Enable the Defender XDR connector in Microsoft Sentinel....

Microsoft Sentinel customers who are integrating Microsoft Defender XDR incidents and are ingesting Defender for Cloud alerts must take the following steps to prevent duplicate alerts and incidents. In Microsoft Sentinel, configure the Tenant-based Microsoft Defender for Cloud (Preview) data connector.

@Mohammad Sayeem Chowdhury Have you tried installing the Defender XDR solution from content hub - https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration further solution is installed, you can navigate to connector and enable the logs from the above-mentioned tables.

If you don't see this section as shown, you most likely have enabled incident integration in your Microsoft Defender XDR connector, or you have onboarded Microsoft Sentinel to the Defender portal.

Alerts related to Defender products are streamed directly from the Microsoft Defender XDR connector to ensure consistency. Make sure that you have incidents and alerts from this connector turned on in your workspace.

2 weeks ago - Today, if you have permissions to see Microsoft Sentinel logs, incidents, etc. in the Azure portal, you will be able to see those in the Defender portal. For Microsoft Sentinel customers who previously worked exclusively in the Microsoft Sentinel Azure portal for investigation and triage and were not using the Defender XDR portal, this is where they may notice a change.

In the navigation pane, under Configuration, go to Data connectors. When the page loads, search for Microsoft Defender XDR and select the Microsoft Defender XDR connector. On the right-hand flyout, select Open Connector Page.

The tenant-based connector also works with Defender for Cloud's integration with Microsoft Defender XDR to ensure that all of your Defender for Cloud alerts are fully included in any incidents you receive through Microsoft Defender XDR incident integration. ... When you connect Microsoft Defender for Cloud to Microsoft Sentinel, the status of security alerts that get ingested into Microsoft Sentinel is synchronized between the two services.

February 19, 2024 - New-AzSentinelDataConnector -SubscriptionId subid -ResourceGroupName rgname -WorkspaceName wkname -Kind MicrosoftThreatProtection -Incident 'enabled' Expected behavior Microsoft Threat Protection (XDR Defender) connector is enabled with Incidents/Alerts : enabled

If you are reading this before the forced deadline and want to offboard the feature again, keep in mind that the Microsoft Defender XDR connector in your Microsoft Sentinel workspace will be disconnected! Make sure to manually reconnect this connector if you want to receive Defender XDR incidents ...

April 10, 2024 - Important Note: To disable a specific component’s connector, the Microsoft Defender XDR connector must first be disconnected. ... Now we can make the connection in Defeder XDR . When we log in to security.microsoft.com, we will see a guide for the connector on the home page. ... In the window that opens after the Connect Workspace option, we select the relevant Sentinel Workload and click “next”.