Forum Discussion

Teezius's avatar
Teezius
Copper Contributor
Sep 26, 2019
Solved

Defender ATP data integration

Is it/will it ever be possible to query or pull in data from the underlying workspace that ingests all data from Defender endpoint agents?

  • Nicholas DiCola (SECURITY JEDI)'s avatar
    Nicholas DiCola (SECURITY JEDI)
    Sep 26, 2019

    Teezius 

    Not sure yet.  We are exploring this.  you can import the data today by using MDATP streaming API -> Event Hub -> Logic App -> Log Analytics.

     

    NOTE:  you will incur costs for EH, Logic App, Log A, and Azure Sentinel.  So copying all the data might not make sense.  It might be better to have a playbook to query MDATP and bring only needed data back to Azure Sentinel.

2 Replies

  • Nicholas DiCola (SECURITY JEDI)'s avatar
    Nicholas DiCola (SECURITY JEDI)
    Former Employee
    Sep 26, 2019

    Teezius 

    Not sure yet.  We are exploring this.  you can import the data today by using MDATP streaming API -> Event Hub -> Logic App -> Log Analytics.

     

    NOTE:  you will incur costs for EH, Logic App, Log A, and Azure Sentinel.  So copying all the data might not make sense.  It might be better to have a playbook to query MDATP and bring only needed data back to Azure Sentinel.

    • David Caddick's avatar
      David Caddick
      Iron Contributor
      Jun 20, 2020

      Or try using MTP Advanced Hunting :cool:
      Depends what you're looking for?