Defender ATP into Sentinel and then SNOW

Question

Hi all&nbsp;I am wanting to move Defender ATP (and other microsoft stack) alerts / incidents into Sentinel (which is easily achieved) and from here move them out into SNOW - what is the current thinking about how to aggregate the incidents as in MTP they have a start time and then an updated time (multiple alerts can become one incident by example).&nbsp;&nbsp;

garybushey · Answer

wootts&nbsp;If I am understanding what you are trying to do correctly, you cannot do it. Alerts coming from other Azure security platforms, like Defender ATP, cannot be combined into a single incident.&nbsp; That functionality is only for Scheduled rules.

thijs lecomte · Answer

Adding to what Gary already said.We do the same, but with JIRA. It is possible; but not for incidents.Currently Sentinel will only ingest alerts, not incidents.It works through Seninel, but it's not ideal

wootts · Answer

GaryBushey&nbsp;thanks for the heads up....&nbsp;

wootts · Answer

Thijs Lecomte&nbsp;thanks for the heads up ... a work in progress lets say&nbsp;

Forum Discussion

Defender ATP into Sentinel and then SNOW

4 Replies