Defender ATP data integration

Teezius
Senior Member

Is it/will it ever be possible to query or pull in data from the underlying workspace that ingests all data from Defender endpoint agents?

1 Reply
Solution

@Teezius 

Not sure yet. We are exploring this. You can import the data today by using the MDATP streaming API -> Event Hub -> Logic App -> Log Analytics.
NOTE: you will incur costs for EH, Logic App, Log A, and Azure Sentinel. So copying all the data might not make sense. It might be better to have a playbook to query MDATP and bring only needed data back to Azure Sentinel.

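The reply above sketches the pipeline (streaming API -> Event Hub -> Logic App -> Log Analytics) and warns that copying everything costs money. The following is an added example, not code from this thread or from Microsoft: it stands in for the Logic App step with a small Python consumer that keeps only the advanced-hunting tables and columns you actually need from an Event Hub batch, then builds the signed request the Log Analytics HTTP Data Collector API expects (the `SharedKey` HMAC-SHA256 scheme documented for that API). The Event Hub message shape (`records`, `category`, `properties`) and all field values are constructed for illustration, and the workspace ID and key are placeholders; the request is assembled but not sent.

```python
"""Filter Defender for Endpoint streaming-API events from an Event Hub batch
and build a signed Log Analytics Data Collector API request.
Added example for this thread; not from the original post or from Microsoft."""
import base64
import datetime
import hashlib
import hmac
import json

# Constructed sample of one Event Hub message as assumed to be emitted by the
# MDATP streaming API: a "records" array whose entries name the advanced-hunting
# table in "category" and carry that table's columns in "properties".
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {"time": "2019-10-01T10:00:00Z", "category": "AdvancedHunting-DeviceProcessEvents",
         "properties": {"DeviceName": "wks01", "FileName": "powershell.exe",
                        "ProcessCommandLine": "powershell -enc AAAA",
                        "InitiatingProcessFileName": "winword.exe"}},
        {"time": "2019-10-01T10:00:01Z", "category": "AdvancedHunting-DeviceNetworkEvents",
         "properties": {"DeviceName": "wks01", "RemoteIP": "203.0.113.5", "RemotePort": 443}},
        {"time": "2019-10-01T10:00:02Z", "category": "AdvancedHunting-DeviceProcessEvents",
         "properties": {"DeviceName": "wks02", "FileName": "notepad.exe",
                        "ProcessCommandLine": "notepad.exe",
                        "InitiatingProcessFileName": "explorer.exe"}},
    ]
})

# Tables to forward and the columns to keep from each. Dropping whole tables
# and unneeded columns here is what keeps Log Analytics / Sentinel ingestion
# cost down, which is the point the reply makes.
FORWARD_RULES = {
    "AdvancedHunting-DeviceProcessEvents": [
        "DeviceName", "FileName", "ProcessCommandLine", "InitiatingProcessFileName"],
}

# Placeholder workspace credentials (hypothetical, replace with your own).
PLACEHOLDER_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_SHARED_KEY = base64.b64encode(b"placeholder-key").decode()


def select_records(message_json, rules=FORWARD_RULES):
    """Return only records whose category is in `rules`, trimmed to the listed columns."""
    out = []
    for rec in json.loads(message_json).get("records", []):
        cols = rules.get(rec.get("category"))
        if cols is None:
            continue  # table not wanted: skip, do not pay to ingest it
        props = rec.get("properties", {})
        row = {"TimeGenerated": rec.get("time"), "Category": rec["category"]}
        row.update({c: props[c] for c in cols if c in props})
        out.append(row)
    return out


def build_signature(workspace_id, shared_key, date, content_length, method="POST",
                    content_type="application/json", resource="/api/logs"):
    """SharedKey authorization value for the Data Collector API: HMAC-SHA256 over
    the canonical string, keyed with the base64-decoded workspace key."""
    string_to_hash = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), string_to_hash.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, rows, date=None):
    """Assemble URL, headers and body for one Data Collector API call (not sent here).
    `log_type` becomes the custom table name; the service appends the _CL suffix."""
    body = json.dumps(rows).encode("utf-8")
    if date is None:
        date = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


if __name__ == "__main__":
    rows = select_records(SAMPLE_EVENT_HUB_MESSAGE)
    url, headers, body = build_request(PLACEHOLDER_WORKSPACE_ID, PLACEHOLDER_SHARED_KEY,
                                       "MDATP_DeviceProcessEvents", rows)
    print(f"{len(rows)} of 3 records kept; POST {url} Log-Type={headers['Log-Type']}")
    # To actually send: requests.post(url, data=body, headers=headers) and expect HTTP 200.
```

Run against the constructed batch it keeps two of the three records (the network event is dropped entirely) and trims the process rows to the four listed columns plus the timestamp and category. Swap the placeholder credentials for a real workspace ID and primary key, and feed real Event Hub batches into `select_records`, to use it as the forwarder stage; anything the `FORWARD_RULES` map does not name never reaches Log Analytics, which is the cost control the reply recommends.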