Defender ATP Connector in Logic Apps-Azure Sentinel


Hi,

I see that there is a connector available for Defender ATP while creating a new playbook in Sentinel. However, I am not sure how exactly it works. I haven't come across any use cases for it. Is it in any way related to Sentinel, or is it just for Logic Apps? As we know, in DATP multiple alerts constitute one incident, so when you create an analytics rule in Sentinel for DATP, it usually comes up with more than three results, of which two are the same and belong to the same hostname with the same info. That makes it a bit difficult to create tickets in SNOW for them, because you never know how many tickets will get created automatically. Is there a way around it to ignore the duplicate alerts and take only one alert?

P.S.: The second part of the post is the actual requirement; the first part is to see if the connector can be leveraged to fulfill the requirement.

1 Reply

@Pranesh1060 That connector is a Logic App connector, not to be confused with the Azure Sentinel Data Connector, so it really does not have anything to do with Azure Sentinel. It will kick off the Logic App when a new alert occurs in Defender ATP (https://securitycenter.windows.com/dashboard).

Note that there is a Microsoft Defender ATP connector in preview which will raise the alerts in Azure Sentinel after they have been created in MS Defender ATP.

For the rest of your question, you may want to ask it in the https://techcommunity.microsoft.com/t5/microsoft-defender-advanced/ct-p/MicrosoftDefenderAdvanced community.
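The duplicate-alert problem raised in the question (several rows for the same alert on the same host, each of which would become its own SNOW ticket) can be collapsed before the ticketing step. The following is an added example, not code from the original thread or from Microsoft; it assumes the alert rows carry the SecurityAlert-style fields TimeGenerated, AlertName, CompromisedEntity and SystemAlertId, and the input records are constructed sample data. Alerts with the same name on the same host within a configurable window are merged into one ticket record that lists every underlying alert id, so one ticket is opened but nothing is lost.

```python
"""Collapse duplicate Microsoft Defender ATP alerts before opening tickets.

Added example, not code from the original thread. Field names are assumed to
follow Azure Sentinel's SecurityAlert table (TimeGenerated, AlertName,
CompromisedEntity, SystemAlertId); SAMPLE_ALERTS is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what one run of a DATP analytics rule might return.
# a1 and a2 describe the same alert on the same host a few minutes apart,
# a3 is the same alert on a different host, a4 is host01 again a day later.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "TimeGenerated": "2020-02-10T08:00:00Z",
     "AlertName": "Suspicious PowerShell command line", "CompromisedEntity": "host01"},
    {"SystemAlertId": "a2", "TimeGenerated": "2020-02-10T08:03:00Z",
     "AlertName": "Suspicious PowerShell command line", "CompromisedEntity": "host01"},
    {"SystemAlertId": "a3", "TimeGenerated": "2020-02-10T08:05:00Z",
     "AlertName": "Suspicious PowerShell command line", "CompromisedEntity": "host02"},
    {"SystemAlertId": "a4", "TimeGenerated": "2020-02-11T09:00:00Z",
     "AlertName": "Suspicious PowerShell command line", "CompromisedEntity": "host01"},
]


def _parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the sample as aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dedupe_alerts(alerts, window=timedelta(hours=24)):
    """Return one ticket-worthy record per (host, alert name) within `window`.

    Alerts are processed in time order. An alert joins an existing group when
    the same alert name already fired on the same host and the group's first
    alert is less than `window` old; otherwise it opens a new group. Each
    returned record is the earliest alert of its group plus the ids it
    absorbed, so the single ticket can still cite every underlying alert.
    """
    ordered = sorted(alerts, key=lambda a: _parse_ts(a["TimeGenerated"]))
    open_groups = {}   # (hostname lower-cased, alert name) -> index into `tickets`
    tickets = []
    for alert in ordered:
        key = (alert["CompromisedEntity"].lower(), alert["AlertName"])
        ts = _parse_ts(alert["TimeGenerated"])
        idx = open_groups.get(key)
        if idx is not None and ts - tickets[idx]["FirstSeen"] < window:
            # Same alert on the same host inside the window: fold it in.
            tickets[idx]["MergedAlertIds"].append(alert["SystemAlertId"])
            tickets[idx]["LastSeen"] = ts
            continue
        # New host/alert pair, or the previous group aged out: open a new group.
        tickets.append({
            "Host": alert["CompromisedEntity"],
            "AlertName": alert["AlertName"],
            "FirstSeen": ts,
            "LastSeen": ts,
            "MergedAlertIds": [alert["SystemAlertId"]],
        })
        open_groups[key] = len(tickets) - 1
    return tickets


if __name__ == "__main__":
    for t in dedupe_alerts(SAMPLE_ALERTS):
        print(f'{t["Host"]}: "{t["AlertName"]}" '
              f'({len(t["MergedAlertIds"])} alert(s): {", ".join(t["MergedAlertIds"])})')
```

With the sample above this yields three ticket records instead of four: host01 with a1 and a2 merged, host02 with a3, and host01 again for a4 because it fell outside the 24-hour window. If the rows come straight from a Sentinel analytics rule, the same collapse can be done at the query level so the playbook only ever sees one row per host and alert name, for example by ending the rule's KQL with `summarize arg_min(TimeGenerated, *) by CompromisedEntity, AlertName`; the Python version is useful when the grouping has to happen after the fact, such as inside a Logic App or a small automation step in front of the ticketing call.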