Defender ATP Connector in Logic Apps-Azure Sentinel

Pranesh1060 · ‎Feb 10 2020

Hi,

I see that there is a connector available for Defender ATP while creating a new playbook in Sentinel. However I am not sure how exactly does it work. I haven't come across any use cases for that. Is it in any way related to Sentinel or is it just for Logic Apps? As we know in DATP multiple alerts constitutes of 1 incident, so when you create an analytical rule in Sentinel for DATP, it usually comes up with more than 3 results of which two of them are same and belong to the same hostname with the same info. So it makes it a bit difficult to create tickets in SNOW for them because you never know how many tickets will get created automatically. Is there a way around it to ignore the duplicate alerts and take only 1 alert?

P.S: The second part of the post is the actual requirement, first part is to see if the connector can be leveraged to fulfill the requirement.

Gary Bushey · ‎Feb 10 2020

@Pranesh1060 That connector is a Logic App connector, not to be confused with the Azure Sentinel Data Connector, so it really does not have anything to do with Azure Sentinel. It will kick off the Logic App when a new alert in the Defender ATP, https://securitycenter.windows.com/dashboard, occurs.

Note that there is a Microsoft Defender ATP connector that is in preview which will raise the alerts in Azure Sentinel after they were created in MS Defender ATP.

For the rest of your question, you may want to ask it in the https://techcommunity.microsoft.com/t5/microsoft-defender-advanced/ct-p/MicrosoftDefenderAdvanced communities

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Defender ATP Connector in Logic Apps-Azure Sentinel

Defender ATP Connector in Logic Apps-Azure Sentinel

Re: Defender ATP Connector in Logic Apps-Azure Sentinel