SOLVED

Defender ATP data integration

Senior Member

Is it/will it ever be possible to query or pull in data from the underlying workspace that ingests all data from Defender endpoint agents?

1 Reply
Solution

@Teezius 

Not sure yet. We are exploring this. You can import the data today by using the MDATP streaming API -> Event Hub -> Logic App -> Log Analytics.

NOTE: You will incur costs for EH, Logic App, Log A, and Azure Sentinel. So copying all the data might not make sense. It might be better to have a playbook to query MDATP and bring only needed data back to Azure Sentinel.
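As an added illustration of the reply above (example code written for this page, not code from the thread or from Microsoft), the Python below does in plain code what the Logic App step in the described pipeline would do: it takes one Event Hub message in the shape the Defender streaming API emits, keeps only the table and columns worth paying for (the cost point in the NOTE), and builds the signed POST that the Log Analytics HTTP Data Collector API expects. The workspace ID, shared key, custom log type, column list and the Event Hub message are all constructed placeholders; the request contract itself (the `x-ms-date` header, the `SharedKey workspaceId:signature` authorization with an HMAC-SHA256 over the canonical string, and the `Log-Type` header) is the documented Data Collector API format.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

# Placeholders only (assumed values, not a real workspace or key).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = base64.b64encode(b"Jefe").decode()  # the API takes the workspace key as base64 text
CUSTOM_LOG_TYPE = "MdatpProcessEvents"  # lands in the workspace as MdatpProcessEvents_CL

# Streaming-API tables to forward and the columns to keep from each. Everything
# else is dropped here, before Log Analytics / Sentinel bill it.
KEEP = {
    "AdvancedHunting-DeviceProcessEvents": [
        "Timestamp", "DeviceName", "AccountName", "FileName",
        "ProcessCommandLine", "InitiatingProcessFileName", "SHA256",
    ],
}

# Constructed sample of one Event Hub message in the shape the Defender streaming
# API emits: a "records" list, each entry carrying the table name in "category"
# and the advanced-hunting row in "properties". All values are made up.
SAMPLE_MESSAGE = {
    "records": [
        {
            "time": "2019-10-02T10:15:00Z",
            "tenantId": "11111111-2222-3333-4444-555555555555",
            "category": "AdvancedHunting-DeviceProcessEvents",
            "properties": {
                "Timestamp": "2019-10-02T10:14:58Z",
                "DeviceName": "ws01.contoso.local",
                "AccountName": "jdoe",
                "FileName": "powershell.exe",
                "ProcessId": 4212,
                "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
                "InitiatingProcessFileName": "winword.exe",
                "SHA256": "de96a6e69944335375dc1ac238a4f7b0d7ff1a4c1a6d8f1c3d3fe7c8e4d7b6a5",
                "ReportId": 9001,
            },
        },
        {
            "time": "2019-10-02T10:15:00Z",
            "tenantId": "11111111-2222-3333-4444-555555555555",
            "category": "AdvancedHunting-DeviceNetworkEvents",
            "properties": {"Timestamp": "2019-10-02T10:14:59Z", "RemoteIP": "203.0.113.10"},
        },
    ]
}


def select_records(message):
    """Reduce one Event Hub message to the tables and columns listed in KEEP."""
    rows = []
    for rec in message.get("records", []):
        cols = KEEP.get(rec.get("category"))
        if cols is None:
            continue  # a table we chose not to copy
        props = rec.get("properties", {})
        row = {c: props.get(c) for c in cols}
        row["Category"] = rec["category"]  # keep the source table name for KQL
        rows.append(row)
    return rows


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Data Collector API signs: method, length, type, date, path."""
    return "POST\n%d\napplication/json\nx-ms-date:%s\n/api/logs" % (content_length, rfc1123_date)


def sign(shared_key_b64, to_sign):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_request(rows, rfc1123_date=None, workspace_id=WORKSPACE_ID,
                  shared_key_b64=SHARED_KEY_B64, log_type=CUSTOM_LOG_TYPE):
    """Return (url, headers, body) for one Data Collector API POST."""
    body = json.dumps(rows).encode("utf-8")
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    signature = sign(shared_key_b64, string_to_sign(len(body), rfc1123_date))
    headers = {
        "Content-Type": "application/json",
        "Authorization": "SharedKey %s:%s" % (workspace_id, signature),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "Timestamp",  # use the event time, not ingestion time
    }
    url = "https://%s.ods.opinsights.azure.com/api/logs?api-version=2016-04-01" % workspace_id
    return url, headers, body


def send(message):
    """Filter one Event Hub message and post the survivors to Log Analytics (needs network)."""
    rows = select_records(message)
    if not rows:
        return 0
    url, headers, body = build_request(rows)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 200 on success
```

`send(SAMPLE_MESSAGE)` is the only part that touches the network; everything else runs offline, which is how you would unit-test the filter and the signing before wiring it to a real hub trigger. Two practitioner caveats: the signature is only valid if the `Content-Length` and `x-ms-date` actually sent match what was signed, so do not let an HTTP client re-serialize the body after signing; and the HTTP Data Collector API is the legacy ingestion path, since superseded by the Logs Ingestion API with data collection rules, while Sentinel has gained native connectors for Defender for Endpoint raw events, so treat this as the do-it-yourself route the reply describes rather than the current recommended one.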