Defender ATP into Sentinel and then SNOW


Hi all 

I want to move Defender ATP (and other Microsoft stack) alerts / incidents into Sentinel (which is easily achieved) and from there move them out into SNOW. What is the current thinking about how to aggregate the incidents, as in MTP they have a start time and then an updated time (multiple alerts can become one incident, for example)?


@wootts If I am understanding what you are trying to do correctly, you cannot do it. Alerts coming from other Azure security platforms, like Defender ATP, cannot be combined into a single incident.  That functionality is only for Scheduled rules.

@Gary Bushey thanks for the heads up.... 

Adding to what Gary already said.
We do the same, but with JIRA. It is possible, but not for incidents.
Currently Sentinel will only ingest alerts, not incidents.
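Since Sentinel only ingests the individual Defender ATP alerts and will not regroup them into incidents, the grouping has to happen in whatever ships them to SNOW (a Logic App, a function, a script). The following is an added example, not code from this thread or from Microsoft: it groups SecurityAlert-shaped rows by the provider-side incident id, derives the start time (earliest StartTime) and updated time (latest TimeGenerated) the original question asks about, and decides per incident whether SNOW needs a create, an update, or nothing. The sample rows are constructed, the `IncidentId` key inside `ExtendedProperties` is an assumption standing in for wherever the provider incident id lands in your export, and `snow_state` stands in for whatever your SNOW integration already recorded.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows shaped like Sentinel SecurityAlert records. Column names follow the
# SecurityAlert table; the "IncidentId" key inside ExtendedProperties is an ASSUMPTION for where
# the provider's incident id appears in your export. a1..a3 belong to one MTP incident, a4 to
# another, and a5 has no provider incident id at all.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "ProviderName": "MDATP", "AlertName": "Suspicious PowerShell command line",
     "AlertSeverity": "Medium", "StartTime": "2020-10-26T08:00:00Z", "TimeGenerated": "2020-10-26T08:02:00Z",
     "ExtendedProperties": json.dumps({"IncidentId": "12345"})},
    {"SystemAlertId": "a2", "ProviderName": "MDATP", "AlertName": "Credential dumping via LSASS access",
     "AlertSeverity": "High", "StartTime": "2020-10-26T08:10:00Z", "TimeGenerated": "2020-10-26T08:15:00Z",
     "ExtendedProperties": json.dumps({"IncidentId": "12345"})},
    {"SystemAlertId": "a3", "ProviderName": "MDATP", "AlertName": "Suspicious PowerShell command line",
     "AlertSeverity": "Medium", "StartTime": "2020-10-26T07:55:00Z", "TimeGenerated": "2020-10-26T08:30:00Z",
     "ExtendedProperties": json.dumps({"IncidentId": "12345"})},
    {"SystemAlertId": "a4", "ProviderName": "MDATP", "AlertName": "Malware detected",
     "AlertSeverity": "Low", "StartTime": "2020-10-26T09:00:00Z", "TimeGenerated": "2020-10-26T09:01:00Z",
     "ExtendedProperties": json.dumps({"IncidentId": "678"})},
    {"SystemAlertId": "a5", "ProviderName": "Azure Security Center", "AlertName": "Unusual login",
     "AlertSeverity": "Low", "StartTime": "2020-10-26T09:30:00Z", "TimeGenerated": "2020-10-26T09:31:00Z",
     "ExtendedProperties": "{}"},
]

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class SnowIncident:
    key: str                        # provider incident id, or a per-alert key when there is none
    title: str
    severity: str
    start_time: datetime            # earliest StartTime across the grouped alerts
    last_update_time: datetime      # latest TimeGenerated across the grouped alerts
    alert_ids: List[str] = field(default_factory=list)


def parse_time(value: str) -> datetime:
    """SecurityAlert timestamps end in Z; fromisoformat needs an explicit +00:00 offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def incident_key(alert: dict) -> str:
    """Group by the provider's incident id when present; otherwise keep the alert standalone."""
    props = json.loads(alert.get("ExtendedProperties") or "{}")
    pid = props.get("IncidentId")  # assumed key, see lead-in
    return str(pid) if pid else f"alert:{alert['SystemAlertId']}"


def aggregate(alerts: Iterable[dict]) -> Dict[str, SnowIncident]:
    """Collapse alerts into one SNOW-bound incident per key, like MTP does on its side."""
    grouped: Dict[str, List[dict]] = {}
    for alert in alerts:
        grouped.setdefault(incident_key(alert), []).append(alert)

    incidents: Dict[str, SnowIncident] = {}
    for key, members in grouped.items():
        # Title and severity come from the most severe alert (earliest StartTime on ties)
        lead = min(members, key=lambda a: (-SEVERITY_RANK.get(a["AlertSeverity"], 0),
                                           parse_time(a["StartTime"])))
        incidents[key] = SnowIncident(
            key=key,
            title=lead["AlertName"],
            severity=lead["AlertSeverity"],
            start_time=min(parse_time(a["StartTime"]) for a in members),
            last_update_time=max(parse_time(a["TimeGenerated"]) for a in members),
            alert_ids=sorted(a["SystemAlertId"] for a in members),
        )
    return incidents


def plan_sync(incidents: Dict[str, SnowIncident],
              snow_state: Dict[str, datetime]) -> List[Tuple[str, str]]:
    """Decide create/update/skip per incident. snow_state maps incident key to the
    last_update_time already pushed to SNOW (constructed for this example)."""
    plan: List[Tuple[str, str]] = []
    for key in sorted(incidents):
        inc = incidents[key]
        if key not in snow_state:
            plan.append(("create", key))
        elif inc.last_update_time > snow_state[key]:
            plan.append(("update", key))   # new alert joined the incident since last push
        else:
            plan.append(("skip", key))     # SNOW is already current for this incident
    return plan


if __name__ == "__main__":
    incs = aggregate(SAMPLE_ALERTS)
    # Constructed SNOW state: 12345 was pushed before a3 arrived, 678 is current, a5 is new
    state = {"12345": parse_time("2020-10-26T08:15:00Z"), "678": parse_time("2020-10-26T09:01:00Z")}
    for action, key in plan_sync(incs, state):
        inc = incs[key]
        print(f"{action:6} {key:10} {inc.severity:6} {inc.start_time.isoformat()} -> "
              f"{inc.last_update_time.isoformat()} alerts={inc.alert_ids}")
```

Keying the SNOW record on the provider incident id is what keeps three MDATP alerts from opening three tickets; the `plan_sync` comparison against the previously pushed `last_update_time` is what turns a later alert joining the same incident into an update of the existing ticket rather than a duplicate.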

It works through Sentinel, but it's not ideal

@Thijs Lecomte thanks for the heads up ... a work in progress, let's say