Apr 21 2020 01:30 PM - last edited on Dec 23 2021 10:02 AM by TechCommunityAP
When reviewing incidents in Sentinel that have been generated by the MDATP connector, most of the time the tactic associated with the activity at the endpoint alert level is also visible within the Sentinel Incident details. Because the tactic(s) associated with an alert are available when querying either the Security Graph API or the MDATP Security Center API, I assumed that the tactic data could be surfaced in Log Analytics for any given alert. Oddly enough, when I look at alerts in Log Analytics, the tactic that MDATP has applied to the alert is not an available field. Does anybody here have any insight on this? The same appears to be the case for all of my MDATP alerts in LA. Any insight as to why this data is available via the APIs and the Sentinel Incident details, but not via the logs themselves in LA?
Apr 21 2020 09:18 PM
@kylemiller061 you can achieve this by using a Logic App to enrich the data coming from MDATP using the API; it is not available via the connector at this time.
Thanks!
Sarah
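The enrichment the reply describes, written out as an added example that is not Sarah's code and not anything from this thread: a Python script doing by hand what a Logic App playbook would do with an HTTP action against the MDATP alerts API followed by the Log Analytics Data Collector action. It assumes the SecurityAlert row carries the MDATP alert id in VendorOriginalId, that the API record exposes the tactic in category and the technique IDs in mitreTechniques, and that the enriched rows go to a custom table named MDATPAlertTactics; the two sample alerts, the workspace id and the shared key are constructed for the example. Only the SharedKey signing scheme (HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key) is the documented Data Collector API contract; nothing is sent over the network.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: one SecurityAlert row as the MDATP connector lands it in
# Log Analytics. Column names follow the SecurityAlert schema (assumed);
# values are made up. Note there is no tactic column to read from.
SENTINEL_ALERT = {
    "SystemAlertId": "0b3f5d1e-1111-2222-3333-444455556666",
    "ProviderName": "MDATP",
    "VendorOriginalId": "da637231234567890123_-1234567890",
    "AlertName": "Suspicious PowerShell command line",
    "AlertSeverity": "Medium",
}

# Constructed sample: what the MDATP Security Center API (/api/alerts) returns.
# 'category' carries the tactic and 'mitreTechniques' the technique IDs;
# these are the fields the connector does not surface.
MDATP_API_ALERTS = [
    {
        "id": "da637231234567890123_-1234567890",
        "title": "Suspicious PowerShell command line",
        "category": "Execution",
        "mitreTechniques": ["T1059.001"],
        "severity": "Medium",
    },
    {
        "id": "da637231999999999999_-9999999999",
        "title": "Unrelated alert",
        "category": "Persistence",
        "mitreTechniques": ["T1053.005"],
        "severity": "Low",
    },
]

# Assumed custom table name; Log Analytics appends "_CL" to it.
LOG_TYPE = "MDATPAlertTactics"
# Constructed credentials for the example; not a real workspace or key.
EXAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
EXAMPLE_SHARED_KEY = base64.b64encode(b"constructed-example-key-not-real").decode("ascii")


def enrich_alert(sentinel_alert, api_alerts):
    """Join a SecurityAlert row to its MDATP API record by vendor alert id and
    return a row carrying the tactic and techniques. Returns None when the API
    has no record for the alert, so the caller skips it rather than writing a
    row with an empty tactic."""
    by_id = {a["id"]: a for a in api_alerts}
    match = by_id.get(sentinel_alert.get("VendorOriginalId"))
    if match is None:
        return None
    return {
        "SystemAlertId": sentinel_alert["SystemAlertId"],
        "VendorOriginalId": sentinel_alert["VendorOriginalId"],
        "AlertName": sentinel_alert["AlertName"],
        "Tactic": match.get("category"),
        "MitreTechniques": ",".join(match.get("mitreTechniques", [])),
    }


def build_authorization(workspace_id, shared_key_b64, rfc1123_date, content_length,
                        method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey signature for the Data Collector API: HMAC-SHA256 over the
    canonical string, keyed with the base64-decoded workspace key, then
    base64-encoded again."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_data_collector_request(workspace_id, shared_key_b64, records,
                                 log_type=LOG_TYPE, rfc1123_date=None):
    """Assemble the POST (url, headers, body) that writes `records` to the
    custom table. Nothing is sent; hand the result to an HTTP client."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records)
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "Authorization": build_authorization(workspace_id, shared_key_b64,
                                             rfc1123_date, len(body.encode("utf-8"))),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return {"url": url, "headers": headers, "body": body}


if __name__ == "__main__":
    enriched = enrich_alert(SENTINEL_ALERT, MDATP_API_ALERTS)
    request = build_data_collector_request(EXAMPLE_WORKSPACE_ID, EXAMPLE_SHARED_KEY, [enriched])
    print(json.dumps(enriched, indent=2))
    print(request["headers"]["Authorization"])
```

In a playbook the same three steps map onto a Sentinel alert trigger, an HTTP action calling the alerts API with the alert's vendor id, and the Data Collector action; the join key is the only piece that has to match on both sides, so check it against a real SecurityAlert row before wiring it up.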