SOLVED

MDATP Full Telemetry Ingestion

Labels: API, Azure Sentinel, Integration, MDATP, Microsoft Defender ATP, Sentinel
Posted by kylemiller061 (Occasional Contributor)

I noticed from a previous post (way back in September) that the MDATP streaming API was being assessed for possible integration with Sentinel. Is there any update on the possibility of this happening? I know there are ways around getting the data into Log Analytics, but it would be huge if we could get that telemetry in so that advanced hunting with that endpoint telemetry could be conducted within Sentinel.


Additionally, is there a recommended venue to get visibility on the Sentinel development roadmap?
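The "ways around" the question alludes to boil down to exporting the events yourself and posting them to the Log Analytics HTTP Data Collector API, which lands them in a custom table that Sentinel can query. The following is an added example, not code from this thread or from Microsoft: it builds a signed Data Collector request for two constructed DeviceProcessEvents-style records, and includes the recomputation a receiver would do to validate the SharedKey header. The workspace ID, shared key, log type and event rows are made up; the URL, header names and the HMAC-SHA256 string-to-sign are the documented ones for this API.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed demo values: the workspace ID is made up and the key is merely
# valid base64, not a real Log Analytics primary/secondary key.
DEMO_WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
DEMO_SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-one").decode("ascii")

# Constructed sample rows shaped like MDATP DeviceProcessEvents output
# (a macro-launched PowerShell spawning cmd.exe); values are invented.
SAMPLE_EVENTS = [
    {
        "Timestamp": "2020-04-21T10:15:00Z",
        "DeviceName": "ws-01.contoso.local",
        "ActionType": "ProcessCreated",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -enc SQBFAFgA",
        "InitiatingProcessFileName": "winword.exe",
    },
    {
        "Timestamp": "2020-04-21T10:15:03Z",
        "DeviceName": "ws-01.contoso.local",
        "ActionType": "ProcessCreated",
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c whoami",
        "InitiatingProcessFileName": "powershell.exe",
    },
]


def build_signature(workspace_id, shared_key_b64, date, content_length,
                    method="POST", content_type="application/json",
                    resource="/api/logs"):
    """SharedKey Authorization value for the Data Collector API.

    The string-to-sign is fixed by the API: method, body length, content
    type, the x-ms-date header and the resource path, newline separated.
    The workspace key is base64 and must be decoded before keying the HMAC.
    """
    string_to_sign = (
        f"{method}\n{content_length}\n{content_type}\n"
        f"x-ms-date:{date}\n{resource}"
    )
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, log_type, events, date=None):
    """Return (url, headers, body) for a Data Collector API POST.

    Nothing is sent; hand the tuple to requests/urllib. `date` is
    injectable so the signature is reproducible in tests.
    """
    body = json.dumps(events, separators=(",", ":")).encode("utf-8")
    if date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")  # RFC 1123 as the API requires
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, date, len(body)),
        "Log-Type": log_type,                 # table is created as <log_type>_CL
        "x-ms-date": date,
        "time-generated-field": "Timestamp",  # keep the event's own time, not ingest time
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    return url, headers, body


def verify_signature(headers, body, workspace_id, shared_key_b64):
    """Receiver-side check: recompute the header from what arrived and
    compare in constant time. Any change to body length, date or key fails."""
    expected = build_signature(workspace_id, shared_key_b64,
                               headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


if __name__ == "__main__":
    url, headers, body = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY,
                                       "MDATPDeviceProcess", SAMPLE_EVENTS)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode("utf-8"))
    print("signature verifies:",
          verify_signature(headers, body, DEMO_WORKSPACE_ID, DEMO_SHARED_KEY))
```

Two caveats for anyone doing this at scale: the workspace shared key authorizes writes to the whole workspace and does not expire on its own, so keep it in Key Vault and rotate it rather than embedding it in the collector; and because the rows land in a custom `<Log-Type>_CL` table with typed column suffixes, the Advanced Hunting KQL you already run in MDATP will not port over unchanged.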

3 Replies
Reply from Thijs Lecomte:
Ingesting full data in Sentinel will be really costly.
Can you not create the necessary alerts in MDATP?
Reply from kylemiller061:

@Thijs Lecomte I understand that it would potentially be quite expensive, and it certainly wouldn't be meant for everyone. I have seen the use of the CrowdStrike Data Replicator API with Splunk, and Red Canary has done fantastic work with Carbon Black data on the Splunk platform as well. It would be nice to have the ability to have MTP type cross product investigative/fusion capabilities within Sentinel with MDATP data.

Solution (best response confirmed by kylemiller061, Occasional Contributor)

Hi @kylemiller061


I'm Ely from the product group.

Getting MDATP data to Sentinel is indeed part of our roadmap and planned for the next few months.


Thanks,