Microsoft Defender ATP Azure Sentinel Connector omits a lot of important Alert information


Hi 

 

It is sad to see that the Microsoft Defender ATP connector in Azure Sentinel does not get all the required alert information compared to the Graph API.

 

Details like user information, IP information, threat category and threat family are omitted.

 

Building a custom playbook to get this data is additionally charged, although ingestion of Microsoft data is free. The connector needs improvement.

 

Thanks

 

1 Reply

@Prash915  thank you for your feedback. The best place to put requests for new or improved features is in our user voice forums, where it will be reviewed by engineering - https://feedback.azure.com/forums/920458-azure-sentinel.

 

Thanks!

Sarah