MDE and MDO support for Graph subscriptions

Apr 18 2022

When using a client app as a listener for Microsoft Graph events via the subscription concept, alerts from Microsoft Defender for Endpoint (provider name 'Microsoft Defender ATP') and Defender for Office 365 (provider name 'Office 365 Security and Compliance') do not successfully trigger change notifications. Alerts from other providers such as AAD Identity Protection, Defender for Cloud Apps, Sentinel, and MDI trigger these notifications successfully. After speaking with Microsoft Support, we were informed that this asymmetry between the products' behavior is by design. This creates significant challenges for security providers wishing to use the Graph subscription model as a means for ingesting security events in customer environments. Parity across the full MS security suite and the ability to ingest all security alerts via change notification would be ideal. Thanks!
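For readers evaluating the subscription model described in the post, the following is an added example (not code from the post's author or from Microsoft) of the listener side of a Graph change-notification pipeline for security alerts. It handles the validation handshake, checks the `clientState` secret and subscription id on incoming notifications, and builds a polling fallback filter for the two providers the post names as not triggering notifications. The notification payload is constructed for the example; the `vendorInformation/provider` filter property and the provider strings are taken from the post and from the Graph security alert schema, and the ids and secret are placeholders.

```python
import json
from typing import Dict, List, Set, Tuple

# Provider names quoted in the post whose alerts do not produce change
# notifications (per the post, confirmed by Microsoft Support as by design).
PROVIDERS_WITHOUT_NOTIFICATIONS: Set[str] = {
    "Microsoft Defender ATP",              # Defender for Endpoint
    "Office 365 Security and Compliance",  # Defender for Office 365
}

# Constructed sample notification body: one legitimate entry and one whose
# clientState does not match, as a forged or misrouted POST would look.
SAMPLE_NOTIFICATION_BODY = json.dumps({
    "value": [
        {
            "subscriptionId": "sub-constructed-1",
            "clientState": "s3cret-constructed",
            "changeType": "created",
            "resource": "security/alerts/alert-constructed-1",
            "resourceData": {"@odata.type": "#microsoft.graph.alert",
                             "id": "alert-constructed-1"},
        },
        {
            "subscriptionId": "sub-constructed-1",
            "clientState": "wrong-state",
            "changeType": "created",
            "resource": "security/alerts/alert-constructed-2",
            "resourceData": {"@odata.type": "#microsoft.graph.alert",
                             "id": "alert-constructed-2"},
        },
    ]
})


def handle_validation(query: Dict[str, str]) -> Tuple[int, str, str]:
    """Validation handshake: Graph POSTs to the notificationUrl with a
    validationToken query parameter and expects it echoed back as text/plain.
    Returns (status_code, content_type, body) for the HTTP framework to send."""
    token = query.get("validationToken")
    if not token:
        return 400, "text/plain", "missing validationToken"
    return 200, "text/plain", token


def accept_notifications(body: str, expected_client_state: str,
                         known_subscriptions: Set[str]) -> Tuple[List[dict], List[str]]:
    """Parse a change-notification POST body and keep only entries whose
    clientState equals the secret set at subscription time and whose
    subscriptionId is one this app created. Rejections carry a reason so they
    can be logged; the endpoint should still return 202 to Graph either way."""
    accepted: List[dict] = []
    rejected: List[str] = []
    for note in json.loads(body).get("value", []):
        sid = note.get("subscriptionId", "<none>")
        if note.get("clientState") != expected_client_state:
            rejected.append(f"{sid}: clientState mismatch")
        elif sid not in known_subscriptions:
            rejected.append(f"{sid}: unknown subscriptionId")
        else:
            accepted.append(note)
    return accepted, rejected


def build_poll_filter(since_iso: str,
                      providers: Set[str] = PROVIDERS_WITHOUT_NOTIFICATIONS) -> str:
    """OData $filter for the polling fallback on security/alerts, covering only
    the providers that never arrive through the subscription. since_iso is the
    high-water mark from the previous poll (assumed stored by the caller)."""
    clause = " or ".join(f"vendorInformation/provider eq '{p}'"
                         for p in sorted(providers))
    return f"createdDateTime ge {since_iso} and ({clause})"


if __name__ == "__main__":
    print(handle_validation({"validationToken": "token-constructed"}))
    ok, bad = accept_notifications(SAMPLE_NOTIFICATION_BODY,
                                   "s3cret-constructed", {"sub-constructed-1"})
    print(f"accepted={len(ok)} rejected={bad}")
    print(build_poll_filter("2022-04-18T00:00:00Z"))
```

The `clientState` check is what lets the listener distinguish notifications Graph actually sent from any POST that reaches the public `notificationUrl`, so it belongs before any processing of `resourceData`. Because the notification only carries the alert id, the alert itself is still fetched by id, and the polling filter covers the providers the post says never arrive by notification, so the two paths together give the full alert stream.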