Oct 23 2019 12:46 PM
How do I forward logs and alerts generated from MS Defender Security Center to Log Analytics to be used in Sentinel?
There is a preview connector in Sentinel, but I don't seem to find the configuration on the Defender Security Center side?
Thanks
Oct 29 2019 07:09 AM
Hey @omrip,
Just enable the connector in Sentinel, then you will start receiving the alerts from MDATP in "logs/securityInsights/SecurityAlerts" - check "ProviderName == MDATP".
If you need more data from MDATP in other places, use the Streaming API: https://emptydc.com/2019/07/23/microsoft-defender-atp-streaming-api/
Best,
Jan
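As an added illustration of the answer above (not a query from Jan's post, and not part of the Sentinel connector itself), this is the kind of KQL a practitioner would run in the Sentinel workspace once the connector is enabled, to confirm that MDATP alerts are arriving and to see which hosts they concern. It assumes the default Sentinel schema: the SecurityAlert table with its ProviderName, AlertName, AlertSeverity, TimeGenerated and Entities columns, where Entities is a JSON array of entity objects with a Type field and, for hosts, a HostName field.

```kql
// Added example, not from the original post. Assumes the default SecurityAlert
// schema in a Log Analytics workspace with Sentinel enabled.
SecurityAlert
| where TimeGenerated > ago(7d)
// Alerts forwarded by the MDATP connector carry this provider name
| where ProviderName == "MDATP"
// Entities is a JSON string; expand it to one row per entity
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
// Keep only host entities so we can group alerts per device
| where tostring(Entity.Type) == "host"
| extend HostName = tostring(Entity.HostName)
| summarize
    AlertCount = count(),
    Alerts = make_set(AlertName),
    LastSeen = max(TimeGenerated)
    by HostName, AlertSeverity
| order by AlertCount desc
```

If the query returns nothing while the connector shows as connected, check the time window first; alerts only start flowing from the moment the connector is enabled, so historical MDATP alerts will not appear.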
Jun 29 2020 12:21 PM
Hi @Jan Geisbauer ,
So Sentinel will receive the ALERTS by using the built-in connector, but what if you want the ATP EVENTS?
For example, if you want to query DeviceLogonEvents in order to track admin logins - sure, I could query them in Defender, but I want everything in Sentinel's workspace.
Suggestions?