forward logs to Log Analytics


How do I forward logs and alerts generated from MS Defender Security Center to Log Analytics to be used in Sentinel?

There is an in-preview connector on Sentinel, but I don't seem to find the configuration on the Defender Security Center side?

Thanks

2 Replies

Hey @omrip,

Just enable the connector in Sentinel; then you will start receiving the alerts from MDATP in "logs/securityInsights/SecurityAlerts" - check "ProviderName == MDATP".

If you need more data from MDATP in other places, use the Streaming API: https://emptydc.com/2019/07/23/microsoft-defender-atp-streaming-api/

Best,
Jan
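As an added example (not part of Jan's reply), here is a KQL query you can run in the Sentinel workspace once the connector is enabled, to confirm that Defender alerts are actually arriving and to see what they contain. It assumes the standard Sentinel SecurityAlert table schema (TimeGenerated, ProviderName, AlertName, AlertSeverity, Status, CompromisedEntity, Tactics, AlertLink, ExtendedProperties) and uses the "MDATP" provider string Jan cites; the 2h staleness threshold is an example value, not anything the page states.

```kql
// Added example: check that the Defender ATP (MDATP) connector is delivering
// alerts to this workspace and summarize what arrived in the last 24 hours.
// Table and column names assume the Sentinel SecurityAlert schema.
let lookback = 24h;
let stale_after = 2h;                // example threshold, tune for your tenant
// Part 1: ingestion health - when did the last alert from each provider land?
// A provider that shows Stale == true has not delivered anything recently,
// which is the first thing to check before trusting the analytics rules.
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize LastSeen = max(TimeGenerated), AlertCount = count() by ProviderName
| extend Stale = LastSeen < ago(stale_after)
| where ProviderName == "MDATP"
| project ProviderName, AlertCount, LastSeen, Stale
```

The same table can be pivoted for triage: swap the `summarize` above for `| where ProviderName == "MDATP" | extend Props = parse_json(ExtendedProperties) | project TimeGenerated, AlertName, AlertSeverity, Status, CompromisedEntity, Tactics, AlertLink`, which lists each Defender alert with the host it fired on and a deep link back to the Defender Security Center for the details Sentinel does not carry.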

Hi @Jan Geisbauer,

So Sentinel will receive the ALERTS by using the built-in connector, but what if you want the ATP EVENTS?

For example, if you want to query DeviceLogonEvents in order to track admin logins: sure, I could query them in Defender, but I want everything in Sentinel's workspace.

Suggestions?
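The thread does not say how the raw event tables get into the workspace, so as an added example (not part of the poster's question or any reply) here is the kind of admin-logon tracking query the poster describes, written against DeviceLogonEvents. It assumes the Defender advanced hunting schema for that table (Timestamp, DeviceName, AccountDomain, AccountName, LogonType, ActionType, RemoteIP, IsLocalAdmin), so it runs as-is in Defender advanced hunting and, if the table is ever present in the Sentinel workspace, there as well. The account-name pattern and the host-count threshold are example values.

```kql
// Added example: track successful interactive and remote-interactive logons by
// accounts that are local admins on the device (or match an "admin" naming
// convention), then flag accounts seen on unusually many hosts, which is the
// lateral-movement pattern this data is most often hunted for.
// Column names assume the DeviceLogonEvents advanced hunting schema.
let lookback = 7d;
let admin_pattern = @"(?i)admin";      // naming convention assumed for the example
let host_threshold = 5;                // example value, tune for your estate
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where LogonType in ("Interactive", "RemoteInteractive")
| where IsLocalAdmin == true or AccountName matches regex admin_pattern
| summarize Logons = count(),
            DeviceCount = dcount(DeviceName),
            Devices = make_set(DeviceName, 100),
            SourceIPs = make_set(RemoteIP, 100),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountDomain, AccountName, LogonType
| extend SpreadAcrossHosts = DeviceCount > host_threshold
| order by DeviceCount desc, Logons desc
```

Restricting to LogonSuccess and the two interactive logon types keeps service, batch and network logons (which dominate the volume and rarely indicate a human at a keyboard) out of the result; the `SpreadAcrossHosts` column is what you would alert on if this were turned into a scheduled analytics rule.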