I'm currently testing WDATP and have two questions:
Auditing: As far as I know, the only possible way for auditing (e.g. user xyz initiated a live response session, or user xyz created an advanced hunting query) so far is to use the API. If I attach Defender ATP to a SIEM via the SIEM connector, will all the auditing events be transmitted to the SIEM automatically, or do I still need to register an API and actively query them? If the latter is true, which events should I query for auditing?
The other question is about certificate custom indicators: We use a lot of self-developed software and had a lot of trouble with our current AV solution (not Defender ATP) and false positives. We started to sign software with a certificate issued by the company's root CA. The certificate chain looks like this: Root CA -> Intermediate CA -> Code-signing certificate (different for each software product). If we switch to Defender ATP and our custom software is signed with a certificate from the root CA, and the root CA certificate is on the certificate allowlist, will this eliminate the chance of false positives? Or is it required to add the actual certificate to the certificate custom indicator list? Or the intermediate CA? Or all three?