Nov 22 2021 10:48 AM
I am running into an interesting issue. In an attempt to onboard a new client, they are requesting we ingest Defender for Endpoint logs into a Microsoft Sentinel workspace. In the past, leveraging the Data connector, there has been no issue with the ingestion. Simply checking a few boxes and I was home free. This client appears to be leveraging G5 licenses in terms of their Defender for Endpoint coverage.
This is the origin of the issue, I believe. Microsoft Sentinel is not seeing Defender for Endpoint as an active product for this tenant/directory. Is this by design, or is there a workaround to leverage the Streaming API to pipe these logs to the Microsoft Sentinel workspace?