MDATP Alert Tactic Not Surfaced in Log Analytics

kylemiller061 · ‎Apr 21 2020

When reviewing incidents in Sentinel that have been generated by the MDATP connector, most of the time the tactic associated to the activity at the endpoint alert level is also visible within the Sentinel Incident details. Because the tactic(s) associated with an alert are available when querying either the Security Graph API or the MDATP Security Center API I assumed that the tactic data could be surfaced in Log Analytics for any given alert. Oddly enough, when I look at alerts in Log Analytics, the tactic that MDATP has applied to the alert is not an available field. Does anybody here have any insight on this? The same appears to be the case for all of my MDATP alerts in LA. Any insight as to why this data is available via the API's and the Sentinel Incident details, but not via the logs themselves in LA?

Sarah_Young · ‎Apr 21 2020

@kylemiller061 you can achieve this by using a Logic App to enrich the data coming from MDATP using the API, it is not available via the connector at this time.

Thanks!

Sarah

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

MDATP Alert Tactic Not Surfaced in Log Analytics

MDATP Alert Tactic Not Surfaced in Log Analytics

Re: MDATP Alert Tactic Not Surfaced in Log Analytics