Query MD ATP schema from Sentinel analytics rule


Is it possible to write a query in Sentinel analytics that can access the schema in our MD ATP workspace without bringing those logs into our Sentinel workspace (which would get very expensive)?

1 Reply
This is not possible.
Like you said, you would need to stream all data to Sentinel in order to query MDATP data.

Your two options are the MDATP portal or the MTP portal.