Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel


Some alarms coming from MDATP to Sentinel, for example: "Suspicious URL clicked", do not provide the actual URL. To discover the actual URL you must access MDATP. This specific alarm is usually triggered based on O365ATP. Similarly, some alarms coming from AATP to Sentinel, for example: "Remote code execution attempt", are usually triggered after someone clicked on a URL. However, to access the actual URL you must access AATP. This specific alarm is usually triggered by MCAS and forwarded to AATP. It means that in this case you need to access MCAS.


Problem/request 0: it would be nice if the MS-sec-boxes shared all information from their alarms (e.g. URLs) with Sentinel. Is there any timeline to add more information? When? Which information?


Problem/request 1: MCAS, AATP, MDATP, O365ATP are not 'integrateable' via Azure Lighthouse. Therefore, MSSPs cannot access/manage those MS-sec-solutions. Perhaps the RBAC 'security reader' and/or 'security contributor' roles could eventually enable access to those solutions. Is there any intention in this direction?


Thanks

6 Replies

@jjsantanna Hi. Have you considered joining our Private Preview program? By joining, you will have access to test upcoming releases and be able to ask those questions directly to the team in a private Teams channel.


You can find a link to join in the Sentinel console:

[image: previewprivate.jpg]

Thanks @rodtrent, we are already there. Would be nice if someone from the community answers those "questions" because we share the discussion with our customers.

I understand your pain.
We have built a layer on top of Sentinel, which does that correlation through the APIs of the different products.

@Thijs Lecomte could you perhaps share this API documentation here?

There isn't really one API.

You need to use the MCAS API, MDATP API, Graph API, etc.
Each product has its own API you need to use.
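
As an added example (not code from this thread, from Microsoft, or from the layer Thijs describes), the following Python sketch shows the correlation step such a layer performs: a Sentinel SecurityAlert that lacks the URL is matched against the alert feed of the upstream product that, according to the original post, actually raised it (O365ATP for "Suspicious URL clicked", MCAS for "Remote code execution attempt"), using the same user and a short time window, and the URL is copied into the Sentinel alert's ExtendedProperties. The HTTP calls to the per-product APIs are left out; all alert payloads below are constructed samples, and their field names (`user`, `time`, `url`) are assumptions rather than the products' documented schemas.

```python
"""Enrich Sentinel alerts with the URL held by the upstream product.

Added example, not code from the thread or from any Microsoft product.
Every payload here is constructed; real deployments would fetch the lists
from the O365ATP / MCAS / MDATP / Graph APIs instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed Sentinel SecurityAlert rows: note that no URL is present.
SENTINEL_ALERTS: List[Dict] = [
    {"SystemAlertId": "sa-1", "ProductName": "Microsoft Defender Advanced Threat Protection",
     "AlertName": "Suspicious URL clicked", "TimeGenerated": "2020-07-07T10:00:05Z",
     "CompromisedEntity": "alice@contoso.example", "ExtendedProperties": {}},
    {"SystemAlertId": "sa-2", "ProductName": "Azure Advanced Threat Protection",
     "AlertName": "Remote code execution attempt", "TimeGenerated": "2020-07-07T11:30:00Z",
     "CompromisedEntity": "bob@contoso.example", "ExtendedProperties": {}},
    # No upstream event exists for carol, so this one must stay unenriched.
    {"SystemAlertId": "sa-3", "ProductName": "Azure Advanced Threat Protection",
     "AlertName": "Remote code execution attempt", "TimeGenerated": "2020-07-07T12:00:00Z",
     "CompromisedEntity": "carol@contoso.example", "ExtendedProperties": {}},
]

# Constructed upstream payloads with assumed field names; these DO carry the URL.
O365ATP_EVENTS: List[Dict] = [
    {"user": "alice@contoso.example", "time": "2020-07-07T09:59:50Z",
     "url": "https://example.invalid/login"},
]
MCAS_ALERTS: List[Dict] = [
    {"user": "bob@contoso.example", "time": "2020-07-07T11:29:40Z",
     "url": "https://example.invalid/payload"},
    # A day-old hit for the same user: outside the window, must not be picked.
    {"user": "bob@contoso.example", "time": "2020-07-06T08:00:00Z",
     "url": "https://example.invalid/old"},
]

# Mapping taken from the original post: which upstream product feeds which alert.
UPSTREAM_BY_ALERT = {
    ("Microsoft Defender Advanced Threat Protection", "Suspicious URL clicked"): "O365ATP",
    ("Azure Advanced Threat Protection", "Remote code execution attempt"): "MCAS",
}


@dataclass
class ProductEvent:
    """Normalised view of one upstream alert, whatever product it came from."""
    product: str
    user: str
    time: datetime
    url: str


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(product: str, raw_events: List[Dict]) -> List[ProductEvent]:
    """Turn a product's raw alert list into ProductEvent records."""
    return [ProductEvent(product, e["user"], parse_ts(e["time"]), e["url"]) for e in raw_events]


def find_source_event(alert: Dict, events: List[ProductEvent],
                      window: timedelta = timedelta(minutes=5)) -> Optional[ProductEvent]:
    """Closest upstream event for the same user, at or before the alert, within the window."""
    upstream = UPSTREAM_BY_ALERT.get((alert["ProductName"], alert["AlertName"]))
    if upstream is None:
        return None
    alert_time = parse_ts(alert["TimeGenerated"])
    best: Optional[ProductEvent] = None
    for ev in events:
        if ev.product != upstream or ev.user != alert["CompromisedEntity"]:
            continue
        delta = alert_time - ev.time
        if timedelta(0) <= delta <= window and (best is None or delta < alert_time - best.time):
            best = ev
    return best


def enrich(alert: Dict, events: List[ProductEvent]) -> Dict:
    """Return a copy of the Sentinel alert with Url/UrlSource added when a match exists."""
    enriched = dict(alert)
    enriched["ExtendedProperties"] = dict(alert["ExtendedProperties"])
    source = find_source_event(alert, events)
    if source is not None:
        enriched["ExtendedProperties"]["Url"] = source.url
        enriched["ExtendedProperties"]["UrlSource"] = source.product
    return enriched


def enrich_all(alerts: List[Dict] = SENTINEL_ALERTS) -> List[Dict]:
    """Enrich every Sentinel alert against the combined upstream feeds."""
    events = normalise("O365ATP", O365ATP_EVENTS) + normalise("MCAS", MCAS_ALERTS)
    return [enrich(a, events) for a in alerts]


if __name__ == "__main__":
    for row in enrich_all():
        print(row["SystemAlertId"], row["AlertName"], row["ExtendedProperties"])
```

The window and the user-match rule are the weak points of any such correlation: too wide a window attaches the wrong click to an alert, and an alert whose upstream event simply was not collected (sa-3 above) must stay unenriched rather than be guessed, which is why the function returns the alert unchanged instead of inventing a value.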

@Thijs Lecomte 
Engineers will hate and analysts will love it.
I will take a look. Thanks for your answer.