cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more

Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

jjsantanna
Brass Contributor

‎Jul 14 2020 05:56 AM - last edited on ‎Dec 23 2021 04:47 AM by

‎Jul 14 2020 05:56 AM - last edited on ‎Dec 23 2021 04:47 AM by

Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

Some alarms coming from MDATP to Sentinel, for example: "Suspicious URL clicked", do not provide the actual URL. To discover the actual URL you must to access MDATP. This specific alarm is usually triggered based on O365ATP. Similarly, some alarms coming from AATP to Sentinel, for example: "Remote code execution attempt" are usually triggered after someone clicked in a URL. However, to access the actual URL you must to access the AATP. This specific alarm is usually triggered by MCAS and forwarded to AATP. It means that in this case you need to access MCAS.

 

Problem/request 0: it would be nice if MS-sec-boxes share all information from their alarms (ex. URLs) with Sentinel. Is there any timeline to add more information? when? which information?

 

Problem/request 1: MCAS, AATP, MDATP, O365ATP are not 'integrateable' via Azure Lighthouse. Then, MSSPs can not access/manage those MS-sec-solutions. Perhaps the RBAC 'security reader' and/or 'security contributor' could eventually enable access to those solutions. Is there any intention in this direction?

 

Thanks

1,412 Views
1 Like
6 Replies
Reply
6 Replies
rodtrent

‎Jul 14 2020 06:53 AM

‎Jul 14 2020 06:53 AM

Re: Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

@jjsantanna Hi. Have you considered joining our Private Preview program? By joining, you will have access to test upcoming releases and be able to ask those questions directly to the team in a private Teams channel.

 

You can find a link to join in the Sentinel console:

 

previewprivate.jpg

1 Like
Reply
jjsantanna

‎Jul 14 2020 06:55 AM

‎Jul 14 2020 06:55 AM

Re: Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

Thanks @rodtrent, we are already there. Would be nice if someone from the community answers those "questions" because we share the discussion with our customers.

1 Like
Reply
Thijs Lecomte

‎Jul 14 2020 07:06 AM

‎Jul 14 2020 07:06 AM

Re: Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

I understand your pain.
We have build a layer on top of Sentinel, which does that correlation through the API's of the different products
1 Like
Reply
jjsantanna

‎Jul 14 2020 07:58 AM

‎Jul 14 2020 07:58 AM

Re: Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

@Thijs Lecomte could you perhaps share this API documentation here?

0 Likes
Reply
Thijs Lecomte

‎Jul 14 2020 08:08 AM

‎Jul 14 2020 08:08 AM

Re: Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

There isn't really one API.

You need to use the MCAS API, MDATP API, Graph API etc...
Each product has it's own API you need to use
0 Likes
Reply
jjsantanna

‎Jul 14 2020 08:11 AM

‎Jul 14 2020 08:11 AM

Re: Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel

@Thijs Lecomte 
Engineers will hate and analysts will love it.
I will take a look. Thanks for your answer.

0 Likes
Reply