Jul 14 2020
- last edited on
Dec 23 2021
Some alarms coming from MDATP to Sentinel, for example: "Suspicious URL clicked", do not provide the actual URL. To discover the actual URL you must to access MDATP. This specific alarm is usually triggered based on O365ATP. Similarly, some alarms coming from AATP to Sentinel, for example: "Remote code execution attempt" are usually triggered after someone clicked in a URL. However, to access the actual URL you must to access the AATP. This specific alarm is usually triggered by MCAS and forwarded to AATP. It means that in this case you need to access MCAS.
Problem/request 0: it would be nice if MS-sec-boxes share all information from their alarms (ex. URLs) with Sentinel. Is there any timeline to add more information? when? which information?
Problem/request 1: MCAS, AATP, MDATP, O365ATP are not 'integrateable' via Azure Lighthouse. Then, MSSPs can not access/manage those MS-sec-solutions. Perhaps the RBAC 'security reader' and/or 'security contributor' could eventually enable access to those solutions. Is there any intention in this direction?
Jul 14 2020 06:53 AM
@jjsantanna Hi. Have you considered joining our Private Preview program? By joining, you will have access to test upcoming releases and be able to ask those questions directly to the team in a private Teams channel.
You can find a link to join in the Sentinel console:
Jul 14 2020 06:55 AM
Thanks @rodtrent, we are already there. Would be nice if someone from the community answers those "questions" because we share the discussion with our customers.
Jul 14 2020 07:06 AM
Jul 14 2020 07:58 AM
@Thijs Lecomte could you perhaps share this API documentation here?
Jul 14 2020 08:08 AM
Jul 14 2020 08:11 AM
Engineers will hate and analysts will love it.
I will take a look. Thanks for your answer.