This article is contributed. See the original author and article here.
In the past few months, we have worked on an improved integration of Microsoft Defender ATP alerts into Azure Sentinel. After an initial evaluation period, we are now ready to gradually roll out the new solution to all customers. The new integration will replace the current integration of MDATP alerts which is now in public preview (see details below). The changes will occur automatically on 3/8/2020 and require no configuration from customers.
Improved alert details and context
The new integration has significant advantages in improved details and context, which are meant to facilitate and expedite triage and investigation of Microsoft Defender ATP incidents in Azure Sentinel. The integration will provide a more detailed view of each alert and is designed to capture changes on alert status over time. The upgrades include increased visibility into investigation and response information from MDATP as well as a link to provide an easy pivot to see the alert in the source portal. Finally, more information on entities is provided in a more concise format so analysts can have a broader picture of the involved entities.
It is important to note that the new integration does make minor changes to the structure of alerts from Microsoft Defender ATP. A summary of the changes is presented below (table 1), and a full description of the changes, together with a sample alert, can be found in the attached file. Any scheduled rules that use one of the changed fields might be affected.
A new MDATP API
The integration is based on the newly released MDATP Alerts API. Details on the new API can be found here.
Improved discoverability of the Sentinel integration in MDATP
The Sentinel integration is now exposed in the Partner application section in Microsoft Defender ATP.
Additional Resources
Connecting Microsoft Defender ATP alerts to Sentinel – https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection
Table 1 – summary of the alert schema changes
This table details the changes in the representation of MDATP alerts in the SecurityAlert table in Azure. The changes are in comparison to how MDATP alerts are now represented in Sentinel. Full description of the alert can be found in the attached file.
Description of Change |
Sample Alert Data |
Added: ExtendedProperties field. This field is an object containing the following details from MDATP: – MDATP category |
{ |
Replaced: ExtendedLinks field – The new AlertLink column displays a link to the MDATP portal for each alert. |
https://securitycenter.microsoft.com/alert/ |
Repurposed: AlertType field – shows the detection source (instead of a GUID of the alert in MDATP) |
Before: 360fdb3b-18a9-471b-9ad0-ad80a4cbcb00 |
Expanded: Entity field – More information on entities is surfaced. |
{ |
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments