This article is contributed. See the original author and article here.

In the past few months, we have worked on an improved integration of Microsoft Defender ATP alerts into Azure Sentinel. After an initial evaluation period, we are now ready to gradually roll out the new solution to all customers. The new integration will replace the current integration of MDATP alerts which is now in public preview (see details below). The changes will occur automatically on 3/8/2020 and require no configuration from customers.

 

Improved alert details and context

The new integration has significant advantages in improved details and context, which are meant to facilitate and expedite triage and investigation of Microsoft Defender ATP incidents in Azure Sentinel. The integration will provide a more detailed view of each alert and is designed to capture changes on alert status over time. The upgrades include increased visibility into investigation and response information from MDATP as well as a link to provide an easy pivot to see the alert in the source portal. Finally, more information on entities is provided in a more concise format so analysts can have a broader picture of the involved entities.

 

It is important to note that the new integration does make minor changes to the structure of alerts from Microsoft Defender ATP. A summary of the changes is presented below (table 1), and a full description of the changes, together with a sample alert, can be found in the attached file. Any scheduled rules that use one of the changed fields might be affected.

 

A new MDATP API

The integration is based on the newly released MDATP Alerts API. Details on the new API can be found here.

 

Improved discoverability of the Sentinel integration in MDATP

The Sentinel integration is now exposed in the Partner application section in Microsoft Defender ATP.

 

Ely_Abramovitch_0-1596446387513.png

 

Additional Resources

Connecting Microsoft Defender ATP alerts to Sentinel – https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-alerts

 

Table 1 – summary of the alert schema changes

This table details the changes in the representation of MDATP alerts in the SecurityAlert table in Azure. The changes are in comparison to how MDATP alerts are now represented in Sentinel. Full description of the alert can be found in the attached file.

 

Description of Change

Sample Alert Data

Added: ExtendedProperties field. This field is an object containing the following details from MDATP:

– MDATP category
– Investigation ID
– Investigation state
– Incident ID
– Detection source
– Assigned to
– Determination
– Classification
– Action

{
“MicrosoftDefenderAtp.Category”: “SuspiciousActivity”,
“MicrosoftDefenderAtp.InvestigationId”: “10505”,
“MicrosoftDefenderAtp.InvestigationState”: “Running”,
“LastUpdated”: “05/25/2020 08:09:17”,
“IncidentId”: “135722”,
“DetectionSource”: “CustomerTI”,
“AssignedTo”: null,
“Determination”: null,
“Classification”: null,
“Action”: “zavidor was here”
}

Replaced: ExtendedLinks field – The new AlertLink column displays a link to the MDATP portal for each alert.

https://securitycenter.microsoft.com/alert/
da637259909307309588_-1180694960 

Repurposed: AlertType field – shows the detection source (instead of a GUID of the alert in MDATP)

Before: 360fdb3b-18a9-471b-9ad0-ad80a4cbcb00
After: CustomerTI

Expanded: Entity field – More information on entities is surfaced.
For example, the host entity now holds the following details:
– HostName
– OSFamily
– OSVersion
– Type
– MdatpDeviceId
– FQDN
– AadDeviceId
– RiskScore
– HealthStatus
– LastSeen
– LastExternalIpAddress
– LastIpAddress

{
“$id”: “3”,
“HostName”: “real-e2etest-re”,
“OSFamily”: “Windows”,
“OSVersion”: “1809”,
“Type”: “host”,
“MdatpDeviceId”: “e84e634c8c5c2ca10db696cac544ea9ec41e784c”,
“FQDN”: “real-e2etest-re”,
“AadDeviceId”: null,
“RiskScore”: “Medium”,
“HealthStatus”: “ActiveDefault”,
“LastSeen”: “2020-05-
25T08:06:28.5181093Z”,
“LastExternalIpAddress”:
“20.185.104.143”,
“LastIpAddress”: “172.17.53.241”
},

 

 

 

 

 

 

 

 

 

 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.