Connect data from Azure Advanced Threat Protection (ATP)
You can stream logs from Azure Advanced Threat Protection into Azure Sentinel with a single click.
Prerequisites
- User with global administrator or security administrator permissions
- You must be a preview customer of Azure ATP and enable integration between Azure ATP and Microsoft Cloud App Security. For more information, see Azure Advanced Threat Protection integration.
Connect to Azure ATP
Make sure the Azure ATP preview version is enabled on your network. If Azure ATP is deployed and ingesting your data, the suspicious alerts can easily be streamed into Azure Sentinel. It may take up to 24 hours for the alerts to start streaming into Azure Sentinel.
To connect Azure ATP to Azure Sentinel, you must first enable integration between Azure ATP and Microsoft Cloud App Security. For information on how to do this, see Azure Advanced Threat Protection integration.
In Azure Sentinel, select Data connectors and then click the Azure Advanced Threat Protection (Preview) tile.
You can select whether you want the alerts from Azure ATP to automatically generate incidents in Azure Sentinel. Under Create incidents, select Enable to turn on the default analytics rule that creates incidents from alerts generated in the connected security service. You can then edit this rule under Analytics, and then Active rules.
To use the relevant schema in Log Analytics for the Azure ATP alerts, search for SecurityAlert.
If an alert is larger than 30 KB, Azure Sentinel stops displaying the Entities field for that alert.
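As an added example that is not part of this article, the following Log Analytics (KQL) query lists the Azure ATP alerts that reached the SecurityAlert table over the last 7 days and counts those whose Entities field is empty, which is what you see once an alert passes the 30 KB limit. It assumes the connector stamps these rows with ProviderName "Azure Advanced Threat Protection"; if the result is empty, run SecurityAlert | distinct ProviderName to confirm the value in your workspace.

```kusto
// Added example, not from the original article.
// Verifies that Azure ATP alerts are streaming into Azure Sentinel and
// flags alerts whose Entities field was dropped (alerts larger than 30 KB).
SecurityAlert
| where TimeGenerated > ago(7d)
// Assumption: this is the ProviderName value used for Azure ATP alerts.
| where ProviderName == "Azure Advanced Threat Protection"
| summarize
    Alerts = count(),
    AlertsWithoutEntities = countif(isempty(Entities)),
    LastSeen = max(TimeGenerated)
  by AlertName, AlertSeverity
| order by LastSeen desc
```

An empty result within the first 24 hours after connecting is expected; a non-zero AlertsWithoutEntities count identifies alert types whose entity details you will need to read in the Azure ATP portal instead.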
Next steps
In this document, you learned how to connect Azure Advanced Threat Protection to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.