Connect alerts from Microsoft Defender Advanced Threat Protection

Important

Ingestion of Microsoft Defender Advanced Threat Protection logs is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

You can stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel with a single click. Once connected, Defender ATP alerts land in the Azure Sentinel workspace alongside your other data sources, where you can query them, build analytics rules on them, and correlate them with alerts from other connectors.

Prerequisites

Connect to Microsoft Defender Advanced Threat Protection

If Microsoft Defender Advanced Threat Protection is deployed and ingesting your data, the alerts can easily be streamed into Azure Sentinel.

  1. In Azure Sentinel, select Data connectors, click the Microsoft Defender Advanced Threat Protection tile and select Open connector page.
  2. Click Connect.
  3. To query the Defender ATP alerts in Log Analytics, use the SecurityAlert table and filter on the provider name: rows written by this connector have a ProviderName of MDATP.
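The following KQL query is an added example for the procedure above; it is not part of the original page. It assumes the connector has already been enabled and that alerts are present in the SecurityAlert table with ProviderName set to MDATP. Column names follow the SecurityAlert schema; the seven-day window and the severity filter are assumptions you can change. Run it in Log Analytics to confirm that the connector is actually writing data and to get a first view of which machines are generating alerts.

```kusto
// Added example (not from the original page): confirm MDATP alerts are
// flowing into Azure Sentinel and summarize them per affected entity.
// Assumptions: the connector is enabled; the 7-day window and the
// High/Medium severity filter are arbitrary choices for this example.
SecurityAlert
| where TimeGenerated > ago(7d)
// Rows produced by this connector carry the provider name MDATP.
| where ProviderName == "MDATP"
| where AlertSeverity in ("High", "Medium")
| project TimeGenerated, AlertName, AlertSeverity, Status, CompromisedEntity, Tactics, AlertLink
// One row per affected entity and severity, with the distinct alert
// names seen and the most recent alert time, so the noisiest hosts
// sort to the top.
| summarize AlertCount = count(),
            LatestAlert = max(TimeGenerated),
            AlertNames = make_set(AlertName)
  by CompromisedEntity, AlertSeverity
| order by AlertCount desc
```

If the query returns no rows shortly after you click Connect, wait a few minutes and drop the severity filter before assuming the connector failed; the ProviderName filter is the check that distinguishes Defender ATP alerts from those written by other connectors into the same table.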

Next steps

In this document, you learned how to connect Microsoft Defender ATP to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: