Connect alerts from Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)

Important

  • Microsoft Defender for Endpoint was formerly known as Microsoft Defender Advanced Threat Protection or MDATP.

    You may see the old name still in use in the product (including its data connector in Azure Sentinel) for a period of time.

  • Ingestion of Microsoft Defender for Endpoint alerts is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft Defender for Endpoint into Azure Sentinel. This will enable you to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.

Note

To ingest the new raw data logs from Microsoft Defender for Endpoint's advanced hunting, use the new connector for Microsoft 365 Defender (formerly Microsoft Threat Protection, see documentation).

Prerequisites

Connect to Microsoft Defender for Endpoint

If Microsoft Defender for Endpoint is deployed and ingesting your data, the alerts can easily be streamed into Azure Sentinel.

  1. In Azure Sentinel, select Data connectors, select Microsoft Defender for Endpoint (may still be called Microsoft Defender Advanced Threat Protection) from the gallery and select Open connector page.

  2. Click Connect.

  3. To query Microsoft Defender for Endpoint alerts in Logs, enter SecurityAlert in the query window, and add a filter where Provider name is MDATP.
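The query from step 3 written out in KQL, as an added example that is not part of the original page: it applies the provider filter and then summarizes the ingested alerts by severity so you can confirm the connector is delivering data. Only `SecurityAlert` and `ProviderName == "MDATP"` come from the steps above; the other column names (`AlertName`, `AlertSeverity`, `Status`, `CompromisedEntity`, `Tactics`, `AlertLink`) are assumed to match the standard `SecurityAlert` schema.

```kusto
// Added example (not from the original page).
// Defender for Endpoint alerts received in the last 24 hours, filtered on the
// provider name exactly as step 3 describes. The provider still reports the
// old product name, MDATP, so that is the value to match on.
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProviderName == "MDATP"
// Assumed standard SecurityAlert columns, kept to the fields useful for triage.
| project TimeGenerated, AlertName, AlertSeverity, Status, CompromisedEntity, Tactics, AlertLink
// Roll up by severity and alert name; an empty result here after enabling the
// connector is the first sign that ingestion has not started yet.
| summarize AlertCount = count(), LatestAlert = max(TimeGenerated) by AlertSeverity, AlertName
| order by AlertSeverity asc, AlertCount desc
```

Drop the `summarize` line to see the individual alerts with their `AlertLink` for pivoting back into the Defender for Endpoint portal.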

Next steps

In this document, you learned how to connect Microsoft Defender for Endpoint to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: