Microsoft Defender ATP

Service Connector Note

The events for Microsoft Defender Advanced Threat Protection (ATP) are collected through the Microsoft Security Service Connector. Follow the "Microsoft Security documentation for log collection" guide for setup. The rest of this page covers specifics of the Microsoft Defender ATP collection that may be required for it to function properly.

Role Information

Microsoft Defender Advanced Threat Protection (ATP) requires user roles in addition to those required by the Microsoft Graph Security API. Only users who hold both the Microsoft Defender ATP roles and the Microsoft Graph Security API roles can access Microsoft Defender ATP data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.
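
An added example, not part of the original documentation or of the connector: a diagnostic that decodes an access token's claims to confirm it is application-only (permissions in `roles`, no `scp` claim) before it is used for collection. The permission name `SecurityEvents.Read.All`, the helper names and the sample tokens are assumptions constructed for illustration; the signature is not verified here.

```python
import base64
import json

# Assumption: the Graph Security API application permission granted to the connector app.
REQUIRED_ROLE = "SecurityEvents.Read.All"


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims: dict) -> str:
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles' and no 'scp'."""
    if "scp" in claims:
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "unknown"


def check_connector_token(jwt: str, required_role: str = REQUIRED_ROLE):
    """Return (kind, problems); an empty problem list means the token fits the recommendation."""
    claims = decode_claims(jwt)
    kind = token_kind(claims)
    problems = []
    if kind != "app-only":
        problems.append(f"token is {kind}; access depends on the signed-in user's roles")
    elif required_role not in claims["roles"]:
        problems.append(f"missing application permission {required_role}")
    return kind, problems


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: one app-only token, one delegated (user) token.
APP_SAMPLE = make_sample({"aud": "https://graph.microsoft.com", "roles": [REQUIRED_ROLE]})
USER_SAMPLE = make_sample({"aud": "https://graph.microsoft.com", "scp": REQUIRED_ROLE})

if __name__ == "__main__":
    for name, tok in (("app", APP_SAMPLE), ("user", USER_SAMPLE)):
        print(name, check_connector_token(tok))
```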