Forum Discussion
FrankM670
Sep 26, 2019, Copper Contributor
Azure ATP alerts from MCAS and Graph
Hi, for my current customer we are trying to integrate O365 ATP and Azure ATP alerts into their current SIEM. We have enabled the MCAS integration for Azure ATP. This enables us to get the security ...
Astrid McClean
Sep 27, 2019, Former Employee
Hi Frank,
While the ExternalID is not available in the MCAS version of the syslog alert, today the unique alert id is available. For example:
2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from ……..
Note that in the MCAS version of the alerts, the external ID field is the alert id, not the alert type id (which is what Azure ATP used).
Regards,
Astrid
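The sample line above shows the two identifiers a SIEM integration has to keep apart: the alert type in the CEF header (DeviceEventClassID) and the unique alert id in the externalId extension. The parser below is an added example, not code from the thread or from Microsoft; the CEF line is the one quoted above with the elided tail of msg replaced by a constructed placeholder, and the output field names are my own choice.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed sample: the MCAS/Azure ATP CEF line quoted in the reply above, with
# the message tail the post elides ("……..") replaced by a placeholder host name.
SAMPLE_LINE = (
    "2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|"
    "ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|"
    "externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 "
    "end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from PLACEHOLDER-HOST"
)

# The seven pipe-delimited CEF header fields, in order (names are my own).
HEADER_FIELDS = ("cef_version", "vendor", "product", "product_version",
                 "event_class_id", "name", "severity")


def parse_mcas_cef(line: str) -> Dict[str, Any]:
    """Parse one MCAS SIEM-agent CEF alert line into a flat dict.

    Header: seven pipe-delimited fields after 'CEF:' (a literal pipe is escaped as '\\|').
    Extension: key=value pairs whose values may contain spaces (e.g. msg=...), so the
    extension is only split where a new '<key>=' token begins.
    """
    m = re.match(r"^(?:(\S+)\s+)?CEF:(.*)$", line)      # optional syslog timestamp prefix
    if not m:
        raise ValueError("not a CEF line")
    syslog_ts, body = m.group(1), m.group(2)
    parts = re.split(r"(?<!\\)\|", body)                # split on unescaped pipes only
    if len(parts) < len(HEADER_FIELDS) + 1:
        raise ValueError("CEF header incomplete")
    rec: Dict[str, Any] = dict(zip(HEADER_FIELDS, parts[:7]))
    rec["severity"] = int(rec["severity"])
    extension = "|".join(parts[7:])                     # later pipes belong to the extension
    for km in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", extension):
        rec[km.group(1)] = km.group(2).replace(r"\=", "=")
    # The identifiers the thread distinguishes: alert *type* is the CEF
    # DeviceEventClassID header field, the unique alert *id* is externalId.
    rec["alert_type"] = rec["event_class_id"]
    rec["alert_id"] = rec.get("externalId")
    if "rt" in rec:                                     # receipt time is epoch milliseconds
        rec["rt_iso"] = datetime.fromtimestamp(int(rec["rt"]) / 1000, tz=timezone.utc).isoformat()
    rec["syslog_timestamp"] = syslog_ts
    return rec
```

Route on alert_type when writing SIEM correlation rules and use alert_id to deduplicate, since the same type recurs while the id is unique per alert.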
Segun160
Feb 17, 2020, Copper Contributor
Astrid McClean, I am having the same issues working with log integration to an external SIEM. Can you please help with how to get a list of available unique alert ids?