Forum Discussion

Tali Ash
Former Employee
Mar 11, 2020

Consume Azure ATP alerts via Microsoft Graph API

Wondering how to consume your Azure ATP alerts? Check out our Microsoft Graph API integration.

Once you enable our integration with Cloud App Security, all Azure ATP alerts can be consumed through the API.

For each alert you get its title, description, and entities.

Please share your feedback with us!

3 Replies

  • mstair
    Copper Contributor

    Hi Tali Ash, the https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration link is a 404. Is there updated documentation for integration?

    • BillTheKid
      Brass Contributor

      mstair

      You need to share telemetry between Defender for Identity and MCAS -> see integration here

      1) https://docs.microsoft.com/en-US/cloud-app-security/mdi-integration

      and

      2) https://docs.microsoft.com/en-US/defender-for-identity/mcas-integration

      Then you can consume those ~40 alerts using the MS Graph API. All ~40 Defender for Identity / Azure ATP alerts --> https://docs.microsoft.com/en-US/defender-for-identity/suspicious-activity-guide?tabs=external

      Then use the MS Graph API to receive those events in a nice format --> https://docs.microsoft.com/en-US/graph/api/resources/security-api-overview?view=graph-rest-1.0

      Here is the info-note:

      *** Microsoft Defender for Identity alerts are available via the Microsoft Cloud App Security integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Cloud App Security. Learn more about https://docs.microsoft.com/en-us/defender-for-identity/mcas-integration.
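Added example (not code from this thread, from Microsoft, or from any of the posters): once the MCAS integration described in the reply above is enabled, this Python flattens one page of Microsoft Graph Security API alerts into the title, description and entities the original post mentions, keeping only one alert source. The HTTP call and bearer token are left out, and the provider string `EXAMPLE_PROVIDER`, the `EXAMPLE_SUB` sub-provider and the placeholder ids are assumptions: confirm the real `vendorInformation.provider` value on a live alert before filtering on it.

```python
import json
from urllib.parse import quote

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"

# Constructed sample page (placeholder ids/providers, not values from the thread).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "PLACEHOLDER-ALERT-ID-1", "title": "Account enumeration reconnaissance",
     "description": "An actor performed suspicious account enumeration",
     "severity": "medium",
     "vendorInformation": {"provider": "EXAMPLE_PROVIDER", "subProvider": "EXAMPLE_SUB"},
     "userStates": [{"accountName": "jdoe", "domainName": "contoso.local"}],
     "hostStates": [{"fqdn": "ws10.contoso.local", "netBiosName": "WS10"}]},
    {"id": "PLACEHOLDER-ALERT-ID-2", "title": "Unrelated alert", "severity": "low",
     "description": "From a different connector",
     "vendorInformation": {"provider": "OTHER_PROVIDER"}},
]})

def build_alerts_url(provider):
    """Request URL for one provider's alerts, filtering on vendorInformation/provider."""
    return GRAPH_ALERTS + "?$filter=" + quote(f"vendorInformation/provider eq '{provider}'")

def _user_label(state):
    # DOMAIN\account when both are present, otherwise whichever one exists
    domain, account = state.get("domainName"), state.get("accountName")
    return f"{domain}\\{account}" if domain and account else (account or domain or "")

def flatten_alert(alert):
    """Reduce one Graph Security alert to its title, description and entities."""
    vendor = alert.get("vendorInformation") or {}
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "description": alert.get("description"),
        "severity": alert.get("severity"),
        "provider": vendor.get("provider"),
        "sub_provider": vendor.get("subProvider"),
        "users": [_user_label(u) for u in alert.get("userStates") or []],
        "hosts": [h.get("fqdn") or h.get("netBiosName") or ""
                  for h in alert.get("hostStates") or []],
    }

def flatten_alerts(raw_json, provider=None):
    """Parse one page; returns (alerts, next_link) so the caller can follow @odata.nextLink."""
    page = json.loads(raw_json)
    alerts = [flatten_alert(a) for a in page.get("value", [])]
    if provider is not None:
        alerts = [a for a in alerts if a["provider"] == provider]
    return alerts, page.get("@odata.nextLink")
```

Keep requesting `next_link` until it is absent; a single page is never the full alert set.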

      • 0xFFlz
        Copper Contributor

        BillTheKid, do you know how to link MCAS alerts to Defender for Identity / ATP? Is there any ID?

        I got data from the MCAS API, but it's not clear to me how to map it to ATP; I couldn't see the ID used in ATP in the MCAS logs.

        E.g.:

        {
            "_id": "60e57XXXXXXXXXXfe4b4dfc5",
            "contextId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
            "description": "An actor on Windows10 performed suspicious account enumeration",
            "entities": [