Forum Discussion
MichaelAgnone
Aug 03, 2020 · Copper Contributor
MCAS + Azure ATP integration
Hello MCAS Team! I have a question about MCAS, I have configured Azure ATP integration with MCAS, and am looking to generate reports in MCAS for certain behavior identified by Azure ATP. As you c...
Ru
Apr 21, 2021 · MVP
I am also seeing this in a tenant, where the 'Remote code execution attempt' alert is registered in MDI, but not MCAS, despite integration being enabled. Did you ever find a solution?
- dfejag · Apr 21, 2021 · Copper Contributor
In my case, yes: in the end we found out that the first instance of the alert is sent to MCAS, but subsequent firings/updates to the same alert are not sent on (see REF).
So if you mark AATP alerts as resolved/closed in the AATP portal, you will find that when the alert fires next it will appear in the MCAS portal and, in our case, in Splunk via the SIEM agent.
(I'm using the original product names; AATP is now Defender for Identity, etc.)
REF: https://docs.microsoft.com/en-us/cloud-app-security/mdi-integration#missing-siem-alert-updates
I hope this helps other people as well.