Forum Discussion
Not all alerts in MCAS are sent on to the SIEM
Off-board support has suggested this may be the reason: "This issue affects alerts that are triggered more than once. The first instance of the alert is sent to the SIEM, but subsequent triggers of the same alert are not sent."
https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues
I'll be checking for new alerts and whether they are delivered to the SIEM.
- dfejag, Aug 12, 2020, Copper Contributor
Solved.
For completeness: I closed some alerts in the AATP portal (e.g. Suspected DCSync attack (replication of directory services)). The next time it fired, the alert appeared in the MCAS portal and in the SIEM (via the SIEM agent).
Note: subsequent triggers of the alert did not show in the SIEM, but we know why:
https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues