Azure ATP alerts from MCAS and Graph

FrankM670
New Contributor

Hi,

For my current customer we are trying to integrate O365 ATP and Azure ATP alerts into their current SIEM. We have enabled the MCAS integration for Azure ATP. This enables us to get the security alerts from Azure ATP, MCAS and Office ATP all from the MS Security Graph. However, if we pull the alerts from the Graph, the External IDs for the alerts are not being passed along in the graph. Is this normal behavior, or still a roadmap item?


@FrankM670 

Hi Frank,

 

While the ExternalID is not available in the MCAS version of the syslog alert, today the unique alert id is available. For example:

2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from ……..

Note that in the MCAS version of the alerts, the external ID field is the alert id, not the alert type id (which is what Azure ATP used).

Regards,

Astrid
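To make the point in Astrid's reply concrete, here is an added example (not part of this thread and not Microsoft code) that parses an MCAS SIEM agent CEF line like the one quoted above and keys the SIEM mapping on the alert type id in the CEF signature-ID field, while keeping the per-alert externalId for correlation. The sample line is constructed from the quoted one, with the truncated tail replaced by a placeholder host, and the ALERT_TYPE_MAP entry is a hypothetical SIEM-side table.

```python
import re
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample, modelled on the MCAS SIEM agent line quoted in the thread;
# the externalId value and message text are placeholders, not real alert data.
SAMPLE = ("2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|"
          "ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|"
          "externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 "
          "end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from HOST1")

# Hypothetical SIEM-side mapping keyed on the alert *type* id (CEF signature-ID
# field). The free-text Name field is deliberately not used as a key, because
# descriptions may be reworded while the type id stays stable.
ALERT_TYPE_MAP = {
    "ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT": "AATP: Suspicious VPN connection",
}

@dataclass
class CefAlert:
    vendor: str
    product: str
    version: str
    signature_id: str   # alert type id (stable)
    name: str           # human-readable description (may change)
    severity: int
    ext: Dict[str, str] = field(default_factory=dict)

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # '|' not escaped by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of each key=value pair

def parse_mcas_cef(line: str) -> CefAlert:
    """Parse one CEF line (optionally prefixed by a syslog timestamp)."""
    body = line[line.index("CEF:"):]
    parts = _HEADER_SPLIT.split(body, maxsplit=7)   # 7 header fields + extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line with 7 header fields")
    _, vendor, product, version, sig_id, name, severity, extension = parts
    ext: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(extension))
    for i, m in enumerate(keys):   # values may contain spaces (e.g. msg=...)
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[m.group(1)] = extension[m.end():end].strip().replace("\\=", "=")
    return CefAlert(vendor, product, version, sig_id, name.replace("\\|", "|"),
                    int(severity), ext)

def classify(line: str) -> tuple:
    """Return (alert type id, SIEM label, per-alert externalId)."""
    a = parse_mcas_cef(line)
    return a.signature_id, ALERT_TYPE_MAP.get(a.signature_id, "unmapped"), a.ext.get("externalId")
```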

@Astrid McClean ,

Thanks for that! Is there a list of those IDs that we can map back to an alert, like there is for the externalID in the syslog messages? As I assume it is still not advised to filter on descriptions as these might be updated.

thanks.
