Not all Alerts in mcas are sent on to the siem


Hi all


We have connected mcas to our siem using the siem agent/token. We receive Alerts and Activity data. However, not all Alerts I can see on the mcas Alerts page can be found in the siem.


None of the Azure ATP alerts that show in mcas (i.e. Suspected DCSync attack (replication of directory services) or Remote code execution attempt) can be found in the siem.


We had hoped to use mcas as a broker for M365 ATP services like AATP, O365ATP etc. Is this possible? Thanks
J


Off-board support has suggested this may be a reason: "This issue affects alerts that are triggered more than once. The first instance of the alert is sent to the SIEM, but subsequent triggers of the same alert are not sent."


https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues


I'll be checking for new Alerts and whether they are delivered to the siem.


@dfejag 


Solved.


For completeness: I closed some Alerts in the AATP portal (e.g. Suspected DCSync attack (replication of directory services)). The next time it fired, the Alert appeared in the MCAS portal and in the siem (via siem-agent).

Note: subsequent triggers of the alarm did not show in the siem, but we know why:


https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues
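A reconciliation check that separates the two situations in this thread, alerts of which no instance ever reached the SIEM versus later triggers of an alert that was already delivered once (the documented known issue). It is an added example, not code from the thread or from Microsoft; the alert records below are constructed samples standing in for an MCAS alert export and the set of alert ids the SIEM actually ingested from the SIEM agent.

```python
from collections import defaultdict

# Constructed MCAS alert export: (alert id, alert name, fired time in ISO 8601).
MCAS_ALERTS = [
    ("a1", "Suspected DCSync attack (replication of directory services)", "2020-08-01T09:00:00"),
    ("a2", "Suspected DCSync attack (replication of directory services)", "2020-08-02T11:30:00"),
    ("a3", "Remote code execution attempt", "2020-08-02T12:00:00"),
    ("a4", "Impossible travel activity", "2020-08-03T08:00:00"),
]

# Constructed set of alert ids that the SIEM received via the SIEM agent.
SIEM_ALERT_IDS = {"a1", "a4"}


def reconcile(mcas_alerts, siem_ids):
    """Classify MCAS alerts that are missing from the SIEM.

    Returns a dict with three buckets:
      "repeat_suppressed": alert name -> ids of later triggers that were not
          forwarded although the first trigger was (matches the known issue).
      "never_delivered": ids of alerts whose name never reached the SIEM at
          all; the known issue does not explain these, so investigate them.
      "other": ids missing under a delivery pattern that fits neither case.
    """
    by_name = defaultdict(list)
    for alert in mcas_alerts:
        by_name[alert[1]].append(alert)

    result = {"repeat_suppressed": {}, "never_delivered": [], "other": []}
    for name, fired in by_name.items():
        fired.sort(key=lambda a: a[2])  # oldest trigger first
        delivered = [a[0] for a in fired if a[0] in siem_ids]
        missing = [a[0] for a in fired if a[0] not in siem_ids]
        if not missing:
            continue  # every trigger of this alert arrived; nothing to report
        if delivered == [fired[0][0]]:
            # Only the first trigger was forwarded: the documented behaviour.
            result["repeat_suppressed"][name] = missing
        elif not delivered:
            result["never_delivered"].extend(missing)
        else:
            result["other"].extend(missing)
    return result


if __name__ == "__main__":
    for bucket, ids in reconcile(MCAS_ALERTS, SIEM_ALERT_IDS).items():
        print(bucket, ids)
```

Anything landing in "never_delivered" is worth raising with support, since the known issue only accounts for the "repeat_suppressed" bucket.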