Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

MCAS + Azure ATP integration

Copper Contributor

Hello MCAS Team!

 

I have a question about MCAS, I have configured Azure ATP integration with MCAS, and am looking to generate reports in MCAS for certain behavior identified by Azure ATP. As you can see in my screenshots below, I see a number of alerts generated by the "Remote Code Execution Attempt" policy in ATP, but don't see it in MCAS. Any ideas on why that could be?

3 Replies

@MichaelAgnone 

 

What about on the MCAS Alerts page, do you see them there?

I am also seeing this in a tenant, where the 'Remote code execution attempt' alert is registered in MDI, but not MCAS, despite integration being enabled. Did you ever find a solution?

@Ru 

 

In my case, Yes in the end we found out that the first instance of the alert is sent to MCAS but subsequent firings/updates to the same Alert are not sent on (see REF). 

So if you mark AATP alerts as resolved/closed in AATP portal, you will find that when the Alert fires next it will appear in MCAS portal and, in our case, in Splunk via siem agent.

 

(I'm using original product names - AATP is now Defender for Identity etc)

 

REF: https://docs.microsoft.com/en-us/cloud-app-security/mdi-integration#missing-siem-alert-updates

 

I hope this helps other people as well.