Aug 03 2020 05:53 AM
Hello MCAS Team!
I have a question about MCAS. I have configured Azure ATP integration with MCAS, and am looking to generate reports in MCAS for certain behavior identified by Azure ATP. As you can see in my screenshots below, I see a number of alerts generated by the "Remote Code Execution Attempt" policy in ATP, but don't see them in MCAS. Any ideas on why that could be?
Aug 06 2020 07:29 AM
Apr 21 2021 06:29 AM
Apr 21 2021 01:49 PM - edited Apr 21 2021 01:51 PM
In my case, yes: in the end we found out that the first instance of the alert is sent to MCAS, but subsequent firings/updates to the same alert are not sent on (see REF).
So if you mark AATP alerts as resolved/closed in the AATP portal, you will find that when the alert fires next it will appear in the MCAS portal and, in our case, in Splunk via the SIEM agent.
(I'm using the original product names - AATP is now Defender for Identity, etc.)
REF: https://docs.microsoft.com/en-us/cloud-app-security/mdi-integration#missing-siem-alert-updates
I hope this helps other people as well.