Not all Alerts in mcas are sent on to the siem

Question

Hi all&nbsp;We have connected mcas to our siem using the siem agent/token. We receive Alerts and Activity data. However not all Alerts I can see in mcas Alerts page can be found in the siem.&nbsp;None of the Azure ATP alerts that show in mcas (i.e.&nbsp;Suspected DCSync attack (replication of directory services) or&nbsp;Remote code execution attempt) can be found in the siem.&nbsp;We had hoped to use mcas as a broker for M365 ATP services like AATP, O365ATP etc. Is this possible? ThanksJ

dfejag · Answer

Off-board support has suggested, this may be a reason - "This issue affects alerts that are triggered more than once. The first instance of the alert is sent to the SIEM, but subsequent triggers of the same alert are not sent."

https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues

I'll be checking for new Alerts and whether they are delivered to the siem.

dfejag · Answer

dfejag&nbsp;&nbsp;Solved.&nbsp;For completeness. I closed some Alerts in AATP portal (e.g.&nbsp;Suspected DCSync attack (replication of directory services)). Next time it fired the Alert appeared in MCAS port and in the siem (via siem-agent).Note: subsequent triggers of the alarm did not show in siem - but we know why:&nbsp;https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues&nbsp;

Forum Discussion

Not all Alerts in mcas are sent on to the siem

Share

Resources