Jul 22 2020 09:09 AM
Hi all
We have connected MCAS to our SIEM using the SIEM agent/token. We receive Alerts and Activity data. However, not all Alerts I can see in the MCAS Alerts page can be found in the SIEM.
None of the Azure ATP alerts that show in MCAS (i.e. Suspected DCSync attack (replication of directory services) or Remote code execution attempt) can be found in the SIEM.
We had hoped to use MCAS as a broker for M365 ATP services like AATP, O365 ATP, etc. Is this possible? Thanks
J
Aug 10 2020 03:52 AM
Off-board support has suggested this may be a reason: "This issue affects alerts that are triggered more than once. The first instance of the alert is sent to the SIEM, but subsequent triggers of the same alert are not sent."
https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues
I'll be checking for new Alerts and whether they are delivered to the SIEM.
Aug 12 2020 08:44 AM
Solved.
For completeness: I closed some Alerts in the AATP portal (e.g. Suspected DCSync attack (replication of directory services)). The next time it fired, the Alert appeared in the MCAS portal and in the SIEM (via the SIEM agent).
Note: subsequent triggers of the alarm did not show in the SIEM, but we know why:
https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration#known-issues
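The behaviour described in the thread (the first trigger of an alert reaches the SIEM, later re-triggers of the same alert do not) is easy to miss in day-to-day monitoring. Below is an added reconciliation check, not code from Microsoft or from the MCAS SIEM agent, that compares what the MCAS Alerts page shows against what the SIEM actually ingested and flags alerts whose repeat triggers were dropped. The input shapes (an alert id, its trigger timestamps, and the SIEM's ingested records keyed by the same id), the alert ids and all timestamps are constructed assumptions for the example.

```python
"""Reconcile alerts seen in the MCAS portal against alerts that reached the SIEM.

Hypothetical helper, not MCAS or SIEM agent code. Assumed input shapes:
  mcas_alerts: list of {"id", "source", "title", "triggers": [ISO-8601 timestamps]}
  siem_alerts: list of {"id", "timestamp"} as ingested from the SIEM agent feed
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data: what the MCAS Alerts page shows (ids and times are made up).
MCAS_ALERTS = [
    {"id": "aatp-0001", "source": "Azure ATP",
     "title": "Suspected DCSync attack (replication of directory services)",
     "triggers": ["2020-07-20T10:00:00Z", "2020-07-21T10:05:00Z", "2020-07-22T09:00:00Z"]},
    {"id": "aatp-0002", "source": "Azure ATP",
     "title": "Remote code execution attempt",
     "triggers": ["2020-07-21T12:00:00Z"]},
    {"id": "mcas-0003", "source": "MCAS",
     "title": "Multiple failed login attempts",
     "triggers": ["2020-07-21T08:00:00Z", "2020-07-22T08:00:00Z"]},
]

# Constructed sample data: alert records the SIEM actually ingested via the SIEM agent.
SIEM_ALERTS = [
    {"id": "aatp-0001", "timestamp": "2020-07-20T10:01:30Z"},
    {"id": "mcas-0003", "timestamp": "2020-07-21T08:00:45Z"},
    {"id": "mcas-0003", "timestamp": "2020-07-22T08:01:10Z"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reconcile(mcas_alerts, siem_alerts, tolerance_s=300):
    """Match each MCAS trigger to a SIEM record with the same id ingested within
    tolerance_s seconds after it, and classify every alert by delivery status."""
    by_id = defaultdict(list)
    for rec in siem_alerts:
        by_id[rec["id"]].append(_parse(rec["timestamp"]))

    report = []
    for alert in mcas_alerts:
        triggers = sorted(_parse(t) for t in alert["triggers"])
        unmatched = sorted(by_id.get(alert["id"], []))
        delivered, missing = [], []
        for t in triggers:
            # Each SIEM record may satisfy only one trigger, so consume it on match.
            hits = [s for s in unmatched if 0 <= (s - t).total_seconds() <= tolerance_s]
            if hits:
                unmatched.remove(hits[0])
                delivered.append(t)
            else:
                missing.append(t)

        if not delivered:
            status = "never_delivered"            # nothing for this alert reached the SIEM
        elif missing and delivered[0] == triggers[0]:
            status = "repeat_triggers_dropped"    # first trigger arrived, re-triggers did not
        elif missing:
            status = "partially_delivered"
        else:
            status = "ok"

        report.append({"id": alert["id"], "source": alert["source"],
                       "title": alert["title"], "status": status,
                       "missing": [t.isoformat() for t in missing]})
    return report


def summarize(report):
    """Count alerts per delivery status, for a quick health view of the feed."""
    counts = defaultdict(int)
    for row in report:
        counts[row["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = reconcile(MCAS_ALERTS, SIEM_ALERTS)
    for row in rows:
        print(f'{row["status"]:24} {row["source"]:10} {row["title"]}  missing={row["missing"]}')
    print(summarize(rows))
```

Alerts classified as `repeat_triggers_dropped` are the ones the known-issue text explains; `never_delivered` points at a different gap (the alert was never forwarded at all, as in the original question before the alert was closed and re-fired) and is worth raising separately. Running this on a schedule against an export of the MCAS Alerts page and the SIEM's ingested alert table gives a simple control that the broker path is still working.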