Azure AD alerts through MCAS


Hi all, I am currently working on parsing Azure AD, Office 365 and Defender ATP logs routed through MCAS for a custom SIEM. I seem to be having some issues with finding the ExternalID field in the logs. I read somewhere on this forum that when using MCAS, a unique alert ID is used instead.


For example:

2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer ....


Does Microsoft provide a list or page of the available unique alert IDs?

1 Reply

Hi @Segun160 


The unique ID that you are referencing is used when the alert data is sent from AATP to your SIEM. However, when the alert data is sent from MCAS, this data is not included.


You can see more information here. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=ext...


Best

Gershon [MSFT]
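The question's sample line and the reply's caveat both come down to reading the MCAS SIEM-agent CEF record correctly: the signature ID (ALERT_EXTERNAL_AATP_...) sits in the pipe-delimited header, while externalId, rt, start, end and msg are key=value extensions. The parser below is an added example, not code from the thread or from Microsoft. It applies the standard CEF escaping rules (`\|` and `\\` in header fields, `\=`, `\\`, `\n`, `\r` in extension values), treats the leading ISO timestamp the agent prefixes to the line as optional, and converts the epoch-millisecond rt field back to a timestamp. The sample input is the CEF line from the question with the poster's trailing "...." dropped; it simply exposes whatever value the line carries under externalId, and does not claim that value is the AATP unique external ID that the reply says is absent when alerts arrive via MCAS.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the CEF line from the question above, with the trailing
# "...." (the poster's elision) dropped so the msg value ends cleanly.
SAMPLE_LINE = (
    "2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|"
    "ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|"
    "externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 "
    "end=1565530048750 msg=XXX connected to a VPN using abnormalComputer"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys are bare tokens at the start of the extension or after whitespace,
# immediately followed by '='. Values may contain spaces, so we split on key positions.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# The MCAS SIEM agent prefixes "<timestamp> " before "CEF:"; treat that prefix as optional.
_LINE_RE = re.compile(r"^(?:(?P<ts>\S+)\s+)?CEF:(?P<body>.*)$", re.DOTALL)


def _split_header(body):
    """Split the 7 '|'-delimited header fields; a backslash escapes '|' and '\\' there."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    return fields, body[i:]          # remainder is the extension string


def _unescape(value):
    """Undo CEF extension escapes: backslash-'=' and backslash-backslash become the
    literal character; backslash-n / backslash-r become newline / carriage return."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Parse 'key=value key=value ...' into a dict, keeping spaces inside values."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def _epoch_ms_to_iso(ms):
    """rt/start/end carry epoch milliseconds; render them like the line's own prefix."""
    ms = int(ms)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def parse_mcas_cef(line):
    """Parse one MCAS SIEM-agent CEF line into header fields plus an 'extension' dict.

    'received_at' is the agent's timestamp prefix (None if absent); 'alert_time' is the
    rt extension converted from epoch milliseconds (None if rt is missing or non-numeric).
    """
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(m.group("body"))
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["received_at"] = m.group("ts")
    rec["extension"] = _parse_extension(ext)
    rt = rec["extension"].get("rt")
    rec["alert_time"] = _epoch_ms_to_iso(rt) if rt and rt.isdigit() else None
    return rec


if __name__ == "__main__":
    rec = parse_mcas_cef(SAMPLE_LINE)
    print(rec["signature_id"], rec["severity"], rec["alert_time"])
    print(rec["extension"])
```

On the sample line, signature_id parses as ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT, severity as 6, externalId as 5d5017c309cca27735a01e8d, and the rt value converts to 2019-08-11T13:27:28.750Z, matching the agent's own timestamp prefix. Splitting extensions on key positions rather than on every space is what keeps a free-text msg value intact; the key regex only fires on a bare token directly followed by '=', so an unescaped '=' inside something like a URL in a value does not start a new key.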