Forum Discussion
Azure ATP alerts from MCAS and Graph
Hi Frank,
While the ExternalID is not available in the MCAS version of the syslog alert, today the unique alert id is available. For example:
2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from ……..
Note that in the MCAS version of the alerts, the external ID field is the alert id, not the alert type id (which is what Azure ATP used).
Regards,
Astrid
- FrankM670, Sep 30, 2019, Copper Contributor
Thanks for that! Is there a list of those IDs that we can map back to an alert, like there is for the externalID in the syslog messages? As I assume it is still not advised to filter on descriptions, as these might be updated.
Thanks.
- Segun160, Feb 17, 2020, Copper Contributor
FrankM670 Did you manage to solve this? Can you please help with how you did it?
- Astrid McClean, Feb 18, 2020, Microsoft
All the unique ids have now been documented here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external#security-alert-name-mapping-and-unique-external-ids
See the Cloud App Security IDs tab for the names you see via MCAS and the Graph API.
- Segun160, Feb 17, 2020, Copper Contributor
Astrid McClean I am having the same issues working with log integration to an external SIEM. Can you please help with how to get a list of available unique alert IDs?