Azure ATP alerts from MCAS and Graph

Copper Contributor


for my current customer we are trying to integrate O365 ATP and Azure ATP alerts into their current SIEM. we have enabled the MCAS integration for Azure ATP. this enables us to get the security alert from both Azure ATP, MCAS and Office ATP all from the MS security Graph. However is we pull the alerts from the Graph the External ID's for the alerts are not being passed along in the graph. Is this normal behavior? or still a roadmap item? 

5 Replies


Hi Frank,


While the ExternalID is not available in the MCAS version of the syslog alert, today the unique alert id is available. For example:


2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from ……..


Note that in the MCAS version of the alerts, the external ID field is the alert id, not the alert type id (which is what Azure ATP used).




@Astrid McClean ,


Thanks for that! is there a list of those ID's that we van map back to an Alert? like there is for the externalID in the syslog messages? as i assume it is still not advised to filter on descriptions as these might be updated.




@Astrid McClean I am having the same issues working with Log integration to an external SIEM, can you please help with how to get a list of available unique alert id 

@FrankM670 Did you manage to solve this ? can you please help with how you did ?


All the unique ids have now been documented here: 


See the Cloud App Security IDs tab for the names you see via MCAS and the Graph API.