@mstair 

You need to share telemetry between Defender for Identity and MCAS -> see integration here

1) https://docs.microsoft.com/en-US/cloud-app-security/mdi-integration

and

2) https://docs.microsoft.com/en-US/defender-for-identity/mcas-integration

then you can consume those 40~ alerts using MS-Graph API. All 40~ Defender for Identity / Azure ATP alerts --> https://docs.microsoft.com/en-US/defender-for-identity/suspicious-activity-guide?tabs=external

Then use the MS-Graph API to receive those events in a nice format --> https://docs.microsoft.com/en-US/graph/api/resources/security-api-overview?view=graph-rest-1.0

Here is the info-note:

*** Microsoft Defender for Identity alerts are available via the Microsoft Cloud App Security integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Cloud App Security. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Cloud App Security.

@BillTheKid , do you know how to link MCAS alerts to Defender Identity ATP? Is there any ID?

I got data from MCAS API but it's not clear to me how to map to ATP, I couldn't see the id used on ATP on MCAS logs.

E.g

{
"_id": "60e57XXXXXXXXXXfe4b4dfc5",
"contextId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"description": "An actor on Windows10 performed suspicious account enumeration",
"entities": [