Consume Azure ATP alerts via Microsoft Graph API


Wondering how to consume your Azure ATP alerts? Check out our Microsoft Graph API integration.


Once you enable our integration with Cloud App Security, all Azure ATP alerts can be consumed through the API.


For each alert you get its title, description, and entities.


Please share your feedback with us!

3 Replies

Hi @Tali Ash, the link is a 404. Is there updated documentation for integration?



You need to share telemetry between Defender for Identity and MCAS -> see integration here





Then you can consume those ~40 alerts using the MS-Graph API. All ~40 Defender for Identity / Azure ATP alerts -->


Then use the MS-Graph API to receive those events in a nice format -->


Here is the info-note:

*** Microsoft Defender for Identity alerts are available via the Microsoft Cloud App Security integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Cloud App Security. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Cloud App Security.

@BillTheKid, do you know how to link MCAS alerts to Defender Identity ATP? Is there any ID?


I got data from the MCAS API, but it's not clear to me how to map it to ATP; I couldn't see the ID used on ATP in the MCAS logs.



"_id": "60e57XXXXXXXXXXfe4b4dfc5",
"description": "An actor on Windows10 performed suspicious account enumeration",
"entities": [