Consume Azure ATP alerts via Microsoft Graph API

Microsoft

Wondering how to consume your Azure ATP alerts? Check out our Microsoft Graph API integration.


Once you enable our integration with Cloud App Security, all Azure ATP alerts can be consumed through the API.


For each alert you get its title, description, and entities.


Please share your feedback with us!

3 Replies

Hi @Tali Ash, the https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration link is a 404. Is there updated documentation for integration?

@mstair 


You need to share telemetry between Defender for Identity and MCAS -> see integration here

1) https://docs.microsoft.com/en-US/cloud-app-security/mdi-integration

and

2) https://docs.microsoft.com/en-US/defender-for-identity/mcas-integration


Then you can consume those ~40 alerts using the MS Graph API. All ~40 Defender for Identity / Azure ATP alerts --> https://docs.microsoft.com/en-US/defender-for-identity/suspicious-activity-guide?tabs=external


Then use the MS-Graph API to receive those events in a nice format --> https://docs.microsoft.com/en-US/graph/api/resources/security-api-overview?view=graph-rest-1.0


Here is the info-note:

*** Microsoft Defender for Identity alerts are available via the Microsoft Cloud App Security integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Cloud App Security. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Cloud App Security.
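As an added example (not code from this thread or from Microsoft), here is a small Python client for the steps above: it requests /security/alerts from Microsoft Graph filtered to the Defender for Identity provider, follows @odata.nextLink paging, and reduces each alert to the title, description and entities the original post mentions. The provider string, the userStates/hostStates field names and the sample response are assumptions and constructed data, so the normalizer can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
# Assumed vendorInformation/provider value for Defender for Identity alerts.
PROVIDER = "Azure Advanced Threat Protection"

def alerts_url(top=50):
    """First-page URL with an OData filter on the alert provider."""
    query = {"$filter": f"vendorInformation/provider eq '{PROVIDER}'", "$top": str(top)}
    return GRAPH_ALERTS + "?" + urllib.parse.urlencode(query)

def fetch_page(url, token):
    """GET one page of alerts with a bearer token (app needs SecurityEvents.Read.All)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def normalize(alert):
    """Reduce one Graph alert to title, description and user/host entities."""
    users = [u.get("userPrincipalName") or u.get("accountName") for u in alert.get("userStates") or []]
    hosts = [h.get("fqdn") or h.get("netBiosName") for h in alert.get("hostStates") or []]
    return {"id": alert.get("id"), "title": alert.get("title"),
            "description": alert.get("description"), "severity": alert.get("severity"),
            "entities": {"users": [u for u in users if u], "hosts": [h for h in hosts if h]}}

def collect(page, next_page=None):
    """Normalize every alert, following @odata.nextLink via next_page(url) when given."""
    out = []
    while page:
        out.extend(normalize(a) for a in page.get("value", []))
        link = page.get("@odata.nextLink")
        page = next_page(link) if link and next_page else None
    return out

# Constructed sample response (not real tenant data) so the code runs offline.
SAMPLE_PAGE = {
    "@odata.nextLink": GRAPH_ALERTS + "?$skiptoken=constructed",
    "value": [
        {"id": "constructed-alert-1", "title": "Account enumeration reconnaissance",
         "description": "An actor on CONTOSO-PC1 performed suspicious account enumeration",
         "severity": "medium", "vendorInformation": {"provider": PROVIDER, "vendor": "Microsoft"},
         "userStates": [{"accountName": "jdoe", "userPrincipalName": "jdoe@contoso.com"}],
         "hostStates": [{"fqdn": "contoso-pc1.contoso.com", "netBiosName": "CONTOSO-PC1"}]},
        {"id": "constructed-alert-2", "title": "Honeytoken activity", "severity": "medium",
         "description": "Honeytoken account used", "vendorInformation": {"provider": PROVIDER},
         "userStates": [{"accountName": "honey-svc"}]},  # no hostStates on this one
    ],
}
```

Against a live tenant, call `collect(fetch_page(alerts_url(), token), lambda u: fetch_page(u, token))`; the normalizer tolerates alerts that carry no host or user entities.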

@BillTheKid , do you know how to link MCAS alerts to Defender Identity ATP? Is there any ID?


I got data from the MCAS API, but it's not clear to me how to map it to ATP; I couldn't see the ID used in ATP in the MCAS logs.


E.g.

{
"_id": "60e57XXXXXXXXXXfe4b4dfc5",
"contextId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"description": "An actor on Windows10 performed suspicious account enumeration",
"entities": [