Mar 11 2020 04:53 AM - edited Feb 07 2021 02:03 AM
Wondering how to consume your Azure ATP alerts? Check out our Microsoft Graph API integration.
Once you enable our integration with Cloud App Security, all Azure ATP alerts can be consumed through the API.
For each alert you get its title, description, and entities.
Please share your feedback with us!
Feb 05 2021 01:16 PM
Hi @Tali Ash, the https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration link is a 404. Is there updated documentation for integration?
Feb 06 2021 06:28 AM - edited Feb 06 2021 06:29 AM
You need to share telemetry between Defender for Identity and MCAS -> see integration here
1) https://docs.microsoft.com/en-US/cloud-app-security/mdi-integration
and
2) https://docs.microsoft.com/en-US/defender-for-identity/mcas-integration
then you can consume those ~40 alerts using the MS Graph API. All ~40 Defender for Identity / Azure ATP alerts --> https://docs.microsoft.com/en-US/defender-for-identity/suspicious-activity-guide?tabs=external
Then use the MS-Graph API to receive those events in a nice format --> https://docs.microsoft.com/en-US/graph/api/resources/security-api-overview?view=graph-rest-1.0
Here is the info-note:
*** Microsoft Defender for Identity alerts are available via the Microsoft Cloud App Security integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Cloud App Security. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Cloud App Security.
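The two steps above (turn on the Defender for Identity to Cloud App Security integration, then read the alerts through the Graph Security API) end with a JSON page of alerts. The script below is an added example, not code from Microsoft or from either reply in this thread: it pages through `GET /v1.0/security/alerts`, keeps only alerts whose vendor information names Defender for Identity / Azure ATP, and reduces each one to the title, description and entities the original post mentions. The provider string `"Azure Advanced Threat Protection"`, the choice to match on either `provider` or `subProvider`, and the sample alert page are assumptions constructed for the example; compare them against the first unfiltered page returned by your own tenant and adjust. The token must carry `SecurityEvents.Read.All`.

```python
"""Added example (not Microsoft's code): list Defender for Identity / Azure ATP
alerts from the Microsoft Graph Security API and keep title, description and
the named entities of each one. Standard library only."""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterator, List

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"

# Assumption: the string Graph reports in vendorInformation for alerts that
# arrive through the Cloud App Security integration. Verify in your tenant.
MDI_PROVIDER = "Azure Advanced Threat Protection"


def fetch_alerts(access_token: str, provider: str = MDI_PROVIDER, top: int = 50) -> Iterator[dict]:
    """Yield raw alert objects, following @odata.nextLink until the last page.
    Live call; not exercised offline."""
    query = urllib.parse.urlencode({
        "$filter": f"vendorInformation/provider eq '{provider}'",
        "$top": top,
    })
    url = f"{GRAPH_ALERTS}?{query}"
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # nextLink already carries the query string


def is_mdi_alert(alert: dict, provider: str = MDI_PROVIDER) -> bool:
    """Match on provider or subProvider, since the Cloud App Security pipeline
    may report itself as provider and Defender for Identity as subProvider
    (assumption; the server-side $filter above only checks provider)."""
    vendor = alert.get("vendorInformation") or {}
    return provider in (vendor.get("provider"), vendor.get("subProvider"))


def summarize_alert(alert: dict) -> Dict[str, object]:
    """Reduce a Graph security alert to title, description and its entities
    (users, hosts, IP addresses from the alert's *States collections)."""
    entities: List[Dict[str, str]] = []
    for user in alert.get("userStates") or []:
        name = user.get("userPrincipalName") or user.get("accountName")
        if name:
            entities.append({"type": "user", "name": name})
    for host in alert.get("hostStates") or []:
        name = host.get("fqdn") or host.get("netBiosName")
        if name:
            entities.append({"type": "host", "name": name})
    for conn in alert.get("networkConnections") or []:
        for key in ("sourceAddress", "destinationAddress"):
            if conn.get(key):
                entities.append({"type": "ip", "name": conn[key]})
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "description": alert.get("description"),
        "severity": alert.get("severity"),
        "entities": entities,
    }


def summarize_page(page: dict, provider: str = MDI_PROVIDER) -> List[Dict[str, object]]:
    """Apply the provider filter and the reduction to one page of results."""
    return [summarize_alert(a) for a in page.get("value", []) if is_mdi_alert(a, provider)]


# Constructed sample page in the shape of a Graph /security/alerts response.
# Identifiers and names are made up for the example.
SAMPLE_PAGE = {
    "value": [
        {
            "id": "example-alert-0001",
            "title": "Account enumeration reconnaissance",
            "description": "An actor on CONTOSO-WS01 performed suspicious account enumeration",
            "severity": "medium",
            "vendorInformation": {"provider": "Azure Advanced Threat Protection", "vendor": "Microsoft"},
            "userStates": [{"userPrincipalName": "jdoe@contoso.example", "accountName": "jdoe"}],
            "hostStates": [{"fqdn": "contoso-ws01.contoso.example", "netBiosName": "CONTOSO-WS01"}],
            "networkConnections": [],
        },
        {
            "id": "example-alert-0002",
            "title": "Impossible travel activity",
            "description": "Sign-ins from two distant locations within a short interval",
            "severity": "low",
            "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
            "userStates": [{"userPrincipalName": "asmith@contoso.example"}],
        },
    ],
    "@odata.nextLink": None,
}

if __name__ == "__main__":
    for item in summarize_page(SAMPLE_PAGE):
        print(json.dumps(item, indent=2))
```

To run against a tenant, replace the sample with `summarize_page({"value": list(fetch_alerts(token))})`; `fetch_alerts` follows `@odata.nextLink`, so it returns every page, and `is_mdi_alert` rechecks `subProvider` client-side in case the `$filter` on `provider` alone misses alerts in your tenant.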
Dec 07 2021 06:15 AM
@BillTheKid , do you know how to link MCAS alerts to Defender Identity ATP? Is there any ID?
I got data from the MCAS API, but it's not clear to me how to map it to ATP; I couldn't see the ID used on ATP in the MCAS logs.
E.g.:
{
"_id": "60e57XXXXXXXXXXfe4b4dfc5",
"contextId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"description": "An actor on Windows10 performed suspicious account enumeration",
"entities": [