Hi Frank,


While the ExternalID is not available in the MCAS version of the syslog alert, today the unique alert id is available. For example:


2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer from ……..


Note that in the MCAS version of the alerts, the external ID field is the alert id, not the alert type id (which is what Azure ATP used).