MCAS Impossible Travel alert AND original O365 Impossible Travel alert


Hello,

We have O365 Security Center sending alerts to our 3rd-party SIEM through the Management API.

MCAS sees the same O365 alert. When MCAS is integrated with the SIEM, will both alerts be seen by the SIEM?

2 Replies

@DJB This probably depends on the SIEM solution. Usually what happens is that both services are being ingested with different connectors or whatever they're called for your SIEM. In that sense, the SIEM needs to be able to determine that it's the same alert if both alerts come in via a different route.
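The reply above leaves the de-duplication to the SIEM. The following is an added example, not code from the thread or from Microsoft, of the correlation step a SIEM (or a pre-ingestion script in front of it) would need: two alerts for the same Impossible Travel event arrive through different connectors, with different identifiers, category spellings, user-name casing and timestamps, and are folded into one incident when the category and user match within a time window. The alert records, their field names and the category spellings are constructed for illustration and are not the schemas of the Office 365 Management Activity API or of MCAS.

```python
"""Added example: fold the same alert arriving via two feeds into one incident.

The records in SAMPLE_ALERTS are constructed for this example. Their field
names ("source", "category", "user", "time", "id") are assumptions, not the
real Office 365 Management Activity API or MCAS schemas.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample input: the first two records describe the same event for
# the same user, seen once by the O365 feed and once by the MCAS feed.
SAMPLE_ALERTS = [
    {"source": "o365_management_api", "category": "ImpossibleTravel",
     "user": "alice@contoso.example", "time": "2021-09-01T08:05:00Z",
     "id": "o365-alert-1"},
    {"source": "mcas", "category": "impossible_travel",
     "user": "Alice@Contoso.Example", "time": "2021-09-01T08:07:30Z",
     "id": "mcas-alert-9"},
    {"source": "mcas", "category": "impossible_travel",
     "user": "bob@contoso.example", "time": "2021-09-01T09:00:00Z",
     "id": "mcas-alert-10"},
]

# Each feed spells the alert type differently; map the variants (assumed
# spellings) onto one canonical name so they can be compared.
CATEGORY_ALIASES = {
    "impossibletravel": "impossible_travel",
    "impossible_travel": "impossible_travel",
    "impossible travel": "impossible_travel",
}


def normalize_category(raw):
    """Return the canonical category name for a feed-specific spelling."""
    key = raw.strip().lower()
    return CATEGORY_ALIASES.get(key, key)


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts into incidents keyed on (category, user) within a time window.

    Alerts are processed in time order. An alert joins an existing incident
    when the normalized category and lower-cased user match and it falls
    within `window` of the incident's latest alert; otherwise it opens a new
    incident. Comparing against the incident's last-seen time, rather than
    bucketing timestamps, avoids splitting two alerts that straddle a
    fixed bucket boundary.
    """
    incidents = []
    for alert in sorted(alerts, key=lambda a: parse_time(a["time"])):
        category = normalize_category(alert["category"])
        user = alert["user"].strip().lower()
        when = parse_time(alert["time"])
        for inc in incidents:
            if (inc["category"] == category and inc["user"] == user
                    and when - inc["last_seen"] <= window):
                inc["alert_ids"].append(alert["id"])
                inc["sources"].add(alert["source"])
                inc["last_seen"] = when
                break
        else:
            incidents.append({
                "category": category,
                "user": user,
                "first_seen": when,
                "last_seen": when,
                "alert_ids": [alert["id"]],
                "sources": {alert["source"]},
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["category"], inc["user"], sorted(inc["sources"]), inc["alert_ids"])
```

Run stand-alone, the script reports two incidents: one for alice carrying both the O365 and the MCAS alert identifiers, and one for bob from the MCAS feed only. The window length and the matching fields are the tuning knobs; a SIEM that keys only on the alert identifier will always see two separate alerts, because each feed assigns its own.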

Thanks for the reply! Appreciated.
Our MCAS deployment is in the early stages - will do some further analysis on what the SIEM ingests and how it's presented.