Hi all, I am currently working on parsing Azure AD, Office 365 and Defender ATP logs routed through MCAS for a custom SIEM. I seem to be having some issues with finding the externalId field in the logs. I read somewhere on this forum that when using MCAS the unique alert id is used instead.
2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 end=1565530048750 msg=XXX connected to a VPN using abnormalComputer ....
Does Microsoft provide a list or page of the available unique alert IDs?
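For anyone building the same kind of custom SIEM ingest, here is a small CEF parser added as an example (it is not from the original post and not Microsoft's or MCAS's code). It splits the seven pipe-delimited CEF header fields (with `\|` escapes honoured), splits the space-separated extension into key=value pairs while letting values such as `msg` contain spaces and `\=` escapes, and then flattens the fields a SIEM would key on: the `externalId` alert id, the `signature_id` alert type and the `rt` event time (epoch milliseconds, as in the sample). The only input is the line quoted in the post; the `alert_record` field names are my own choice.

```python
"""Minimal CEF (Common Event Format) parser for MCAS SIEM-agent alert lines.

Added example for this thread; the field layout follows the CEF spec and the
sample line from the post, nothing here is MCAS's own parser.
"""
import re
from datetime import datetime, timedelta, timezone

# Sample line copied from the post (the trailing "...." is the poster's truncation).
SAMPLE_LINE = (
    "2019-08-11T13:27:28.750Z CEF:0|MCAS|SIEM_Agent|0.156.145|"
    "ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT|Suspicious VPN Connection|6|"
    "externalId=5d5017c309cca27735a01e8d rt=1565530048750 start=1565530048750 "
    "end=1565530048750 msg=XXX connected to a VPN using abnormalComputer ...."
)

# The seven CEF header fields, in order, after the "CEF:" prefix.
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# Header fields are '|' separated; a literal '|' inside a field is escaped as '\|'.
_HEADER_SPLIT = re.compile(r'(?<!\\)\|')
# A new extension pair starts at whitespace followed by "key=". Escaped '\=' inside
# a value is not preceded by a bare key, so it never triggers a split.
_EXT_SPLIT = re.compile(r'\s+(?=[A-Za-z0-9_.]+=)')
_ESCAPE = re.compile(r'\\(.)')


def _unescape(value):
    """Resolve CEF backslash escapes: \\|, \\=, \\\\ become literal; \\n and \\r become newlines."""
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Turn 'k1=v1 k2=v with spaces' into a dict; later duplicate keys win."""
    result = {}
    for pair in _EXT_SPLIT.split(ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            result[key] = _unescape(value)
    return result


def parse_cef(line):
    """Parse one CEF line (optionally prefixed by a syslog/ISO timestamp) into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    prefix = line[:idx].strip()
    body = line[idx + len("CEF:"):]
    # maxsplit=7 keeps any '|' that appears inside the extension intact.
    parts = _HEADER_SPLIT.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields")
    header = dict(zip(CEF_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["version"] = int(header["version"])
    header["severity"] = int(header["severity"])
    header["received"] = prefix or None
    header["extension"] = parse_extension(parts[7])
    return header


def _ms_to_iso(ms):
    """Epoch milliseconds (as MCAS emits in rt/start/end) to an ISO-8601 UTC string."""
    ms = int(ms)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return dt.isoformat()


def alert_record(line):
    """Flatten the fields a SIEM correlation rule would key on (field names are my own)."""
    ev = parse_cef(line)
    ext = ev["extension"]
    return {
        "alert_id": ext.get("externalId"),      # the MCAS unique alert id
        "alert_type": ev["signature_id"],       # e.g. ALERT_EXTERNAL_AATP_..._SECURITY_ALERT
        "title": ev["name"],
        "severity": ev["severity"],
        "source": f'{ev["device_vendor"]}/{ev["device_product"]}',
        "event_time": _ms_to_iso(ext["rt"]) if "rt" in ext else None,
        "message": ext.get("msg"),
    }


if __name__ == "__main__":
    for k, v in alert_record(SAMPLE_LINE).items():
        print(f"{k:12} {v}")
```

The `rt` value in the sample converts to the same instant as the line's leading timestamp (13:27:28.750 UTC), which is a cheap sanity check that the epoch-milliseconds assumption holds for your feed before you rely on `rt` for correlation.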