SOLVED

PetitPotam - Defender For Identity Alert IDs


This blog indicates PetitPotam is now detected by Defender For Identity. But what is the corresponding Alert ID? 

https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/petitpotam-microsoft-defende...

 

The Alert IDs have not been updated since October 2020:

https://docs.microsoft.com/en-us/defender-for-identity/suspicious-activity-guide?tabs=cloud-app-secu...

6 Replies
The alert ID for PetitPotam alert is 2416.

Hi @Eli Ofek, thanks for the info. Please could you tell me the corresponding Cloud App Security ID for this? e.g. 2002 == ALERT_EXTERNAL_AATP_ABNORMAL_KERBEROS_OVERPASS_THE_HASH_SECURITY_ALERT

 

Hopefully the documentation could be updated to include Alert IDs 2412-2416.

https://docs.microsoft.com/en-us/defender-for-identity/suspicious-activity-guide?tabs=cloud-app-secu...

I don't know, but I pinged the relevant PM to check this out.
best response confirmed by RogerB1500 (New Contributor)
Solution
Refresh the docs page and let me know if you can find the missing id's now...
Perfect, thanks!