Background: We have seen some updates to the Defender platform in our tenant this week. Additionally, we did some testing with Azure Sentinel over the weekend, and thus, unfortunately, we are not sure about any possible interference there. Additional Sentinel connectors have been disabled after a round of testing.
Process to replicate: Investigate risky users, starting with M365 Security as an entry point. This routes to Risky users in Azure. Select an entry, then select Investigate with Azure ATP. This lands in MCAS under the user, and there are no alerts or user activity listed.

Questions: Does connecting to Sentinel alter the internal/default behaviors of the features/systems themselves, such as MCAS, MDE, OATP, etc.? Is there a baseline or documented default or recommendations for MCAS alert/activity settings/policies? (I noticed that alert suppression for "Risky sign-in" is now set to "High".)