TheGregle-0373 asked MarileeTurscak-MSFT answered

Risky user activity not showing in MCAS

Background: We have seen some updates to the Defender platform in our tenant this week. Additionally, we did some testing with Azure Sentinel over the weekend, thus unfortunately, we are not sure of any possible interference there. Additional Sentinel connectors have been disabled after a round of testing.

Process to replicate: Investigate risky users, starting with M365 Security as an entry point. This routes to Risky users in Azure. Select an entry, then select Investigate with Azure ATP. This lands in MCAS under the user, and there are no alerts or user activity listed.

Questions: Does connecting to Sentinel alter the internal/default behaviors of the features/systems themselves, such as MCAS, MDE, OATP, etc.? Is there a baseline or documented default or recommendations for MCAS alert/activity settings/policies? (I noticed that alert suppression for "Risky sign-in" is now set to "High".)

azure-sentinel

1 Answer

MarileeTurscak-MSFT answered

Hi @TheGregle-0373,

How long did you have the Sentinel connectors enabled? It may take 24 hours for the data to show up after enabling a connector. I'm not sure if there's a conflict (checking with the Sentinel team on that one), but it looks like someone with a similar issue was able to get these by querying for the alerts.

 // who is providing alerts
 SecurityAlert
 | summarize count() by ProviderName

 // which alerts and names, sorted by severity
 SecurityAlert
 | summarize count() by ProviderName, AlertName, AlertSeverity
 | sort by AlertSeverity desc


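The two queries in the answer tell you which providers are writing to SecurityAlert at all. To narrow this down to the user that shows up empty in MCAS, and to check whether the 24-hour ingestion lag the answer mentions is what you are seeing, the following KQL is an added example (not from the original answer or from Microsoft). It assumes the workspace has the SecurityAlert table populated by the Microsoft 365 Defender / Azure AD Identity Protection connectors, that the provider names "MCAS", "IPC" and "Azure Advanced Threat Protection" are the ones used in your tenant (check with the first query above), and that `user@contoso.example` is a placeholder UPN to replace with the risky user's.

```kusto
// Added example, not part of the original answer.
// 1) Per-provider view: when did each provider last write an alert, and how far
//    behind the alert timestamp was ingestion? A provider with no rows here, or a
//    LastSeen older than the connector enablement time, has not started flowing yet.
SecurityAlert
| where TimeGenerated > ago(7d)
| extend IngestDelayMinutes = datetime_diff("minute", ingestion_time(), TimeGenerated)
| summarize Alerts = count(),
            LastSeen = max(TimeGenerated),
            MaxIngestDelayMinutes = max(IngestDelayMinutes)
  by ProviderName, ProductName
| sort by LastSeen desc

// 2) Per-user view: alerts from the identity/cloud-app providers that name the
//    risky user either as the compromised entity or inside the Entities JSON.
let targetUser = "user@contoso.example";   // assumption: placeholder UPN, replace with the risky user's UPN
let identityProviders = dynamic(["MCAS", "IPC", "Azure Advanced Threat Protection"]);   // assumption: provider names to verify with query 1
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName in (identityProviders)
| extend IngestDelayMinutes = datetime_diff("minute", ingestion_time(), TimeGenerated)
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "account"
| extend EntityUpn = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
| where EntityUpn == tolower(targetUser) or tolower(CompromisedEntity) == tolower(targetUser)
| project TimeGenerated, ProviderName, AlertName, AlertSeverity, Status, IngestDelayMinutes
| sort by TimeGenerated desc
```

If query 1 lists the provider but query 2 returns nothing for the user, the alert never existed or was suppressed upstream (for example by the "Risky sign-in" suppression level noted in the question); if query 1 is empty for the provider altogether, the connector has not delivered data yet and the ingestion delay, not MCAS itself, is the more likely explanation.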