Risky user activity not showing in MCAS

Gregle 1 Reputation point
2021-02-10T03:33:16.18+00:00

Background: We have seen some updates to the Defender platform in our tenant this week. Additionally, we did some testing with Azure Sentinel over the weekend, thus unfortunately, we are not sure of any possible interference there. Additional Sentinel connectors have been disabled after a round of testing.

Process to replicate: Investigate risky users, starting with M365 Security as an entry point. This routes to Risky users in Azure. Select an entry, then select Investigate with Azure ATP. This lands in MCAS under the user, and there are no alerts or user activity listed.

Questions: Does connecting to Sentinel alter the internal/default behaviors of the features/systems themselves, such as MCAS, MDE, OATP, etc.? Is there a baseline or documented default or recommendations for MCAS alert/activity settings/policies? (I noticed that alert suppression for "Risky sign-in" is now set to "High")

Microsoft Sentinel

1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-02-10T23:45:29.41+00:00

    Hi @TheGregle-0373,

    How long did you have the Sentinel connectors enabled? It may take 24 hours for the data to show up after enabling a connector. I'm not sure if there's a conflict (checking with the Sentinel team on that one), but it looks like someone with a similar issue was able to get these by querying for the alerts.

    // who is providing alerts
    SecurityAlert
    | summarize count() by ProviderName
    
    // which alerts and names, sorted by severity
    SecurityAlert
    | summarize count() by ProviderName, AlertName, AlertSeverity 
    | sort by AlertSeverity desc 
    
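As an added example (not part of the answer above or of any Microsoft documentation), the queries below extend the provider breakdown to the two checks a defender would run next in the Log Analytics workspace: whether any SecurityAlert rows mention the specific user being investigated, and when each provider first started delivering alerts after the connectors were enabled. The UPN, the look-back windows and the daily bin size are assumptions to adjust.

```kql
// Added example, not from the original answer.
// Assumed placeholder UPN of the user shown as risky in the portal.
let targetUser = "first.last@contoso.example";
// 1) Alerts that reference the user, with the lag between the alert's
//    StartTime and when it landed in the workspace (TimeGenerated).
//    A large IngestLagMin, or no rows at all, points at connector latency
//    rather than at MCAS itself suppressing the alert.
SecurityAlert
| where TimeGenerated > ago(7d)              // assumed window
| where Entities has targetUser or CompromisedEntity =~ targetUser
| extend IngestLagMin = datetime_diff('minute', TimeGenerated, StartTime)
| project TimeGenerated, ProviderName, ProductName, AlertName,
          AlertSeverity, CompromisedEntity, Status, IngestLagMin
| sort by TimeGenerated desc;
// 2) Per-provider daily counts and first-seen time. Providers that only
//    appear on the day the connector was turned on are still backfilling;
//    a provider missing entirely means its connector is off or disconnected.
SecurityAlert
| where TimeGenerated > ago(14d)             // assumed window
| summarize Alerts = count(), FirstSeen = min(TimeGenerated)
    by ProviderName, Day = bin(TimeGenerated, 1d)
| sort by ProviderName asc, Day asc
```

Run each query separately if the workspace UI does not accept a semicolon-separated batch.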