SergioT1228
Brass Contributor
Feb 15, 2023

Deprecated MDI ATP Portal - Scheduled reports

Hello, I see that the Classic ATP (atp.azure.com) will be redirected to the Security portal. However, I'm curious about the Scheduled reports we have set up for Lateral movements and Summary. I don't see a direct correlation in the Security portal for that style of report. What is the recommendation to schedule reports in the Security portal, or at least to set them up within the Security portal to view?


Thank you,

Serge

  •
    josequintino
    Iron Contributor
    SergioT1228 You're correct that Azure Advanced Threat Protection (ATP) is now integrated into the Microsoft Defender for Identity within the Microsoft 365 Defender portal (security.microsoft.com). While the transition brings many new features and an improved user experience, there might be some differences in the available reports.
    To view the reports related to lateral movement and summary in the Microsoft 365 Defender portal, follow these steps:
    1- Go to the Microsoft 365 Defender portal (security.microsoft.com) and sign in with your credentials.
    2- In the left navigation pane, click on Incidents & alerts.
    3- You can apply filters to focus on specific alerts related to lateral movement paths, such as Suspicious lateral movement using remote execution, Pass-the-Ticket, or Pass-the-Hash.

    You can also investigate specific entities (users, devices, etc.) and view the relevant information about them.

    Unfortunately, as of now, there isn't a direct way to schedule reports like the ones you had in Azure ATP within the Microsoft 365 Defender portal. However, you can leverage the Microsoft Graph Security API to create custom reports and schedule them as needed.

    To use the Microsoft Graph Security API:
    1- Register an application in Azure AD and grant the necessary permissions.
    2- Use the API to fetch alerts and related information from the Microsoft 365 Defender portal.
    3- Create custom reports using the fetched data and schedule them to be sent via email or any other preferred method.
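The three steps above, carried through as an added example (not code from the post or from Microsoft): a script that takes a client-credentials token for an Azure AD app registration, pages through the Microsoft Graph `alerts_v2` endpoint for Defender for Identity alerts, and renders a plain-text summary with the lateral-movement subset broken out, roughly what the old Summary and Lateral movement reports gave you. The application permission assumed is SecurityAlert.Read.All, the environment variable names are assumptions, and the sample alerts at the bottom are constructed so the script runs offline; schedule it with cron or Task Scheduler and mail the output with your own tooling.

```python
"""Scheduled Defender for Identity alert summary via Microsoft Graph.

This is an added example, not code from the forum post. It assumes an
Azure AD app registration granted the application permission
SecurityAlert.Read.All (admin-consented) and uses the client-credentials
flow. Credentials are read from environment variables (names assumed);
run it from cron or Task Scheduler and mail the output with your own tooling.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Graph (scope .default)."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_mdi_alerts(token: str, since_hours: int = 24) -> list:
    """Page through /security/alerts_v2 for MDI alerts created in the window."""
    since = (datetime.now(timezone.utc) - timedelta(hours=since_hours)
             ).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = (f"serviceSource eq 'microsoftDefenderForIdentity' "
           f"and createdDateTime ge {since}")
    url = f"{GRAPH}/security/alerts_v2?$filter={urllib.parse.quote(flt)}&$top=100"
    alerts = []
    while url:  # follow @odata.nextLink until the last page
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def summarize(alerts: list) -> dict:
    """Counts by severity plus the LateralMovement subset (alerts_v2 'category'
    carries the MITRE tactic), mirroring the old Summary and Lateral movement reports."""
    lateral = [a for a in alerts if a.get("category") == "LateralMovement"]
    return {
        "total": len(alerts),
        "by_severity": dict(Counter(a.get("severity", "unknown") for a in alerts)),
        "lateral_movement": [
            {"id": a.get("id"), "title": a.get("title"),
             "severity": a.get("severity"), "status": a.get("status")}
            for a in lateral],
    }


def render(summary: dict) -> str:
    """Plain-text body suitable for an e-mail."""
    lines = [f"Defender for Identity alerts in window: {summary['total']}"]
    for sev, n in sorted(summary["by_severity"].items()):
        lines.append(f"  {sev:<8} {n}")
    lines.append("Lateral movement alerts:")
    if not summary["lateral_movement"]:
        lines.append("  (none)")
    for a in summary["lateral_movement"]:
        lines.append(f"  [{a['severity']}] {a['title']} ({a['status']}) id={a['id']}")
    return "\n".join(lines)


# Constructed sample in the alerts_v2 shape, used when no credentials are set.
SAMPLE_ALERTS = [
    {"id": "da1", "title": "Suspected identity theft (pass-the-ticket)",
     "severity": "high", "status": "new", "category": "LateralMovement"},
    {"id": "da2", "title": "Suspected brute-force attack (Kerberos, NTLM)",
     "severity": "medium", "status": "new", "category": "CredentialAccess"},
    {"id": "da3", "title": "Remote code execution attempt",
     "severity": "medium", "status": "inProgress", "category": "LateralMovement"},
]

if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if all(env.values()):
        alerts = fetch_mdi_alerts(get_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"]))
    else:
        alerts = SAMPLE_ALERTS
    print(render(summarize(alerts)))
```

The script follows `@odata.nextLink` rather than trusting a single page, and the client secret lives only in the environment; for production, prefer a certificate credential or managed identity over a long-lived secret, and keep the app's permissions at read-only.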
    •
      StuartH .
      Brass Contributor

      josequintino I am a little stunned that Microsoft are just yanking [very used] features away, and think that is acceptable. I see the portal notice (saying Jan 31) is now replaced with July 31 - surely that is time enough to get a satisfactory solution in place? At least expand on this and come up with something workable for all of your customers, and not making us do the work:


      "To use the Microsoft Graph Security API:
      1- Register an application in Azure AD and grant the necessary permissions.
      2- Use the API to fetch alerts and related information from the Microsoft 365 Defender portal.
      3- Create custom reports using the fetched data and schedule them to be sent via email or any other preferred method."


      It just seems like you are dropping a lot of the good features that we purchased Azure ATP (MDI) for.

      •
        josequintino
        Iron Contributor
        Hello @StuartH, I understand your concerns regarding Microsoft's decision to remove certain features from Azure ATP (MDI). While I am not a Microsoft representative, I can attempt to provide some context and potential suggestions for addressing these changes.

        Firstly, it's important to acknowledge that technology companies like Microsoft often make decisions to remove, modify, or replace features based on factors like market demand, product strategy, or shifting priorities. While these decisions can be frustrating for customers, they are usually made with the goal of improving the overall product experience.

        Regarding the Microsoft Graph Security API, the three steps you mentioned can help you continue accessing the features you need:

        1- Registering an application in Azure AD and granting permissions: This is a one-time setup process that enables your application to interact with the Microsoft Graph Security API. You can follow Microsoft's official documentation to guide you through this process.
        2- Fetching alerts and related information: With your application registered and permissions granted, you can use the API to fetch alerts and related data from the Microsoft 365 Defender portal. This will allow you to continue monitoring your environment and taking necessary actions to ensure security.
        3- Creating custom reports: You can use the fetched data to create custom reports tailored to your organization's needs. This way, you can maintain visibility and control over the aspects that are most important to you.

        While these steps do require some additional work from your end, they provide a way to adapt to the changes introduced by Microsoft. Additionally, consider reaching out to Microsoft Support for further assistance and providing feedback on your concerns. This can help Microsoft understand the needs of their customers and potentially make changes based on this feedback.

        In the meantime, you might explore alternative solutions or third-party tools that could help you achieve your desired functionality with Azure ATP (MDI).
  • LiorShapira
    Microsoft
    A lateral movement path report is covered by the ISPM assessments. You can find more details here: https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-riskiest-lmp
    Regarding Summary report, the health issues are available in M365D Settings > Identities > Health issues, and a summary of alerts can be found by exporting the alerts queue or using Advanced Hunting (30 days of data).
    As of now, the security.microsoft.com portal does not support scheduled reports. I'll be happy if you can contact me directly by mail (t-lshapira@microsoft.com) so I can further understand your needs.

    •
      StuartH .
      Brass Contributor

      There seem to be a few threads on a similar subject (new portal transition and losing "features"), so I was not sure where to post in reply. LiorShapira, you seem happy to want the feedback...


      The only scheduled report we use DAILY is the Modifications to sensitive groups, and if you think logically about that, it is a rational report that is useful on a schedule. MDI has seemingly good logic in what these are, and being informed by push notification is exceedingly important (it would be even better if we didn't get emailed when there are ZERO entries in there, but hey!)... one does not want to have to run an ad hoc query to do that - it is a backward step. Currently, I think the suggestion as a "workaround" is to run the Advanced Hunting query and define the groups you are interested in - that is not workable at all. This alone would stop us moving to the new portal, as pathetic as that seems. FWIW, I actually like the new portal... just struggling to find things. I know there is a mapping table to show where things are... but it doesn't say what is missing or being thought about!
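The Advanced Hunting workaround mentioned above (and the 30-day hunting data LiorShapira refers to) can itself be put on a schedule. As an added example, not code from either poster or from Microsoft, the script below builds the `IdentityDirectoryEvents` query for membership changes to a list of sensitive groups, submits it through Microsoft Graph (`POST /security/runHuntingQuery`, application permission ThreatHunting.Read.All), and renders a report only when there is something to report, so the empty e-mails complained about above never go out. It assumes you already hold a Graph bearer token from the client-credentials flow (acquisition not shown), the group names and lookback are placeholders for your environment, and the sample rows are constructed so it runs offline.

```python
"""Scheduled "modifications to sensitive groups" report via Advanced Hunting.

This is an added example, not code from the forum post. It runs the hunting
query through Microsoft Graph (POST /security/runHuntingQuery, application
permission ThreatHunting.Read.All) and assumes you already hold a bearer token
for Graph from the client-credentials flow; token acquisition is not shown.
The group list, lookback and GRAPH_TOKEN variable name are assumptions.
"""
import json
import re
import urllib.request
from typing import Optional

GRAPH_HUNT = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"


def build_query(groups: list, lookback: str = "1d") -> str:
    """KQL over IdentityDirectoryEvents for membership changes touching the
    given groups. Names are emitted with json.dumps so quotes and backslashes
    are escaped instead of being spliced into the query verbatim."""
    if not groups:
        raise ValueError("at least one group name is required")
    if not re.fullmatch(r"\d+[mhd]", lookback):
        raise ValueError("lookback must look like 30m, 12h or 1d")
    group_list = ", ".join(json.dumps(g) for g in groups)
    return f"""IdentityDirectoryEvents
| where Timestamp > ago({lookback})
| where ActionType == "Group Membership changed"
| extend ToGroup = tostring(parse_json(AdditionalFields).["TO.GROUP"])
| extend FromGroup = tostring(parse_json(AdditionalFields).["FROM.GROUP"])
| where ToGroup in~ ({group_list}) or FromGroup in~ ({group_list})
| project Timestamp, TargetAccountDisplayName, TargetAccountUpn, ToGroup, FromGroup, AccountName, DeviceName
| order by Timestamp desc"""


def run_hunting_query(token: str, query: str) -> list:
    """POST the query to Graph; the response carries 'schema' and 'results'."""
    req = urllib.request.Request(
        GRAPH_HUNT, data=json.dumps({"Query": query}).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("results", [])


def render_report(rows: list) -> Optional[str]:
    """Return None when nothing changed so the scheduler can skip the e-mail
    instead of sending an empty report."""
    if not rows:
        return None
    lines = [f"{len(rows)} sensitive-group membership change(s):"]
    for r in rows:
        who = r.get("TargetAccountUpn") or r.get("TargetAccountDisplayName") or "?"
        change = (f"added to {r['ToGroup']}" if r.get("ToGroup")
                  else f"removed from {r.get('FromGroup')}")
        lines.append(f"{r.get('Timestamp')}  {who}  {change}  "
                     f"by {r.get('AccountName')} on {r.get('DeviceName')}")
    return "\n".join(lines)


# Constructed sample rows in the shape returned under "results".
SAMPLE_ROWS = [
    {"Timestamp": "2023-02-15T08:12:03Z", "TargetAccountDisplayName": "Jane Doe",
     "TargetAccountUpn": "jane.doe@contoso.example", "ToGroup": "Domain Admins",
     "FromGroup": "", "AccountName": "svc-helpdesk", "DeviceName": "dc01"},
    {"Timestamp": "2023-02-15T07:40:11Z", "TargetAccountDisplayName": "Old Admin",
     "TargetAccountUpn": "old.admin@contoso.example", "ToGroup": "",
     "FromGroup": "Enterprise Admins", "AccountName": "jsmith", "DeviceName": "dc02"},
]

if __name__ == "__main__":
    import os
    query = build_query(["Domain Admins", "Enterprise Admins", "Schema Admins"])
    token = os.environ.get("GRAPH_TOKEN")  # assumed variable name
    rows = run_hunting_query(token, query) if token else SAMPLE_ROWS
    report = render_report(rows)
    print(report if report else "No changes; nothing to send.")
```

Two caveats worth knowing before relying on this: hunting data is retained for 30 days, so a missed run can be backfilled but not beyond that, and the group list here is a static allow-list, whereas the classic report used MDI's own notion of sensitive groups; keep the two in sync when you add custom sensitive groups in the MDI settings.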

      •
        LiorShapira
        Microsoft

        StuartH . Thanks for your feedback, I appreciate it. We will take it into account and will make sure to update the documentation.
