Forum Discussion

Yossi Basha
Microsoft
Jun 20, 2019

Investigating identity threats in hybrid on prem and cloud environments

We are very happy to announce the new identity threat investigation experience, which is the integration of Azure ATP, Azure AD Identity Protection and MCAS: you can now get the security value of these three identity-focused security products in the same portal.

https://www.microsoft.com/security/blog/2019/06/20/investigating-identity-threats-hybrid-cloud-environments/

We would love to get your insights!

  • jlouden
    Brass Contributor
    Hi Yossi, any plans to fold in alerts/events from 365 security, e.g. a ZAP'd email that was found in a user's inbox? Regards, John L
    • Yossi Basha
      Microsoft

      jlouden Yes, we are working to get alerts and activities from more M365 sources into the investigation priority engine.

  • David Caddick
    Iron Contributor

    Hi Yossi Basha

    Very interesting to see this working. It took me a while to find the Top 5 Identities to investigate by Priority; I would suggest this should have a more prominent place on the dashboard?

    Question: Like Sentinel, would it be possible to "edit" the dashboard and/or get details of the KQL that generates this? It would be great to understand how these are created.

    For those that have implemented MCAS and have yet to *enable* the Azure ATP integration: best to make sure you have all of your <Internal> IP addresses listed in MCAS > IP Address. It could be that we (I) did something stupid, but within the 12 hours or so of enabling this we were seeing loads of alerts for "Login from outside Australia" even though the originating client IP address was internal 10.x.x.x.

    So it does seem that the MCAS tool does not automatically assume that 10.x.x.x is internal. Then, as we were updating the <Internal> IPs, it did occur to us that it's probably not a good idea to list the ADFS server as internal? Wouldn't we want incoming requests from this to be checked more closely?

    • jlouden
      Brass Contributor

      Hey David Caddick

      We didn't need to include internal IP ranges in MCAS. We only did the external IPs where MCAS would see traffic coming from, then we had fun adding all of our clients' external IPs. Once we had those two in place, MCAS correctly ID'd locations regardless of internal IP.

      Cheers

      JL

      • David Caddick
        Iron Contributor

        Hi jlouden,

        Do you have integration with Azure ATP turned on?

        That seems to be the catalyst that started the "barrage" of misunderstanding about 10.x.x.x being an external address as far as the logic goes, because that's what the alerts are now saying...?

    • Yossi Basha
      Microsoft

      David Caddick thanks for sharing your insights.

      Yes, the top users to investigate will soon become more prominent and will also be represented in more aspects of the product.

      You are not able to edit the dashboard in MCAS, but I'd love for you to share your asks in a direct message.

      Thanks for the private IP address note, I'll work internally on that.
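The exchange above boils down to a pre-flight check: before turning on the Azure ATP integration, confirm that every client IP your on-prem sign-ins will carry is covered by a configured MCAS IP address range, otherwise a 10.x.x.x source is geolocated like any other unlisted address. The following Python audit is an added example, not code from the thread or from Microsoft. It assumes that MCAS only treats an address as internal when an administrator has listed a range covering it (the behaviour David Caddick reports) and that the configured ranges can be exported as CIDR strings per category; the category names, ranges and sign-in records are constructed for illustration, and the public addresses are taken from the RFC 5737 documentation blocks.

```python
"""Audit sign-in client IPs against an MCAS-style IP address range configuration.

Added example (not from the thread or from Microsoft). Assumes MCAS treats an
address as internal only when a configured range covers it; everything else is
geolocated as external. All data below is constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# RFC 1918 private space. Checked explicitly rather than via ip_address.is_private,
# because Python also flags the RFC 5737 documentation blocks used below as private.
RFC1918_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed configuration. Category names are assumed; use your tenant's own.
CONFIGURED_RANGES: Dict[str, List[str]] = {
    "Corporate": ["203.0.113.0/24"],   # the office egress block, as jlouden describes
    "VPN": ["198.51.100.0/25"],
}

# Constructed sign-in records: what the investigation engine would see once the
# Azure ATP integration starts forwarding on-prem authentications.
SIGN_INS = [
    {"user": "alice@example.com", "client_ip": "203.0.113.17"},
    {"user": "bob@example.com", "client_ip": "10.20.30.40"},    # on-prem, never listed
    {"user": "carol@example.com", "client_ip": "198.51.100.9"},
    {"user": "dave@example.com", "client_ip": "192.0.2.55"},    # genuinely external
]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def categorize(ip: str, ranges: Dict[str, List[str]]) -> str:
    """Return the configured category covering ip, or 'Uncategorized' if none does."""
    addr = ip_address(ip)
    for category, cidrs in ranges.items():
        if any(addr in ip_network(cidr) for cidr in cidrs):
            return category
    return "Uncategorized"


def uncovered_private_sources(sign_ins: Iterable[dict], ranges: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each RFC 1918 client IP that no configured range covers to the users seen from it.

    These are the sources that will be geolocated as external and can raise
    "logon from outside <country>" style alerts once on-prem sign-ins are fed in.
    """
    hits: Dict[str, List[str]] = {}
    for event in sign_ins:
        ip = event["client_ip"]
        if is_rfc1918(ip) and categorize(ip, ranges) == "Uncategorized":
            hits.setdefault(ip, []).append(event["user"])
    return hits


def suggested_ranges(ips: Iterable[str], prefixlen: int = 16) -> List[str]:
    """Collapse individual private IPs into enclosing networks to add to the config.

    A /16 is a convenient default for a 10.x site (assumption); use your real subnets.
    """
    return sorted({str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips})


if __name__ == "__main__":
    gaps = uncovered_private_sources(SIGN_INS, CONFIGURED_RANGES)
    for ip, users in gaps.items():
        print(f"{ip}: uncovered private source, seen for {', '.join(users)}")
    if gaps:
        print("consider adding:", ", ".join(suggested_ranges(gaps)))
```

Run it against a real export of recent sign-in client IPs before flipping the integration on; an empty result means every private source is already categorised, while any hit is a range you would otherwise have discovered through a burst of location-based alerts.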

  • bbhorrigan
    Brass Contributor

    Very well put together.

    Reading through the documentation here.

    https://docs.microsoft.com/en-us/cloud-app-security/tutorial-ueba

    I was curious if there is any more information that describes how the priority score is created?

    "Use the Investigation priority score to determine which users to investigate first. Cloud App Security builds user profiles for each user based on analytics that take time, peer groups, and expected user activity into consideration. Activity that is anomalous to a user's baseline is evaluated and scored."

    Yossi Basha

    • NormAndersch
      Copper Contributor

      @Yossi Basha Hey, never mind. I just discovered that you can edit / view the policy by selecting Adjust policy on the alert.
