Forum Discussion
Investigating identity threats in hybrid on prem and cloud environments
Hi Yossi Basha
Very interesting to see this working - it took me a while to find the Top 5 Identities to investigate by Priority - I would suggest this should have a more prominent place on the dashboard?
Question: Like Sentinel, would it be possible to "edit" the Dashboard and/or get details of the KQL that generates this? It would be great to understand how these are created.
For those that have implemented MCAS and have yet to *enable* the Azure ATP integration - best to make sure you have all of your <Internal> IP addresses listed in MCAS > IP Address. It could be that we (I) did something stupid, but within the 12 hours or so of enabling this we were seeing loads of Alerts for "Login from outside Australia" even though the originating Client IP Address was internal 10.x.x.x.
So it does seem that the MCAS Tool does not automatically assume that 10.x.x.x is internal. Then, as we were updating the <Internal> IPs, it did occur to us that it's probably not a good idea to list the ADFS Server as Internal? Wouldn't we want incoming requests from this to be checked more closely?
David Caddick, thanks for sharing your insights.
Yes, the top users to investigate will soon become more prominent and will also be represented in more aspects of the product.
You are not able to edit the dashboard in MCAS, but I'd love for you to share your asks in a direct message.
Thanks for the private IP address note, I'll work internally on that.