Forum Discussion
Yossi Basha
Microsoft
Jun 20, 2019
Investigating identity threats in hybrid on prem and cloud environments
We are very happy to announce the new identity threat investigation experience, which is the integration of Azure ATP, Azure AD Identity Protection and MCAS - you can now get the security value of t...
David Caddick
Jun 25, 2019 | Iron Contributor
Hi Yossi Basha
Very interesting to see this working - it took me a while to find the Top 5 Identities to investigate by Priority - I would suggest this should have a more prominent place on the dashboard?
Question: Like Sentinel, would it be possible to "edit" the Dashboard and/or get details of the KQL that generates this? It would be great to understand how these are created.
For those that have implemented MCAS and have yet to *enable* the Azure ATP integration - best to make sure you have all of your <Internal> IP addresses listed in MCAS > IP Address. It could be that we (I) did something stupid, but within the 12 hours or so of enabling this we were seeing loads of Alerts for "Login from outside Australia" even though the originating Client IP Address was internal 10.x.x.x
So it does seem that the MCAS Tool does not automatically assume that 10.x.x.x is internal. Then, as we were updating the <Internal> IPs, it did occur to us that it's probably not a good idea to list the ADFS Server as Internal? Wouldn't we want incoming requests from this to be checked more closely?
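The symptom described in this post (an RFC1918 source such as 10.x.x.x treated as "outside" because it was never listed as a known range) can be triaged offline. The following is an added example, not code from the original thread or from MCAS: it takes constructed alert records, compares each source IP against the ranges an admin has configured, and singles out the private-but-unlisted addresses that point to a missing IP-range entry rather than a real foreign login.

```python
import ipaddress

# RFC1918 private ranges, matched explicitly so the result is reproducible.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts (not real data). 203.0.113.7 is a documentation-range
# address standing in for a genuinely external client.
SAMPLE_ALERTS = [
    {"user": "alice@example.com", "source_ip": "10.20.30.40", "alert": "Login from outside Australia"},
    {"user": "bob@example.com", "source_ip": "203.0.113.7", "alert": "Login from outside Australia"},
    {"user": "carol@example.com", "source_ip": "192.168.1.9", "alert": "Login from outside Australia"},
    {"user": "dave@example.com", "source_ip": "not-an-ip", "alert": "Login from outside Australia"},
]


def classify_source(ip, configured_ranges):
    """Return 'configured', 'private-unlisted', 'public' or 'unparseable'.

    'private-unlisted' is the signature of the misconfiguration in the thread:
    an internal address the tool has no range entry for, so it is treated as external.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable"
    for cidr in configured_ranges:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return "configured"
    if any(addr in net for net in RFC1918):
        return "private-unlisted"
    return "public"


def triage(alerts, configured_ranges):
    """Annotate each alert with its source classification."""
    return [dict(a, source_class=classify_source(a["source_ip"], configured_ranges)) for a in alerts]


def unlisted_private_sources(alerts, configured_ranges):
    """Sorted, de-duplicated internal addresses that still need an IP-range entry."""
    return sorted({a["source_ip"] for a in triage(alerts, configured_ranges)
                   if a["source_class"] == "private-unlisted"})


if __name__ == "__main__":
    # Before the admin lists the internal ranges: both 10.x and 192.168.x show up as gaps.
    print(unlisted_private_sources(SAMPLE_ALERTS, []))
    # After listing them: only the genuinely external login remains worth a closer look.
    print([a for a in triage(SAMPLE_ALERTS, ["10.0.0.0/8", "192.168.0.0/16"]) if a["source_class"] == "public"])
```

Run it against an export of the alert list to get the set of internal ranges that the configured list is still missing.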
jlouden
Jun 27, 2019 | Brass Contributor
Hey David Caddick
We didn't need to include internal IP ranges in MCAS. We only did the external IPs where MCAS would see traffic coming from, then we had fun adding all of our clients' external IPs. Once we had those two in place MCAS correctly ID'd locations regardless of internal IP.
Cheers
JL
- David Caddick | Jun 27, 2019 | Iron Contributor
Hi jlouden,
Do you have integration with Azure ATP turned on?
That seems to be the catalyst that started the "barrage" of misunderstanding about 10.x.x.x being an external address as far as the logic goes, because that's what the alerts are now saying...?
- jlouden | Jun 27, 2019 | Brass Contributor
Hey David Caddick
Yes, mind you we had all sorts of issues getting that integration running; actually between WDATP, ATA, and MCAS they just didn't play nice. In the end the PG team "reset" the 3, and since then it has been running without issue. Just suffering portal fatigue while waiting for the Unified Console/portal to come along.
- David Caddick | Jun 27, 2019 | Iron Contributor
jlouden Aha - ATA, not Azure ATP? That makes sense. I'm suspecting that there is something going on here that is causing the 10.x.x.x to be flagged as external somehow. Have you also got Sentinel up and compared that to the MD ATP Advanced Threat Hunting? I can't understand how two similar tools have such different UIs...