When investigating a user and reviewing details on the UEBA page - for User contact information why can I not see the Users Mobile number - this is the most important detail I'm looking for to be able to "call" the user "out of band" of the Email/Teams/etc that may or may not be compromised to confirm if this is a FP, TP or BTP result. Under user there is an Object ID listed - this is a match to the specific "Object Id" for the user in Azure AD - even though under the AAD User Profile blade there is both the Office Phone and the Mobile phone listed for this user.Question - why can we not list the Users Mobile, or both - why whould we have this wonderfully easy UI that does all the hard work and then it does not even identify "what" Phone number it is, nor does it pull both thru? This does seem like it wasn't quite finished off perhaps? ;-(

Hi, David Caddick This is a good valuable, thanks for sharing. I just passed it around to the team in charge.

UEBA - User contact information | Microsoft Community Hub

6 Replies

Daniel Goltz
Microsoft
Apr 10, 2022
Hi David Caddick, Yoann_David_Mallet

This feature request was added to our product and has started to gradually roll out to our customers in Microsoft Defender for Cloud Apps. It should be available to all tenants in the upcoming period.

Thanks for the feedback!

Daniel
Dean_Gross
Silver Contributor
Aug 04, 2021
David, do you ever run into problems with the user name not displaying and only getting the ID?
- Chris_321
  Copper Contributor
  Mar 16, 2022
  Good morning Dean,
  I have the exact same problem, I have a user identified with his ID, but not with his name. I don't know if you have been able to see what the problem is?
  
  Dean_Gross
- David Caddick
  Iron Contributor
  Aug 08, 2021
  Hi Dean,
  
  No - but in all fairness the searching function in the MCAS UEBA is terrible.
  You are forced to use correct syntax of first.second in line with the email address and from what we have seen there is no way of using wildcard searches either - this is a pretty big ommission in our eyes
Yoann_David_Mallet
Microsoft
Feb 24, 2020
Hi, David Caddick

This is a good valuable, thanks for sharing. I just passed it around to the team in charge.
- David Caddick
  Iron Contributor
  Feb 25, 2020
  Yoann_David_Mallet Gal Zilberstein the one other aspect that would be Awesome in MCAS is to get Azure MFA & Conditional Access coming thru - this would enable a much better Alert/Incident filter to balance against "impossible Travel" Alerts.
  
  Thoughts:
  User X successfully logs in from outside <home country>
  IF CA fires & Azure MFA satisfied correctly --> mark as informational only
  IF CA fires & Azure MFA not satisfied --> mark as High Alert + Email directly to Admins + enact Governance tiggers to block/suspend User pending change of password & Azure MFA, etc...

Forum Discussion

UEBA - User contact information