Forum Discussion
AnalystGuy (Copper Contributor)
Feb 11, 2021
Finding MCAS Policy Changes
Background: I've got these connectors to Sentinel working...
- Microsoft 365 Defender (Preview)
- Office 365

and I want to alert on changes made to MCAS policies, which I would think would appear in the former. But I'm not seeing them. For example, I had an alert on the Remote Code Execution Attempt policy. It was legitimate activity, so I edited the policy to make an exception. I want to see an audit trail of that exception but I'm not finding it in Sentinel. Any ideas?
1 Reply
- Thijs Lecomte (Bronze Contributor)
By default this is not in the current connectors.
You should see this in the Unified Audit log of Office 365. There isn't a default connector for this, but there are plenty of solutions available.
Check out this URL: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-protect-office-365-with-azure-sentinel/ba-p/1656939