Cloud App Security

andrew_bryant
Contributor

Security Alerts generated from MCAS should contain the user principal name and IP address as fields, at a minimum. In some alerts this info is in the entities field, but it is difficult to extract into its own field. In other alerts it is not present. They should be their own fields to make building alert rules and automation easier.

Also, I would like the ability to query the events that show up in the Activity Log in MCAS in Sentinel to build custom alert rules.

1 Reply

Re: Cloud App Security

@andrew_bryant

CC: @Ofer_Shezaf and @Sebastien Molendijk
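For readers hitting the same problem today, here is one way to pull the UPN and IP address out of the Entities column of MCAS alerts in Sentinel. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Sentinel SecurityAlert table, that MCAS alerts carry ProductName "Microsoft Cloud App Security", and that Entities is a JSON array of entity objects where accounts have Type "account" with Name and UPNSuffix and IPs have Type "ip" with Address. Check the ProductName value and the entity field names against a real alert in your own workspace before building a rule on it.

```kusto
// Added example (not from the original post). Assumptions: Sentinel SecurityAlert table,
// MCAS alerts identified by ProductName == "Microsoft Cloud App Security", and an Entities
// column holding a JSON array of entity objects of the documented "account" and "ip" shapes.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Microsoft Cloud App Security"
| extend EntityList = parse_json(Entities)
// Expand the entity array per alert and collapse it back into two sets:
// one of UPNs built from Name@UPNSuffix, one of IP addresses.
| mv-apply Entity = EntityList on (
    summarize
        Accounts = make_set_if(
            strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)),
            tostring(Entity.Type) =~ "account" and isnotempty(Entity.UPNSuffix)),
        IPs = make_set_if(
            tostring(Entity.Address),
            tostring(Entity.Type) =~ "ip")
  )
// Promote the first of each set to a scalar field so analytics rules and playbooks
// can reference a plain column; the full sets are kept for alerts with several entities.
| extend UserPrincipalName = tostring(Accounts[0]), IPAddress = tostring(IPs[0])
| project TimeGenerated, AlertName, AlertSeverity, UserPrincipalName, IPAddress, Accounts, IPs, SystemAlertId
```

Alerts that carry no account or ip entity at all (the second case described in the post) come through with empty UserPrincipalName and IPAddress columns rather than being dropped, so a follow-up `where isempty(UserPrincipalName)` is a quick way to measure how many alerts the query cannot enrich.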