
Some of the alerts coming from Azure Security Center could use additional information

Gary Bushey
Contributor

At my client's site I am getting alerts from ASC (as well as MCAS, AD Identity Protection, and Azure ATP) and noticed that two of them, "Logon by an unfamiliar principal" and "Logon from an unusual location", don't list the user ID even though if I go into ASC I can see the user ID there. It would make the alerts so much more useful if the user ID was passed along. The IP addresses are being sent so hopefully it would not be too hard to pass along the user ID.

Not sure if it is possible but it would also be great to have a link back to the original alert. Maybe as a comment?

2 Replies
I have spoken with someone from the product team and they will be looking into this :)
Looks like it is happening already :) Noticed some MCAS alerts showing user information in the description