
Some of the alerts coming from Azure Security Center could use additional information


At my client's site I am getting alerts from ASC (as well as MCAS, AD Identity Protection, and Azure ATP) and noticed that two of them, "Logon by an unfamiliar principal" and "Logon from an unusual location" don't list the user ID even though if I go into ASC I can see the user ID there.  It would make the alerts so much more useful if the user ID was passed along.  The IP Addresses are being sent so hopefully it would not be too hard to pass along the user ID.

 

Not sure if it is possible but it would also be great to have a link back to the original alert.  Maybe as a comment?

2 Replies

I have spoken with someone from the product team and they will be looking into this :)

Looks like it is happening already :) Noticed some MCAS alerts showing user information in the description