Azure Security Center and MCAS


We would like to understand if alerts in Azure Security Center and MCAS are related. For example, MCAS alert: Impossible travel activity and Azure Unfamiliar sign-in properties or Atypical travel. The issue for us is to monitor both environments for these same activities. There are more examples I can add but first, we need to understand if we can concentrate on MCAS only and not lose any visibility.

3 Replies
It depends on the alerts. MCAS integrates with AAD Identity Protection to provide consistent monitoring of impossible travel, see https://docs.microsoft.com/en-us/cloud-app-security/aadip-integration and with Azure ATP to monitor unexpected user behavior on your networks, see https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration

ASC monitors a lot of events from your Azure subscriptions that are not shown in MCAS. You can use Azure Sentinel to monitor MCAS and ASC in one place. See https://docs.microsoft.com/en-us/cloud-app-security/siem-sentinel to get started or get my colleague's book https://www.amazon.com/dp/B0859C7L1G/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 @Gary Bushey

@Dean Gross Thanks but this is not the answer I'm looking for.

@milchl sorry about that, not sure what answer you are looking for, but this may be helpful https://www.microsoft.com/security/blog/2020/07/09/inside-microsoft-threat-protection-correlating-an...