Cannot find logs in Defender ATP for Discovered apps


We and our customers experience inaccurate data in the discovered apps in MCAS.

For example:
Discovered Apps show the up- and download of the app "Box" for multiple clients. If we search for connections in Defender ATP, we cannot find any indication for Box. The URL is not used in any Defender ATP logs. We can't hunt on an IP address basis, because there is no information about which IP addresses are behind the Box service.

How can we bring the discovery and log data together for further investigation? If we can't hunt down the logs, we cannot stop data loss. We need a possibility to bring MCAS in correlation with Defender.

@Niv Goldenberg you have already answered the following post: https://techcommunity.microsoft.com/t5/microsoft-cloud-app-security/apps-seen-in-cloud-app-security-...

Maybe you can assist here.

0 Replies