Cloud App Security Alerts not in realtime?


Hi folks,
We've recently started to leverage Cloud App Security as a component of our Security Operations and, while testing the impossible travel policy with a custom targeted policy for non-typical work locations, we've noticed a significant delay in the alert being shown on the dashboard versus when the event actually occurred. We've seen anything from 90 minutes or worse when we compare the Audit logs in O365 and Azure for when our test users logged in from another location to the actual time we receive email notification from Cloud App Security.
While we wait for a response from Cloud App Security support, I thought I might post here and see if anyone is having this same issue.
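The comparison the poster describes (sign-in time in the audit log versus the time the Cloud App Security alert arrives) is worth measuring systematically rather than by eye, so that a SOC can track detection lag as a metric. The script below is an added example and not part of the original thread or of the product; it works on constructed sample records, assumes the sign-in and alert exports have been reduced to a user, an ISO-8601 timestamp and a policy name, and treats the latest sign-in by the same user before the alert as the event the alert refers to. The 30-minute budget is an assumed target, not a product figure.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample data (not real tenant data). SIGNIN_LOG stands in for
# rows exported from the Azure AD sign-in log; ALERTS stands in for the alert
# list exported from Cloud App Security.
SIGNIN_LOG = [
    {"user": "alice@example.test", "time": "2019-05-01T08:00:00Z", "location": "Seattle, US"},
    {"user": "alice@example.test", "time": "2019-05-01T08:20:00Z", "location": "Frankfurt, DE"},
    {"user": "bob@example.test",   "time": "2019-05-01T09:00:00Z", "location": "Dublin, IE"},
    {"user": "bob@example.test",   "time": "2019-05-01T09:05:00Z", "location": "Sydney, AU"},
]

ALERTS = [
    {"user": "alice@example.test", "policy": "Impossible travel", "time": "2019-05-01T09:55:00Z"},
    {"user": "bob@example.test",   "policy": "Impossible travel", "time": "2019-05-01T09:12:00Z"},
]


def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the sample exports as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triggering_signin(alert, signins):
    """Latest sign-in by the alert's user at or before the alert time.

    Assumption: the alert refers to the most recent qualifying sign-in; if the
    export carries an explicit event reference, prefer that over this heuristic.
    """
    candidates = [
        s for s in signins
        if s["user"] == alert["user"] and parse_ts(s["time"]) <= parse_ts(alert["time"])
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda s: parse_ts(s["time"]))


def alert_latencies(alerts, signins):
    """Return (user, policy, latency_minutes) for every alert with a matching sign-in."""
    results = []
    for alert in alerts:
        signin = triggering_signin(alert, signins)
        if signin is None:
            continue  # unmatched alert: nothing to measure against
        lag = (parse_ts(alert["time"]) - parse_ts(signin["time"])).total_seconds() / 60
        results.append((alert["user"], alert["policy"], lag))
    return results


def over_budget(latencies, budget_minutes=30):
    """Alerts whose detection lag exceeds the (assumed) budget, for follow-up."""
    return [row for row in latencies if row[2] > budget_minutes]


def summarize(latencies):
    """Median and worst-case lag in minutes, the two numbers worth trending."""
    lags = [row[2] for row in latencies]
    return {"median": median(lags), "max": max(lags)}


if __name__ == "__main__":
    rows = alert_latencies(ALERTS, SIGNIN_LOG)
    for user, policy, lag in rows:
        print(f"{user:22} {policy:18} {lag:6.1f} min")
    print("summary:", summarize(rows))
    print("over budget:", over_budget(rows))
```

On the constructed data the alert for alice arrives 95 minutes after the Frankfurt sign-in, which matches the order of delay the poster reports, while bob's arrives after 7 minutes; only alice's alert is flagged against the 30-minute budget. Run the same join over a week of real exports and the median and maximum give you a baseline to put in front of support.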

3 Replies

@prnceofpwnge 
@Sebastien Molendijk: Is this something you can speak to? 


@prnceofpwnge 

When I was testing DLP policies, I got kind of the opposite.
If I add a file with for example credit card numbers, it takes almost two hours for the file to show up in MCAS (with the alert following soon after).
If I however apply a policy on files that are already monitored in MCAS, the alert will show up in a few minutes.


@prnceofpwnge I noticed the same thing