Nov 21 2018 01:12 PM
Hi,
Why would CAS stop logging events initiated by systems other than devices?
We have run tests from a few different scripts today, none of which got picked up in CAS:
We have heard from a customer who talked w/ support that signals from devices are the only thing that will get logged now. But since bad actors are using automation/scripts, we need to be able to track such signals in CAS.
Dec 02 2018 01:06 PM
Hi Chris,
Thanks for reaching out. There haven't been any changes in Cloud App Security related to auditing & user agent. Per the below documentation, the commands you referenced are not part of audited events and are therefore not visible in CAS or in SCC.
Thanks
Shalini
Dec 04 2018 04:26 AM
Hi,
Is “Send-MailMessage” an event that is logged by Cloud App Security? We know it *used to be* because the creator of “PhishHunter” (Steve @ MSFT) used it to demonstrate how when it’s run against an acct, it creates an event that will then remediate an acct.
Dec 18 2018 06:57 AM
We have a live situation where several hundred events are being missed in the same timeframe. An acct was compromised, and is being accessed from Russia using the SMTP service (i.e. from some scripted method).
CAS (which is pulling from the Azure AD audit logs) has nothing at all for that IP, and none of it is captured in the CAS (or audit) logs.
Is CAS supposed to log events from scripts, or just physical devices?