cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Created Policy - What is the difference: Alerts vs Activity?

SergioT1228
Brass Contributor

‎Sep 23 2020 10:24 AM

‎Sep 23 2020 10:24 AM

Created Policy - What is the difference: Alerts vs Activity?

I have created a policy for Failed Log on and when I check my alerts, I see 10.  But when I look at the activity log and run the query based off of the policy I created, there are over 5,000.  Additionally, when I search for one of the Alerts in the activity log, I'm unable to find that action.  I would think all of the 10 Alerts should be found in the Activity log.  Please help with the understanding of the difference.

 

Cheers,

Serge

795 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by SergioT1228 (Brass Contributor)
Caroline_Lee

‎Sep 24 2020 06:19 AM

‎Sep 24 2020 06:19 AM

Solution

Re: Created Policy - What is the difference: Alerts vs Activity?

@SergioT1228 Great question! The activity log will be a view of all the activities performed in your connected applications. This could range from a log on, file download, task creation, etc where as an alert will notify you of a potential threat in your cloud environment.

 

The reason why you may be seeing more failed log ons in activity log vs. in the alert panel is because sometimes failed logins can be normal behavior (i.e. user forgetting their password). This could also depend on how you've scoped your policy i.e. alert on 10 repeated failed log-ons in a 5 min time interval would only result in 1 alert but 10 entries in activity log. There is also specific anomaly detection policy based off of User Entity Behavior Analytics (UEBA), where MCAS studies the behavior of the user for 7 days and establishes a baseline for each user and will alert on any unusual behavior. 

 

Investigating multiple failed logon attempts: https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts#multiple-failed-login...

Activities in MCAS: https://docs.microsoft.com/en-us/cloud-app-security/activity-filters

 

Does that answer your question?

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by SergioT1228 (Brass Contributor)
Caroline_Lee

‎Sep 24 2020 06:19 AM

‎Sep 24 2020 06:19 AM

Solution

Re: Created Policy - What is the difference: Alerts vs Activity?

@SergioT1228 Great question! The activity log will be a view of all the activities performed in your connected applications. This could range from a log on, file download, task creation, etc where as an alert will notify you of a potential threat in your cloud environment.

 

The reason why you may be seeing more failed log ons in activity log vs. in the alert panel is because sometimes failed logins can be normal behavior (i.e. user forgetting their password). This could also depend on how you've scoped your policy i.e. alert on 10 repeated failed log-ons in a 5 min time interval would only result in 1 alert but 10 entries in activity log. There is also specific anomaly detection policy based off of User Entity Behavior Analytics (UEBA), where MCAS studies the behavior of the user for 7 days and establishes a baseline for each user and will alert on any unusual behavior. 

 

Investigating multiple failed logon attempts: https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts#multiple-failed-login...

Activities in MCAS: https://docs.microsoft.com/en-us/cloud-app-security/activity-filters

 

Does that answer your question?

View solution in original post

1 Like
Reply