SOLVED

MCAS - Activity Log - Duration - how many days of logs visible from point of setup?


Hi,

I have a query - we have just set up a trial of MCAS for a client and they are seeing infrequent country alerts for users, for example.

These alerts state things like "device tablet used by this user for the first time in 180 days", and "ISP xxx used for the first time by this user in 180 days".

As we have just set up MCAS and connected Office 365 and Azure AD, I am keen to know how far back the logs MCAS is referring to go. Given we have just enabled MCAS, I suspect the reference to 180 days isn't reviewing 180 days of historical logs.

Does MCAS look at the O365 Audit Logs and Azure AD Sign In Logs to make this determination (which only go back 90 days and 30 days respectively for E3 and AAD P1 customers)?

If so, are logs then kept elsewhere to provide 180 days of historical activity logs if MCAS is purchased, as listed here:

https://docs.microsoft.com/en-us/cloud-app-security/cas-compliance-trust#transparency

Thanks

Paul

3 Replies

@PJR_CDF

The data that MCAS gets from different apps is saved according to retention policies for 180 days (for activities). Based on the aggregated data from different services, MCAS is able to build a baseline that is then used for its anomaly detections.

In the specific case below, it might be a bug and a terminology issue.

If critical, a support case can be opened so our team can review the details.

Best,

Boris

Product manager, CAS


Thanks @Boris_Kacevich

It's not a critical issue, but the customer did ask why it shows "last 180 days" in the alert when he hasn't got 180 days' worth of activity logs to review yet. It might be worth changing that value in the alerts to a dynamic value reflecting the duration of logs available, if possible, to prevent future confusion?

With regards to the 180-day activity log, is this a separate MCAS-specific log stored somewhere that's not accessible to other services but is in effect populated by the connected services?

What I mean is: are the entries in the MCAS Activity Log copies of logs from connected apps (i.e. Office 365 and Azure AD) that are then kept in the MCAS log for 180 days, whereas if you reviewed the logs for the contributing source individually - i.e. Azure Sign In Logs, for example - you will still only find the last 30 days?

Thanks

Paul

Best Response confirmed by PJR_CDF (Contributor)
Solution
Yes, you are correct, MCAS stores copies of the activities it receives from connected services for a period of 180 days.

Regarding the issue, we will investigate further and decide on the next steps.

Boris
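To make the point of the thread concrete, here is a small added example (not MCAS code, and not from either poster) that models a "first time in N days" baseline over a copy of connected-app activities with 180-day retention, and reports the history actually available instead of a fixed 180. The activity records, user name, and the assumption that the earliest stored record marks the connector start are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION_DAYS = 180  # activity retention stated in the thread


@dataclass(frozen=True)
class Activity:
    user: str
    kind: str      # attribute being baselined, e.g. "device" or "isp"
    value: str
    ts: datetime


# Constructed sample: a tenant whose connectors started on 2020-03-01.
# The earliest stored record stands in for the connector start (assumption).
NOW = datetime(2020, 3, 6, 12, 0)
ACTIVITIES = [
    Activity("paul@example.com", "device", "desktop", datetime(2020, 3, 1, 9)),
    Activity("paul@example.com", "isp", "ISP-A", datetime(2020, 3, 1, 9)),
    Activity("paul@example.com", "device", "desktop", datetime(2020, 3, 3, 14)),
]
# Same tenant, plus one old record that falls outside the 180-day window.
OLD_ACTIVITIES = ACTIVITIES + [
    Activity("paul@example.com", "isp", "ISP-OLD", NOW - timedelta(days=200)),
]


def effective_lookback_days(activities, now, retention_days=RETENTION_DAYS):
    """History actually available: retention, capped at days since the first record."""
    if not activities:
        return 0
    earliest = min(a.ts for a in activities)
    return min(retention_days, (now - earliest).days)


def first_seen_alert(activities, now, user, kind, value, retention_days=RETENTION_DAYS):
    """Alert text with a dynamic window, or None if the value is already in the baseline."""
    window_start = now - timedelta(days=retention_days)
    seen = any(
        a.user == user and a.kind == kind and a.value == value and window_start <= a.ts < now
        for a in activities
    )
    if seen:
        return None
    lookback = effective_lookback_days(activities, now, retention_days)
    return f"{kind} '{value}' used by {user} for the first time in {lookback} days"
```

Five days after onboarding the alert reads "first time in 5 days" rather than 180, which is the dynamic wording suggested above; once the stored history spans the full retention period the window reported is 180 days.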