SOLVED

Network mapping reconnaissance (DNS)


Hi everybody, 

I get a warning in MCAS "Network mapping reconnaissance (DNS)" because of my vulnerability scanner. I want to get notified like in every alert rule in MCAS. But I can't find where I can edit the default behavior anomaly policy. How can I get notified when this warning occurs?

Thanks

Regards

Sebastian

3 Replies
That specific alert is actually coming from the Microsoft Defender for Identity product. MCAS is just showing you the alerts from MDI. To configure MDI to send you email alerts for the DNS recons, browse to MDI here: http://portal.atp.azure.com/
In the Defender for Identity portal, select the settings option on the toolbar and select Configuration. Click Notifications. Under Mail notifications, add email addresses for the notifications you want to receive - they can be sent for new alerts.

See documentation here: https://docs.microsoft.com/en-us/defender-for-identity/notifications#:~:text=In%20the%20Defender%20f....
Hi Joe, thank you very much for your reply. I almost thought so. I have already found and configured the notification function in Defender for Identity (ATP portal). Is there a way to query and specifically filter the data from Defender for Identity in Azure Sentinel (Log Analytics)? It would be nice to push the data into an MS Teams SOC channel.

Thank you very much.

Regards Sebastian
best response confirmed by msmotto21 (New Contributor)
Solution
"Is there a way to query and specifically filter the data from Defender for Identity in Azure Sentinel (Log Analytics)?"
Yes, this is available now, per this article: https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-atp