Mar 03 2020 05:28 AM
Mar 03 2020 05:28 AM
I have a query - we have just setup a trial of MCAS for a client and they are seeing infrequent country alerts for users for example.
These alerts state things like "device tablet used by this user for the first time in 180 days", and "ISP xxx used for the first time by this user in 180 days".
As we have just setup MCAS and connected Office 365 and Azure AD, I am keen to know how far back do the logs MCAS is referring to go. Given we have just enabled MCAS I suspect the reference to 180 days isnt reviewing 180 days of historical logs.
Does MCAS look at the O365 Audit Logs and Azure AD Sign In Logs to make this determination (which only go back 90 days and 30 days respectively for E3 and AAD P1 customers).
If so, are logs then kept elsewhere to provide 180 days of historical activity logs if MCAS is purchased as listed here
Mar 03 2020 06:31 AM
The data that MCAS gets from different apps is saved according to retention policies for 180 days (for activities). Based on the aggregated data from different services MCAS is able to build a base-line that is then used for its anomaly detections.
In the specific case below, it might be a bug and a terminology issue.
If critical, a support case can be opened so our team can review the details.
Product manager, CAS
Mar 03 2020 06:39 AM
It's not a critical issue but the customer did ask why it shows "last 180 days" in the alert when he hasn't got 180 days worth of activity logs to review yet. It might be worth changing that value in the alerts to a dynamic value to reflect the duration of logs available if possible to prevent future confusion?
With regards to the 180 day activity log, is this a separate MCAS specific log stored somewhere that's not accessible to other services but is in effect populated by the connected services?
What I mean is are the entries in the MCAS Activity Log copies of logs from connected apps (ie Office 365 and Azure AD) and then kept in the MCAS log for 180 days, whereas if you reviewed the logs for the contributing source individually - ie Azure Sign In Logs for example, you will still only find the last 30 days?
Mar 03 2020 07:21 AMSolution