cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MCAS Activity policy match events but alerts are not created

alexts63
Copper Contributor

‎Nov 21 2021 08:43 PM

‎Nov 21 2021 08:43 PM

MCAS Activity policy match events but alerts are not created

Hi all,

 

I have created an MCAS Activity policy to detect O365 downloads from external IPs and generate an alert. When applying policies filters I can see events from activity log, but alerts are NOT generated.

Any suggestion where can be wrong?

 

Thanks!

Alex

 

1,053 Views
0 Likes
2 Replies
Reply
2 Replies
AnuragSrivastava

‎Nov 24 2021 05:21 AM

‎Nov 24 2021 05:21 AM

Re: MCAS Activity policy match events but alerts are not created

@alexts63
If possible, would you be able to share the snapshot of the policy which you have created.
0 Likes
Reply
best response confirmed by Trevor_Rusher (Community Manager)
JaredPoeppelman

‎Dec 03 2021 06:39 AM

‎Dec 03 2021 06:39 AM

Solution

Re: MCAS Activity policy match events but alerts are not created

You may already know this, but let's clarify a few things for anyone reading this post.

First, activity policies only work on a go-forward basis. Past activities are not evaluated for policy match. Instead, use the activity log investigation blade, to view similar activities from the past.

Second, once you have your activity policy in place, use the activity log view with the 'matched policy' filter to see any activities that get stamped as matching your policy. That can help determine if it is a policy not getting applied. If no activities match the policy filter, you should also check to see if the download test actions have appeared in the activity log yet, at all. MDCA cannot evaluated any activities that are not in that log.

Finally, there have been occasional delays in activity policy processing with MDCA. If you think your policy should be triggering but just isn't despite you seeing, you may need to open a support request.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Trevor_Rusher (Community Manager)
JaredPoeppelman

‎Dec 03 2021 06:39 AM

‎Dec 03 2021 06:39 AM

Solution

Re: MCAS Activity policy match events but alerts are not created

You may already know this, but let's clarify a few things for anyone reading this post.

First, activity policies only work on a go-forward basis. Past activities are not evaluated for policy match. Instead, use the activity log investigation blade, to view similar activities from the past.

Second, once you have your activity policy in place, use the activity log view with the 'matched policy' filter to see any activities that get stamped as matching your policy. That can help determine if it is a policy not getting applied. If no activities match the policy filter, you should also check to see if the download test actions have appeared in the activity log yet, at all. MDCA cannot evaluated any activities that are not in that log.

Finally, there have been occasional delays in activity policy processing with MDCA. If you think your policy should be triggering but just isn't despite you seeing, you may need to open a support request.

View solution in original post

0 Likes
Reply