MCAS (or now Microsoft Defender for Cloud Apps) policy alerts syncing to Microsoft Sentinel

I have a couple of session policies (block downloads/block malware uploads) and one access policy (blocking access from unmanaged devices) set up in MCAS (or now Microsoft Defender for Cloud Apps).


An issue I have is that the policies ONLY forward alerts to Microsoft Sentinel when they are closed in MCAS. They are not 'raising' alerts for any other possible trigger.


Alert syncing is switched on in MCAS (or Microsoft Defender for Cloud Apps) AND SecurityAlert logs appear in Sentinel.


Has anyone come across this, where NOT all alerts in MCAS are sent on to a SIEM such as Sentinel?


WHAT is the best practice to ensure alerts are triggered in an MCAS policy? Is this primarily defined by rule definitions, alert thresholds, filters and governance actions, or policy severity settings?


Thanks in advance
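A way to check what the poster describes from the Sentinel side, as an added example that is not part of the original post: the KQL below lists the Defender for Cloud Apps alerts that actually reached the SecurityAlert table, when each was first raised versus when Sentinel first saw it, and which status values ever arrived. It assumes the standard SecurityAlert columns (TimeGenerated, StartTime, Status, AlertName, AlertSeverity, SystemAlertId) and that alerts from the Defender for Cloud Apps connector carry ProviderName "MCAS"; adjust the provider filter if your workspace shows a different value.

```kql
// Added example, not from the original post.
// Inventory of Defender for Cloud Apps alerts in the last 30 days and how late
// each one arrived relative to the time the alert was raised in the product.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "MCAS"                  // assumption: connector's provider name
| summarize FirstSeenInSentinel = min(TimeGenerated),   // first ingestion of this alert
            AlertRaised         = min(StartTime),       // when the alert started in MCAS
            StatusValues        = make_set(Status)      // every status Sentinel ever received
          by SystemAlertId, AlertName, AlertSeverity
| extend IngestLagMinutes = datetime_diff("minute", FirstSeenInSentinel, AlertRaised)
| project AlertName, AlertSeverity, SystemAlertId,
          AlertRaised, FirstSeenInSentinel, IngestLagMinutes, StatusValues
| order by IngestLagMinutes desc
```

If every row's StatusValues contains only a closed/resolved state and IngestLagMinutes is consistently large, the symptom described above (alerts appearing only after closure) is confirmed from the data; rows with a small lag and an open status show the sync is working for those policies, which narrows the problem to policy configuration rather than the connector.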
