Jan 12 2022 07:23 AM
MCAS portal has poor alert filtering capabilities.
Any thoughts on adding alert suppressions or something to make it more in line with the security.microsoft.com portal?
Sentinel has a new M365 Defender connector which pulls in all incidents from the MCAS and Defender portals. However, it's not desirable to have all of those incidents show up in Sentinel, so good alert suppression is needed. The MCAS portal is missing this.
Jan 12 2022 07:47 AM - edited Jan 12 2022 07:48 AM
I guess some examples would help.
Say you get "admin activity from non-corporate IP" or "multiple failed user logins to an app".
You'd have to edit the policy directly rather than create suppression rules for certain conditions.
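As an added illustration of the conditional suppression the thread asks for (this is example code, not a feature of MCAS or Sentinel), here is a Python filter that applies per-alert suppression rules to alert records on the Sentinel side before they would be promoted to incidents. The record fields (ProviderName, AlertName, Entities) are shaped after Sentinel's SecurityAlert table, but the sample rows, the alert names and the allow-listed IP range are constructed for the example.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample rows loosely shaped like Sentinel's SecurityAlert table
# (Entities is stored as a JSON string there). All values are made up.
SAMPLE_ALERTS = [
    {"ProviderName": "MCAS", "AlertName": "Admin activity from non-corporate IP",
     "Entities": json.dumps([{"Type": "ip", "Address": "203.0.113.25"}])},
    {"ProviderName": "MCAS", "AlertName": "Admin activity from non-corporate IP",
     "Entities": json.dumps([{"Type": "ip", "Address": "198.51.100.7"}])},
    {"ProviderName": "MCAS", "AlertName": "Multiple failed user logins to an app",
     "Entities": json.dumps([{"Type": "account", "Name": "svc-scanner"}])},
    {"ProviderName": "MDE", "AlertName": "Suspicious PowerShell command line",
     "Entities": json.dumps([{"Type": "host", "HostName": "wks01"}])},
]

# Assumed allow-list of known VPN egress ranges (constructed for this example).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class SuppressionRule:
    provider: str
    alert_name: str
    condition: Callable[[List[dict]], bool]  # gets parsed entities; True = suppress

def ip_in_known_egress(entities):
    """Suppress only when every IP entity falls inside a known egress range."""
    ips = [e["Address"] for e in entities if e.get("Type") == "ip"]
    return bool(ips) and all(
        any(ipaddress.ip_address(ip) in net for net in KNOWN_EGRESS) for ip in ips)

def account_is_known_scanner(entities):
    """Suppress when the failing account is the (hypothetical) scanner service account."""
    return any(e.get("Type") == "account" and e.get("Name") == "svc-scanner" for e in entities)

RULES = [
    SuppressionRule("MCAS", "Admin activity from non-corporate IP", ip_in_known_egress),
    SuppressionRule("MCAS", "Multiple failed user logins to an app", account_is_known_scanner),
]

def apply_suppression(alerts, rules):
    """Split alerts into (kept, suppressed); a rule only fires when provider, name and condition all match."""
    kept, suppressed = [], []
    for alert in alerts:
        entities = json.loads(alert.get("Entities") or "[]")
        hit = any(r.provider == alert["ProviderName"] and r.alert_name == alert["AlertName"]
                  and r.condition(entities) for r in rules)
        (suppressed if hit else kept).append(alert)
    return kept, suppressed
```

Suppressed alerts should still be logged somewhere auditable rather than dropped silently, so a rule that is too broad can be noticed and tightened.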