Forum Discussion
Investigating identity threats in hybrid on prem and cloud environments
Hey David Caddick
We didn't need to include internal IP ranges in MCAS. We only did the external IPs where MCAS would see traffic coming from, then we had fun adding all of our clients' external IPs. Once we had those two in place MCAS correctly ID'd locations regardless of internal IP.
Cheers
JL
Hi jlouden,
Do you have integration with Azure ATP turned on?
That seems to be the catalyst that started the "barrage" of misunderstanding about 10.x.x.x being an external address as far as the logic goes cause that's what the alerts are now saying...?
- jlouden, Jun 27, 2019, Brass Contributor
Hey David Caddick
Yes, mind you we had all sorts of issues getting that integration running, actually between WDATP, AATP, and MCAS they just didn't play nice. In the end the PG team "reset" the 3, since then it has been running without issue. Just suffering portal fatigue while waiting for the Unified Console/portal to come along.
- David Caddick, Jun 27, 2019, Iron Contributor
jlouden Aha - ATA, not Azure ATP? That makes sense, I'm suspecting that there is something going on here that is causing the 10.x.x.x to be flagged as external somehow. Have you also got Sentinel up and compared that to the MD ATP Advanced Threat hunting - I can't understand how two similar tools have such different UIs...
- jlouden, Jun 27, 2019, Brass Contributor
David Caddick Sorry, minor typo...it is Azure ATP...too many TLAs!!
Haven't got Sentinel up yet...that is next week. I'll let you know what I find.
I also had a look; our internals are 172.16.x.x and they are being labelled correctly, as are the IPv6s (which was a surprise).
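The mislabelling discussed in this thread (a 10.x.x.x source shown as external while 172.16.x.x and IPv6 addresses come out right) can be checked for outside the portal. The script below is an added example, not code from the thread or from Microsoft: it classifies addresses against the RFC 1918 and IPv6 ULA ranges, flags exported alert records whose location label disagrees with the address class, and checks that a configured "external IP" range list contains no private space. The range list and alert records are constructed sample data, and the record fields (`ip`, `label`) are an assumption about the export format.

```python
import ipaddress

# Address space that should always be labelled "internal": RFC 1918,
# loopback and link-local for IPv4; ULA, loopback and link-local for IPv6.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]

# Constructed "external IP" ranges as an admin might enter them in MCAS.
# The last entry is a deliberate mistake: private space listed as external.
CONFIGURED_EXTERNAL_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "10.0.0.0/8"]

# Constructed alert records; only the source address and the portal's
# location label matter for this check.
SAMPLE_ALERTS = [
    {"id": 1, "ip": "10.1.2.3", "label": "external"},     # the mislabel from the thread
    {"id": 2, "ip": "172.16.5.9", "label": "internal"},
    {"id": 3, "ip": "fd12:3456::1", "label": "internal"},  # IPv6 ULA
    {"id": 4, "ip": "203.0.113.7", "label": "external"},
    {"id": 5, "ip": "2001:db8::10", "label": "external"},
]


def is_internal(addr: str) -> bool:
    """True when the address falls inside any internal network (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def misplaced_private_ranges(ranges):
    """Configured 'external' entries that overlap private/internal space."""
    bad = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if any(net.overlaps(internal) for internal in INTERNAL_NETWORKS):
            bad.append(r)
    return bad


def inconsistent_alerts(alerts):
    """Ids of alerts whose location label disagrees with the address class."""
    ids = []
    for a in alerts:
        expected = "internal" if is_internal(a["ip"]) else "external"
        if a["label"] != expected:
            ids.append(a["id"])
    return ids


if __name__ == "__main__":
    print("misplaced external ranges:", misplaced_private_ranges(CONFIGURED_EXTERNAL_RANGES))
    print("inconsistent alert ids:", inconsistent_alerts(SAMPLE_ALERTS))
```

Run against a real alert export, a non-empty result from `inconsistent_alerts` is the quickest way to show the labelling problem is in the source data rather than in a single dashboard.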