Jun 20 2019 12:02 PM
Jun 20 2019 12:02 PM
We are very happy to announce the new identity threat investigation experiance.
Which is the integraiton of Azure ATP, Azure AD identity protection and MCAS - you can now get the security value of these three identity focused security products in the same portal.
We would love to get your insights!
Jun 20 2019 10:18 PM
Jun 25 2019 03:15 AM - edited Jun 25 2019 03:19 AM
Hi @Yossi Basha
Very interesting to see this working - it took me a while to find the Top 5 Identities to investigate by Priority - I would suggest this should have a more prominent place on the dashboard?
Question: Like Sentinel, would it be possible to "edit" the Dashboard &/or get details of the KQL that generates this, it would be great to understand how these are created
For those that have implemented MCAS and have yet to *enable* the Azure ATP integration - best to make sure you have all of your <Internal> IP Address's listed in MCAS > IP Address. It could be that we (I) did something stupid, but within the 12 hours or so of enabling this we were seeing loads of Alerts for "Login from outside Australia" even though the originating Client IP Address was internal 10.x.x.x
So it does seem that the MCAS Tool does not automatically assume that 10.x.x.x is internal, then as we were updating the <Internal> IP's it did occur to us that it's probably not a good idea to list the ADFS Server as Internal? Wouldn't we want incoming requests from this to be checked more closely?
Jun 25 2019 04:35 AM
@David Caddick thanks for sharing your insights.
Yes, the top users to investigate will soon become more prominent and will also be represented in more aspects of the product.
You are not able to edit the dashboard in MCAS but i'd love for you to share your asks in a direct message.
Thanks for the private IP address note, i'll work internally on that.
Jun 25 2019 04:36 AM
@jlouden Yes, we are working to get alerts and activities from more M365 sources into the investigation priority engine.
Jun 26 2019 07:59 PM
Hey @David Caddick
We didn't need to include internal IP ranges in MCAS. We only did the external IP's where MCAS would see traffic coming from, then we had fun adding all of our clients external IP's. ONce we had those two in-place MCAS correctly ID'd locations regardless of internal IP.
Jun 26 2019 08:11 PM
Do you have inegration with Azure ATP turned on?
That seems to be the catalyst that started the "barrage" of misunderstanding about 10.x.x.x being an external address as far as the logic goes cause that's what the alerts are now saying...?
Jun 26 2019 08:37 PM
Hey @David Caddick
Yes, mind you we had all sorts of issue's getting that integration running, actually between wdatp, aata, and MCAS they just didn't play nice. In the end the PG team "reset" the 3, since then it has been running without issue. Just suffering portal fatigue while waiting for the Unified Console\portal to come along.
Jun 26 2019 08:58 PM
@jlouden Aha - ATA, not Azure ATP? That makes sense, I'm suspecting that there is something going on here that is causing the 10.x.x.x to be flagged as external somehow. Have you also got Sentinel up and compared that to the MD ATP Advanced Threat hunting - I can't understand how two similar tools have such different UI's...
Jun 26 2019 09:03 PM
@David Caddick Sorry minor typo...it is Azure ATP...to many TLA's!!
Haven't got sentinel up yet...that is next week. I'll let you know what I find.
I also had a look our internal's are 172.16.x.x and they are being labelled correctly, as are the IPv6's (which was a surprise).
Jul 03 2019 09:00 PM
Very well put together.
Reading thru the documentation here.
I was curious if there is anymore information that describes how the priority score is created?
"Use the Investigation priority score to determine which users to investigate first. Cloud App Security builds user profiles for each user based on analytics that take time, peer groups, and expected user activity into consideration. Activity that is anomalous to a user's baseline is evaluated and scored. "
Aug 02 2019 08:39 AM
@Yossi Basha For all the new threat detection policies in MCAS why can't they be viewed or edited ?
Aug 02 2019 10:04 AM
@Yossi Basha _ Hey never mind I just discovered that you can edit / view the policy by selecting adjust policy on the alert