Investigating identity threats in hybrid on prem and cloud environments

Microsoft

We are very happy to announce the new identity threat investigation experiance.
Which is the integraiton of Azure ATP, Azure AD identity protection and MCAS - you can now get the security value of these three identity focused security products in the same portal.

https://www.microsoft.com/security/blog/2019/06/20/investigating-identity-threats-hybrid-cloud-envir...

We would love to get your insights!

14 Replies
Hi Yossi, Any plans to folder in alerts\events from 365 security, eg ZAP'd emailed that was found in a users inbox? Regards John L

Hi @Yossi Basha 

Very interesting to see this working - it took me a while to find the Top 5 Identities to investigate by Priority - I would suggest this should have a more prominent place on the dashboard?

 

Question: Like Sentinel, would it be possible to "edit" the Dashboard &/or get details of the KQL that generates this, it would be great to understand how these are created 

 

For those that have implemented MCAS and have yet to *enable* the Azure ATP integration - best to make sure you have all of your <Internal> IP Address's listed in MCAS > IP Address. It could be that we (I) did something stupid, but within the 12 hours or so of enabling this we were seeing loads of Alerts for "Login from outside Australia" even though the originating Client IP Address was internal 10.x.x.x

 

So it does seem that the MCAS Tool does not automatically assume that 10.x.x.x is internal, then as we were updating the <Internal> IP's it did occur to us that it's probably not a good idea to list the ADFS Server as Internal? Wouldn't we want incoming requests from this to be checked more closely?

@David Caddick thanks for sharing your insights.

Yes, the top users to investigate will soon become more prominent and will also be represented in more aspects of the product.

You are not able to edit the dashboard in MCAS but i'd love for you to share your asks in a direct message.

Thanks for the private IP address note, i'll work internally on that.

@jlouden Yes, we are working to get alerts and activities from more M365 sources into the investigation priority engine.

Hey @David Caddick 

 

We didn't need to include internal IP ranges in MCAS. We only did the external IP's where MCAS would see traffic coming from, then we had fun adding all of our clients external IP's. ONce we had those two in-place MCAS correctly ID'd locations regardless of internal IP.

 

Cheers

JL

Hi @jlouden,

 

Do you have inegration with Azure ATP turned on?

That seems to be the catalyst that started the "barrage" of misunderstanding about 10.x.x.x being an external address as far as the logic goes cause that's what the alerts are now saying...? 

Hey @David Caddick 

 

Yes, mind you we had all sorts of issue's getting that integration running, actually between wdatp, aata, and MCAS they just didn't play nice. In the end the PG team "reset" the 3, since then it has been running without issue. Just suffering portal fatigue while waiting for the Unified Console\portal to come along.

@jlouden Aha - ATA, not Azure ATP? That makes sense, I'm suspecting that there is something going on here that is causing the 10.x.x.x to be flagged as external somehow. Have you also got Sentinel up and compared that to the MD ATP Advanced Threat hunting - I can't understand how two similar tools have such different UI's...

@David Caddick Sorry minor typo...it is Azure ATP...to many TLA's!!

 

Haven't got sentinel up yet...that is next week. I'll let you know what I find.

 

I also had a look our internal's are 172.16.x.x and they are being labelled correctly, as are the IPv6's (which was a surprise). 


 

 

Very well put together.

Reading thru the documentation here.

https://docs.microsoft.com/en-us/cloud-app-security/tutorial-ueba

 

I was curious if there is anymore information that describes how the priority score is created?

 

"Use the Investigation priority score to determine which users to investigate first. Cloud App Security builds user profiles for each user based on analytics that take time, peer groups, and expected user activity into consideration. Activity that is anomalous to a user's baseline is evaluated and scored. "

@Yossi Basha 

@Yossi Basha  For all the new  threat detection policies in MCAS  why can't they be viewed  or edited ?  

@Yossi Basha  _ Hey never mind  I just discovered that you can edit  / view the policy by selecting  adjust policy on  the alert