Finding MCAS Policy Changes


Background: I've got these connectors to Sentinel working...


Microsoft 365 Defender (Preview)

Office 365


and I want to alert on changes made to MCAS policies, which I would think would appear in the former. But I'm not seeing them. For example, I had an alert on the Remote Code Execution Attempt policy. It was legitimate activity, so I edited the policy to make an exception. I want to see an audit trail of that exception but I'm not finding it in Sentinel. Any ideas?



1 Reply
By default this is not in the current connectors.
You should see this in the Unified Audit log of Office 365. There isn't a default connector for this, but there are plenty of solutions available.
Check out this URL: