Finding MCAS Policy Changes


Background: I've got these connectors to Sentinel working...

Microsoft 365 Defender (Preview)

Office 365

and I want to alert on changes made to MCAS policies, which I would think would appear in the former. But I'm not seeing them. For example, I had an alert on the Remote Code Execution Attempt policy. It was legitimate activity, so I edited the policy to make an exception. I want to see an audit trail of that exception but I'm not finding it in Sentinel. Any ideas?

1 Reply
By default this is not in the current connectors.
You should see this in the Unified Audit log of Office 365. There isn't a default connector for this, but there are plenty of solutions available.
Check out this URL: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-protect-office-365-with-azure-sentinel/...