Feb 18 2022 04:32 AM
Hello,
What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and alerts reported by Azure AD Identity Protection in MCAS?
Does it offer additional connection value in Sentinel?
Regards.
Feb 22 2022 01:36 PM - edited Feb 22 2022 01:40 PM
Solution
Hi Chris,
I believe there really is no difference here. It's the same logic across both. I ended up disabling the sign-in alerts in MCAS (or Defender for Cloud Apps now) due to duplicate alerts being pinged in Sentinel both from MCAS and AADIP. If you don't have Sentinel then of course keep those alerts turned on in MCAS.
The added value Sentinel brings is that you can do multiple things with these alerts, from running playbooks, entity behaviour, linking in Threat Intel and much more.