SOLVED

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and MCAS


Hello,

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and alerts reported by Azure AD Identity Protection in MCAS?

Does the connection to Sentinel offer additional value?

Regards.

1 Reply
best response confirmed by Chris_321 (Occasional Contributor)
Solution

Hi Chris,

I believe there really is no difference here. It's the same logic across both. I ended up disabling the sign-in alerts in MCAS (or Defender for Cloud Apps now) due to duplicate alerts being pinged in Sentinel both from MCAS and AADIP. If you don't have Sentinel then of course keep those alerts turned on in MCAS.

The added value Sentinel brings is that you can do multiple things with these alerts, from running playbooks, entity behaviour, linking in Threat Intel and much more.
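The duplication the answer describes can be confirmed in the workspace before (and after) turning the MCAS sign-in alerts off. The KQL below is an added example for this thread, not a query posted by the answerer or shipped by Microsoft; it assumes the Identity Protection connector writes alerts with `ProviderName == "IPC"` and Defender for Cloud Apps with `ProviderName == "MCAS"`, and that both populate `CompromisedEntity` with the affected user (verify both with `SecurityAlert | distinct ProviderName, ProductName` in your own tenant). It lists pairs of alerts from the two providers that hit the same user within an hour of each other, which is exactly the double-ping pattern that prompted the answer.

```kql
// Added example (not from the original thread): surface Identity Protection sign-in
// risk alerts that arrived in Sentinel twice, once via the Azure AD Identity
// Protection connector (AADIP) and once via Defender for Cloud Apps (MCAS).
// Assumption: ProviderName is "IPC" for AADIP and "MCAS" for Defender for Cloud Apps.
let lookback = 7d;            // how far back to look
let pair_window_min = 60;     // max minutes between the two copies of one alert
let aadip = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "IPC"
    | where isnotempty(CompromisedEntity)
    | project AadipTime = TimeGenerated, AadipAlert = AlertName,
              Entity = tolower(CompromisedEntity), AadipId = SystemAlertId;
let mcas = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "MCAS"
    | where isnotempty(CompromisedEntity)
    | project McasTime = TimeGenerated, McasAlert = AlertName,
              Entity = tolower(CompromisedEntity), McasId = SystemAlertId;
aadip
| join kind=inner mcas on Entity
// keep only pairs raised close together, i.e. the same sign-in reported twice
| where abs(datetime_diff("minute", AadipTime, McasTime)) <= pair_window_min
| project Entity, AadipTime, AadipAlert, McasTime, McasAlert, AadipId, McasId
| order by AadipTime desc
```

Run it once to size the overlap, then again a week after disabling the MCAS sign-in alerts: if the change took effect the MCAS side of the join dries up and the query returns nothing, while AADIP alerts keep flowing through the native connector. If you would rather keep both sources, the same join can feed an analytics rule that groups the pair into one incident instead of two.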