Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and MCAS

Copper Contributor

Hello,

 

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and alerts reported by Azure AD Identity Protection in MCAS?

 

Offers additional connection value in Sentinel?

 

Regards.

1 Reply
best response confirmed by Chris_321 (Copper Contributor)
Solution

Hi Chris,

I believe there really is no difference here. Its the same logic across both. I ended up disabling the sign in alerts in MCAS (or Defender for Cloud Apps now) due to duplicate alerts being pinged in Sentinel both from MCAS and AADIP. If you don't have Sentinel then of course keep those alerts turned on in MCAS.

 

The added value Sentinel brings is that you can do multiple stuff to these alerts, from running playbooks, Entity behaviour, linking in Threat Intel and much more.

1 best response

Accepted Solutions
best response confirmed by Chris_321 (Copper Contributor)
Solution

Hi Chris,

I believe there really is no difference here. Its the same logic across both. I ended up disabling the sign in alerts in MCAS (or Defender for Cloud Apps now) due to duplicate alerts being pinged in Sentinel both from MCAS and AADIP. If you don't have Sentinel then of course keep those alerts turned on in MCAS.

 

The added value Sentinel brings is that you can do multiple stuff to these alerts, from running playbooks, Entity behaviour, linking in Threat Intel and much more.

View solution in original post