cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and MCAS

Chris_321
Copper Contributor

‎Feb 18 2022 04:32 AM

‎Feb 18 2022 04:32 AM

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and MCAS

Hello,

 

What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and alerts reported by Azure AD Identity Protection in MCAS?

 

Offers additional connection value in Sentinel?

 

Regards.

745 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Chris_321 (Copper Contributor)
MattBurrows

‎Feb 22 2022 01:36 PM - edited ‎Feb 22 2022 01:40 PM

‎Feb 22 2022 01:36 PM - edited ‎Feb 22 2022 01:40 PM

Solution

Re: What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and M

Hi Chris,

I believe there really is no difference here. Its the same logic across both. I ended up disabling the sign in alerts in MCAS (or Defender for Cloud Apps now) due to duplicate alerts being pinged in Sentinel both from MCAS and AADIP. If you don't have Sentinel then of course keep those alerts turned on in MCAS.

 

The added value Sentinel brings is that you can do multiple stuff to these alerts, from running playbooks, Entity behaviour, linking in Threat Intel and much more.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Chris_321 (Copper Contributor)
MattBurrows

‎Feb 22 2022 01:36 PM - edited ‎Feb 22 2022 01:40 PM

‎Feb 22 2022 01:36 PM - edited ‎Feb 22 2022 01:40 PM

Solution

Re: What is the difference between alerts reported by Azure AD Identity Protection in Sentinel and M

Hi Chris,

I believe there really is no difference here. Its the same logic across both. I ended up disabling the sign in alerts in MCAS (or Defender for Cloud Apps now) due to duplicate alerts being pinged in Sentinel both from MCAS and AADIP. If you don't have Sentinel then of course keep those alerts turned on in MCAS.

 

The added value Sentinel brings is that you can do multiple stuff to these alerts, from running playbooks, Entity behaviour, linking in Threat Intel and much more.

View solution in original post

0 Likes
Reply