Advanced Security Management
4 Topics

Suspicious Session Detected - Azure Security in Question.

Daily, I receive notifications on suspicious sessions that were detected in our organization. What is concerning is that often some of these accounts were recently created. I have MFA enabled and conditional access, so the suspicious activity in itself is not concerning (they are all denied). What is concerning is how people (hackers/bots/etc.) are getting these accounts and attempting access, especially accounts that are recently created. There have been times that an account had this notification and was just created within days. In the old days, that would be a flag that a port is open that was allowing access to listing user accounts, but in Azure, one would think that is not the case. Is there something I need to tighten up to prevent these?

Setting up email alerts or automatic workflows for Connection errors (For both MCAS & DFI)

Hi, I am trying to set up alerts as a minimum if a connected app in Cloud App Security goes from status "Connected" to status "Connection Error". I would like the same for Defender for Identity if the sensors fail. Anybody have any experience on how this can be achieved? It would be great if such an alert could trigger an automatic workflow that e.g. creates a ticket in an ITSM system and assigns the responsible team depending on the app whose connection has failed. Really hope someone can help - I have been looking in MS Docu with no luck. Thanks 🙂

Certificate Pinning in MCAS

Hello MCAS Team, is there any approach/configuration from the MCAS perspective in regards to Certificate Pinning for trusting only certificates from a specific domain (activity related to devices, apps, identities, etc.)? Is any documentation available related to this? Thank you.

Supported firewall without delivering usernames?

Hi there, currently I'm struggling with the first tests in MCAS. I'm executing the tests in my DEV tenant or in a customer tenant. In both I have no possibility to use Defender for Endpoint, so I'm relying on the firewall logs. I already tested the continuous logfile upload via the logfile collector, but the results are never sufficient. I already found https://docs.microsoft.com/en-us/cloud-app-security/troubleshooting-cloud-discovery , but it is not helpful for an "internal error". But I wondered, why are there so many firewalls supported by MCAS without having the usernames in the Syslog? https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery#supported-firewalls-and-proxies- Shouldn't the username be one of the main criteria to visualize meaningful data in MCAS? If you are able to successfully upload firewall data without usernames, what do the results look like? Kind regards, woelki