Jun 12 2019 12:05 AM
Hi All,
Can anyone help with letting us know why we can't see Azure ATP or MCAS details in the Sentinel logs?
We have connected via the Data Connector page, but Azure ATP is still showing "connected" with no data at all; the same with MCAS, it shows as connected but nothing is coming through to Sentinel, even though both tools have data and alerts coming through on their own consoles, but nothing is coming through to Sentinel...?
Jun 12 2019 12:34 AM
Hello @David Caddick
So you see 'connected' but not a timestamp, as per this screenshot? How long have you waited, as there may be some latency after you first connect the solution?
You will also have to wait for a new SecurityAlert to come through the connector (I believe it doesn't look back at old data). The default query looks at the last 24 hrs (you can change that); when a new alert fires you should see it.
SecurityAlert | where ProviderName == "MCAS" | summarize by TimeGenerated
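An added check for the 'connected but no data' situation (this is example KQL added here, not part of the reply above): rather than summarizing one provider by TimeGenerated, list every provider that has written to SecurityAlert and when its last alert arrived. A provider missing from the output has delivered nothing in the window; the 30-day lookback is an assumption, widen it if the connector was enabled earlier.

```kql
// Added example: per-provider freshness of SecurityAlert ingestion.
// Assumed lookback of 30 days; adjust to when the connector was enabled.
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize FirstAlert = min(TimeGenerated),
            LastAlert  = max(TimeGenerated),
            Alerts     = count() by ProviderName
// hours since the provider last delivered anything
| extend HoursSinceLast = datetime_diff('hour', now(), LastAlert)
| sort by LastAlert desc
```

A provider that shows "connected" on the Data Connector page but does not appear in this result has not produced a single SecurityAlert row in the window, which separates "connector not working" from "no alert has fired yet".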
Jun 12 2019 12:53 AM
Jun 12 2019 01:05 AM
Maybe; however, you have the same screen as me. I've just not had any alert trigger in ATP to show up; have you, in the past 24 hrs / since you enabled the connector?
Have you waited at least 24 hrs? (You shouldn't have to after first connecting; this is just in case there are any service blips, as this is a preview.)
The logs will show which Alerts if any have arrived.
SecurityAlert | where ProviderName == 'Azure Advanced Threat Protection' | summarize count() by TimeGenerated
Jun 12 2019 01:11 AM
@CliveWatson I have just received a reply from Ofer @ MS that the ATP & MCAS connectors were via a Private Preview, which is now closed. But clearly the MCAS element works for you, and I have now checked again and this is working for me based on your KQL query syntax, so that's OK for MCAS now.
He mentioned that GA is towards the end of the month...?
No AATP Alerts till then - but MCAS is working as expected
;)
Now I just need to find some Hunting examples that combine Sentinel + MCAS + Azure ATP - or make my own?
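One way to start on the hunting side asked about above (an added example written for this thread, not one of the original poster's or Microsoft's queries): correlate SecurityAlert rows from both providers on the account entity they name, and surface accounts that appear in alerts from more than one provider. The ProviderName values are the ones used earlier in this thread; the 7-day window and the entity field names (Type, Name, UPNSuffix inside the Entities JSON) are assumptions about the SecurityAlert schema.

```kql
// Added example: accounts named by alerts from more than one provider.
// Assumptions: 7-day window; Entities is a JSON array of entity objects
// with Type / Name / UPNSuffix fields for account entities.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName in ("MCAS", "Azure Advanced Threat Protection")
// one row per entity referenced by the alert
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "account"
| extend Name = tostring(Entity.Name), Suffix = tostring(Entity.UPNSuffix)
// normalise to a UPN-style key so both providers land on the same value
| extend Account = tolower(iff(isempty(Suffix), Name, strcat(Name, "@", Suffix)))
| summarize Providers  = make_set(ProviderName),
            AlertNames = make_set(AlertName),
            Alerts     = count(),
            LastSeen   = max(TimeGenerated) by Account
// keep only accounts seen by both providers
| where array_length(Providers) > 1
| sort by LastSeen desc
```

Until the Azure ATP connector delivers alerts, the filter on more than one provider returns nothing; dropping that last `where` shows the per-account MCAS view on its own, which is a useful sanity check that the entity parsing matches the data.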
Jun 12 2019 01:11 AM
I have two other useful queries; the 2nd I have pinned to an Azure dashboard:
// who is providing alerts
SecurityAlert | summarize count() by ProviderName
// which alerts and names, sorted by severity
// (desc on the AlertSeverity string sorts alphabetically: Medium, Low, Informational, High, as in the output below)
SecurityAlert | summarize count() by ProviderName, AlertName, AlertSeverity | sort by AlertSeverity desc
Example output of the 2nd query:
ProviderName | AlertName | AlertSeverity | count_ |
---|---|---|---|
MCAS | Impossible travel activity | Medium | 2 |
ASI Scheduled Alerts | AWS - Login to AWS Management Console without MFA | Medium | 1 |
ASI Scheduled Alerts | Signins from IP's that attempted to sign in to disabled accounts | Medium | 1 |
ASI Scheduled Alerts | User Account Created and Deleted within 24 hours | Medium | 1 |
Detection | Failed SSH brute force attack | Medium | 2 |
ASI Scheduled Alerts | Base64 encoded Windows executables in process commandlines | Medium | 1 |
ASI Scheduled Alerts | Kerberos service ticket was requested | Medium | 1 |
AdaptiveNetworkHardenings | Traffic from unrecommended IP addresses was detected | Low | 1 |
Detection | An event log was cleared | Informational | 2 |
ASI Scheduled Alerts | DNS tor proxies | Informational | 1 |
ASI Scheduled Alerts | Malware in the recycle bin | High | 1 |
ASI Scheduled Alerts | AWS - Monitor Credential abuse or hijack | High | 1 |
Jun 12 2019 01:16 AM
Thanks for the update (I missed that the preview was closed), I share the same demo system as @Ofer ;)
Jun 12 2019 01:19 AM
@CliveWatson I'd give you at least 5 likes for that if the system let me.
Thanks for sharing
Jun 12 2019 01:21 AM