Microsoft Tech Community

Can't see Azure ATP or MCAS in Sentinel?


Hi All,


Can anyone help with letting us know why we can't see Azure ATP or MCAS details in the Sentinel logs?

 

We have connected via the Data Connector page, but Azure ATP is still showing "connected" with no data at all. Same with MCAS: it shows as connected but nothing is coming through to Sentinel, even though both tools have data and alerts coming through on their own consoles, yet nothing comes through to Sentinel...?

8 Replies

Hello @David Caddick 

 

So you see 'connected' but not a timestamp as per this screenshot? How long have you waited, as there may be some latency after you first connect the solution?

You will also have to wait for a new SecurityAlert to come through the connector (I don't believe it looks back at old data). The default query looks at the last 24hrs (you can change that); when a new Alert fires you should see it.

 

SecurityAlert
| where ProviderName == "MCAS"
| summarize by TimeGenerated

 

 

@CliveWatson Here is what I get in Azure ATP:

Looks like I might have to disconnect/reconnect?


[Screenshot: Azure ATP data connector page in Sentinel]

@David Caddick 

 

Maybe, however you have the same screen as myself - I've just not had any Alert trigger in ATP to show up, have you in the past 24hrs / since you enabled the connector? 

Have you waited at least 24hrs? (You shouldn't have to after first connecting; this is just in case there are any service blips, as this is a preview.)

 

The logs will show which Alerts if any have arrived.

 

SecurityAlert
| where ProviderName == 'Azure Advanced Threat Protection'
| summarize count() by TimeGenerated
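Added example, not from the thread or from either poster: a single query that answers the "connected but no data" question for both providers at once. It widens the window to 30 days so a connector that has never delivered anything shows up as missing rather than as a zero row, and it distinguishes that case from a provider that has sent alerts but none in the last 24h. It assumes the SecurityAlert columns used in the thread (ProviderName, TimeGenerated) and the two ProviderName values quoted above.

```kql
// Added example (not from the thread): has anything arrived from each
// connector at all, and how long ago?
// Assumes Sentinel's SecurityAlert schema and the ProviderName values
// quoted in this thread.
let lookback = 30d;   // wider than the 24h default so a silent connector is visible
let expected = datatable(ProviderName:string)
    ["MCAS", "Azure Advanced Threat Protection"];
expected
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize AlertCount = count(),
                FirstSeen  = min(TimeGenerated),
                LastSeen   = max(TimeGenerated)
              by ProviderName
  ) on ProviderName
| project-away ProviderName1
| extend AlertCount = coalesce(AlertCount, 0)
// null LastSeen (provider never seen) propagates to a null HoursSinceLast
| extend HoursSinceLast = datetime_diff('hour', now(), LastSeen)
| extend Status = case(
        isnull(LastSeen),    "no alerts in lookback: connector never delivered, or no alert has fired yet",
        HoursSinceLast > 24, "connected, but nothing in the last 24h",
                             "receiving")
| project ProviderName, Status, AlertCount, FirstSeen, LastSeen, HoursSinceLast
```

A "no alerts in lookback" row is exactly the situation in the question; the query cannot tell a broken connector from a tenant that simply has not raised an alert yet, which is why the advice above about waiting for a new alert to fire still applies.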

@CliveWatson I have just received a reply from Ofer @ MS that the ATP & MCAS were via a Private Preview - this is now closed, but clearly the MCAS element works for you & I have now checked again and this is working for me based on your KQL Query syntax - so that's OK for MCAS now.

He mentioned that GA is towards the end of the month...?

No AATP Alerts till then - but MCAS is working as expected

;)

 

Now I just need to find some Hunting examples that combine Sentinel + MCAS + Azure ATP - or make my own?
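Added example, not from the thread or from either poster, as one starting point for the hunting question above: it pairs MCAS and Azure ATP alerts that name the same account within 24 hours of each other, so a cloud-app anomaly and an on-premises identity alert for the same user surface as one row. It assumes Sentinel's SecurityAlert schema, in particular that Entities is a JSON array whose account entries carry Type == "account", Name and UPNSuffix, and the ProviderName values quoted in this thread.

```kql
// Added example (not from the thread): correlate MCAS and Azure ATP alerts
// on the same account within a 24h window.
// Assumes the Sentinel SecurityAlert schema (Entities JSON with account
// entities of the form {"Type":"account","Name":..,"UPNSuffix":..}).
let window = 24h;
let accountAlerts =
    SecurityAlert
    | where TimeGenerated > ago(30d)
    | where ProviderName in ("MCAS", "Azure Advanced Threat Protection")
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) == "account" and isnotempty(tostring(Entity.Name))
    // normalise to a lower-case UPN so both providers key on the same string
    | extend Account = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
    | project TimeGenerated, ProviderName, AlertName, AlertSeverity, Account, SystemAlertId;
accountAlerts
| where ProviderName == "MCAS"
| project-rename McasTime = TimeGenerated, McasAlert = AlertName,
                 McasSeverity = AlertSeverity, McasAlertId = SystemAlertId
| join kind=inner (
    accountAlerts
    | where ProviderName == "Azure Advanced Threat Protection"
    | project-rename AatpTime = TimeGenerated, AatpAlert = AlertName,
                     AatpSeverity = AlertSeverity, AatpAlertId = SystemAlertId
  ) on Account
| where AatpTime between ((McasTime - window) .. (McasTime + window))
| extend Gap = AatpTime - McasTime   // negative when the Azure ATP alert came first
| project Account, McasTime, McasAlert, McasSeverity,
          AatpTime, AatpAlert, AatpSeverity, Gap, McasAlertId, AatpAlertId
| sort by McasTime desc
```

The two SystemAlertId columns are kept so a hit can be traced back to the original alerts in either console; if an account entity has no UPNSuffix the key degrades to "name@", which is worth checking before trusting a match.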

@David Caddick 

 

I have two other useful queries, the 2nd I have pinned to an Azure dashboard

// who is providing alerts
SecurityAlert
| summarize count() by ProviderName

// which alerts and names, sorted by severity
SecurityAlert
| summarize count() by ProviderName, AlertName, AlertSeverity 
| sort by AlertSeverity desc 

 

example of 2nd query:


| ProviderName | AlertName | AlertSeverity | count_ |
|---|---|---|---|
| MCAS | Impossible travel activity | Medium | 2 |
| ASI Scheduled Alerts | AWS - Login to AWS Management Console without MFA | Medium | 1 |
| ASI Scheduled Alerts | Signins from IP's that attempted to sign in to disabled accounts | Medium | 1 |
| ASI Scheduled Alerts | User Account Created and Deleted within 24 hours | Medium | 1 |
| Detection | Failed SSH brute force attack | Medium | 2 |
| ASI Scheduled Alerts | Base64 encoded Windows executables in process commandlines | Medium | 1 |
| ASI Scheduled Alerts | Kerberos service ticket was requested | Medium | 1 |
| AdaptiveNetworkHardenings | Traffic from unrecommended IP addresses was detected | Low | 1 |
| Detection | An event log was cleared | Informational | 2 |
| ASI Scheduled Alerts | DNS tor proxies | Informational | 1 |
| ASI Scheduled Alerts | Malware in the recycle bin | High | 1 |
| ASI Scheduled Alerts | AWS - Monitor Credential abuse or hijack | High | 1 |
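Added example, not from the thread or from the poster: the output above shows Medium rows ahead of High because AlertSeverity is a string, so `sort by AlertSeverity desc` orders it alphabetically (Medium, Low, Informational, High). Mapping the severity to a numeric rank before sorting puts High first, which matters when this query is the one pinned to a dashboard. It assumes the same SecurityAlert columns as the query above and the four severity values visible in the output.

```kql
// Added example (not from the thread): the same breakdown by provider and
// alert name, sorted by real severity rather than by the severity string.
// Assumes the AlertSeverity values seen in the thread's output.
SecurityAlert
| where TimeGenerated > ago(7d)
| extend SeverityRank = case(
        AlertSeverity == "High",          4,
        AlertSeverity == "Medium",        3,
        AlertSeverity == "Low",           2,
        AlertSeverity == "Informational", 1,
        0)   // anything unexpected sorts last instead of disappearing
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
          by ProviderName, AlertName, AlertSeverity, SeverityRank
| sort by SeverityRank desc, Alerts desc
| project-away SeverityRank
```

Keeping a LastSeen column alongside the count makes it obvious on the dashboard when a high-severity row is stale rather than current.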

 

@David Caddick 

 

Thanks for the update (I missed that the preview was closed), I share the same demo system as @Ofer ;)

@CliveWatson I'd give you at least 5 likes for that if the system let me.

Thanks for sharing

Simple, just get a job with us at Microsoft ;)