Dec 13 2023 04:44 AM
Greetings
I feel I need to get some input on a serious omission I came across today on Sentinel's part. A user had somehow gotten fed up with MFA notifications on the Microsoft Authenticator (we use number matching), and the user opted to deny several notifications. This caused Entra ID Protection to flag the user as compromised and lock the user's account. So far everything went according to plan.
However, none of this appeared in our Sentinel tenant, which has a data connector to Entra ID Protection and is reporting other Entra ID Protection events. Since we do not have SOC monitoring on anything but Sentinel, this omission caused the user to be denied access to Office 365 for longer than was intended.
So far I've dug up the event from the AADUserRiskEvents Log Analytics table, which lists the event as expected.
But there is no listing in any Sentinel-related tables like SecurityAlerts, and there is no trace whatsoever in Sentinel for the incident in question.
Am I missing something or is there a bug somewhere?
Regards
Fredrik
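One way to check the gap described in the post is to line up the risk detections in AADUserRiskEvents against what the Entra ID Protection connector actually wrote to SecurityAlert for the same user in the same window. This is an added example, not from the original post or from Microsoft; the UPN and lookback are placeholders, and the ProviderName value "IPC" is an assumption about how Identity Protection alerts are tagged in your tenant.

```kql
// Added example (not part of the original thread).
// Compare Identity Protection risk detections in AADUserRiskEvents with
// alerts that reached Sentinel's SecurityAlert table for the same user.
// Assumptions: placeholder UPN and lookback; ProviderName "IPC" is assumed
// to be the Identity Protection provider tag, adjust if your tenant differs.
let lookback = 1d;
let upn = "user@example.com";   // placeholder, replace with the affected account
let riskEvents = AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ upn
    | project RiskTime = TimeGenerated, UserPrincipalName,
              RiskEventType, RiskLevel, RiskState, DetectionTimingType;
let ipAlerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "IPC"             // assumed Identity Protection tag
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity,
              CompromisedEntity, ProviderName;
// Left-outer join: every risk event stays, with the matching alert if any.
riskEvents
| join kind=leftouter ipAlerts
    on $left.UserPrincipalName == $right.CompromisedEntity
| extend ReachedSentinel = isnotempty(AlertName)
| project RiskTime, UserPrincipalName, RiskEventType, RiskLevel, RiskState,
          DetectionTimingType, ReachedSentinel, AlertTime, AlertName, AlertSeverity
| order by RiskTime desc
```

Rows with ReachedSentinel == false are detections that landed in Log Analytics but never produced a Sentinel alert, which is the condition the post describes; run it without the UPN filter to see whether the gap is user-specific or affects every risk event type.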
Dec 13 2023 06:15 AM
Dec 14 2023 12:00 AM