SOLVED

UEBA - User contact information


When investigating a user and reviewing details on the UEBA page, under User contact information, why can I not see the user's mobile number? This is the most important detail I'm looking for, so that I can "call" the user "out of band" of the Email/Teams/etc. that may or may not be compromised, to confirm whether this is a FP, TP or BTP result.


Under User there is an Object ID listed. This is a match to the specific "Object Id" for the user in Azure AD, even though under the AAD User Profile blade both the Office Phone and the Mobile phone are listed for this user.

Question: why can we not list the user's mobile, or both? Why would we have this wonderfully easy UI that does all the hard work, and then it does not even identify "what" phone number it is, nor does it pull both through? This does seem like it wasn't quite finished off, perhaps? ;-(

4 Replies
best response confirmed by David Caddick (Frequent Contributor)
Solution

Hi, @David Caddick 


This is good and valuable, thanks for sharing. I just passed it around to the team in charge.


@Yoann Mallet @Gal Zilberstein the one other aspect that would be awesome in MCAS is to get Azure MFA & Conditional Access coming through. This would enable a much better Alert/Incident filter to balance against "Impossible Travel" alerts.


Thoughts:

User X successfully logs in from outside <home country>

IF CA fires & Azure MFA satisfied correctly --> mark as informational only

IF CA fires & Azure MFA not satisfied --> mark as High Alert + Email directly to Admins + enact Governance triggers to block/suspend User pending change of password & Azure MFA, etc...
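The triage rule sketched in the post above, written out as a small detection routine that runs over sign-in records. This is an added example, not code from the thread or from MCAS; the record fields (`country`, `password_accepted`, `ca_applied`, `mfa_satisfied`), the home country and the sample records are all constructed assumptions, and the handling of the case the post does not cover (CA did not fire at all) is an assumption too.

```python
"""Triage foreign sign-ins using Conditional Access (CA) and MFA outcome.

Added example, not part of the original thread. Field names and records
are constructed; map them onto whatever your sign-in log actually exposes.
"""
from typing import Dict, List, Optional

HOME_COUNTRY = "AU"  # assumption: the tenant's home country

# Constructed sample records (not real log data). `password_accepted` is the
# first-factor result; `mfa_satisfied` is None when CA never required MFA.
SAMPLE_SIGNINS: List[Dict] = [
    {"user": "alice", "country": "AU", "password_accepted": True,
     "ca_applied": False, "mfa_satisfied": None},
    {"user": "bob", "country": "DE", "password_accepted": True,
     "ca_applied": True, "mfa_satisfied": True},
    {"user": "carol", "country": "BR", "password_accepted": True,
     "ca_applied": True, "mfa_satisfied": False},
    {"user": "dave", "country": "US", "password_accepted": True,
     "ca_applied": False, "mfa_satisfied": None},
    {"user": "erin", "country": "US", "password_accepted": False,
     "ca_applied": True, "mfa_satisfied": None},
]


def triage(event: Dict, home_country: str = HOME_COUNTRY) -> Dict:
    """Return a severity and the governance actions for one sign-in record."""
    # Out of scope for the rule: domestic sign-ins and rejected passwords.
    if event["country"] == home_country or not event["password_accepted"]:
        return {"user": event["user"], "severity": "none", "actions": []}

    if event["ca_applied"] and event["mfa_satisfied"]:
        # CA fired and the second factor was completed: informational only.
        return {"user": event["user"], "severity": "informational",
                "actions": ["log"]}

    if event["ca_applied"] and not event["mfa_satisfied"]:
        # Password accepted from abroad but MFA not satisfied: the credential
        # is the likely problem, so alert loudly and contain the account.
        return {"user": event["user"], "severity": "high",
                "actions": ["email_admins", "suspend_user",
                            "require_password_reset", "reset_mfa"]}

    # Assumption: the post does not say what to do when CA never fired for a
    # foreign sign-in; treat it as a gap in policy coverage to be reviewed.
    return {"user": event["user"], "severity": "medium",
            "actions": ["review_ca_policy_coverage"]}


def triage_all(events: List[Dict]) -> Dict[str, str]:
    """Map each user to the severity the rule assigns to their sign-in."""
    return {r["user"]: r["severity"] for r in map(triage, events)}


if __name__ == "__main__":
    for ev in SAMPLE_SIGNINS:
        print(triage(ev))
```

Running the block prints one line per constructed record; bob lands as informational, carol as high, dave as the uncovered "CA never fired" case, and alice and erin are dropped as out of scope.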


David, do you ever run into problems with the user name not displaying and only getting the ID?

Hi Dean,

No, but in all fairness the searching function in the MCAS UEBA is terrible.
You are forced to use the correct syntax of first.second in line with the email address, and from what we have seen there is no way of using wildcard searches either. This is a pretty big omission in our eyes.