MCAS integration with Sentinel - All old alerts generated incidents in sentinel


Hi

I have observed some unusual behaviour from the MCAS and Sentinel integration. Based on the attached screenshot, you can see that there is a bulk of incidents generated in Azure Sentinel that were forwarded from MCAS. Most of these alerts are old (5 months old). Most of these alerts are already closed in MCAS. Not sure why it dumped all the alerts into Sentinel.

[Screenshot: Deepanshu_Marwah_1-1631529237155.png]

This behaviour has been observed a couple of times. Has anyone else faced a similar issue?

 
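The following KQL query is an added example for triaging the situation described in the post; it is not part of the original thread or of Microsoft's documentation. It looks for Sentinel incidents whose underlying MCAS alerts have a StartTime far older than the time they were ingested, which is the signature of a backfill of old alerts. It assumes the standard SecurityAlert and SecurityIncident tables, that MCAS alerts carry ProviderName "MCAS", and that the 30-day staleness threshold and 1-day lookback are placeholders to tune for your tenant.

```kql
// Added example (not from the original post): surface incidents that Sentinel
// created from MCAS alerts whose activity is much older than their ingestion
// time, so a backfill of old, already-closed alerts can be reviewed and closed
// in bulk instead of being worked one by one.
// Assumptions: ProviderName == "MCAS" identifies Cloud App Security alerts;
// lookback and stale_threshold are placeholder values to adjust.
let lookback = 1d;          // window in which the incidents were created
let stale_threshold = 30d;  // alert activity older than this counts as "old"
// Latest state of each incident (SecurityIncident logs every update, so dedupe)
let incidents = SecurityIncident
    | where CreatedTime > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | mv-expand AlertId = AlertIds
    | extend AlertId = tostring(AlertId)
    | project IncidentNumber, Title, Status, Severity, CreatedTime, AlertId;
// MCAS alerts ingested in the same window, with the gap between activity and ingestion
let stale_alerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "MCAS"
    | extend AlertAge = TimeGenerated - StartTime
    | where AlertAge > stale_threshold
    | project SystemAlertId, AlertName, StartTime, AlertAge, IngestedAt = TimeGenerated;
incidents
| join kind=inner stale_alerts on $left.AlertId == $right.SystemAlertId
| summarize StaleAlerts = count(),
            OldestActivity = min(StartTime),
            NewestActivity = max(StartTime)
    by IncidentNumber, Title, Status, Severity, CreatedTime
| order by CreatedTime asc
```

Run it from the Logs blade of the workspace the MCAS connector feeds. A large result set whose OldestActivity values sit months before CreatedTime confirms the backfill pattern rather than genuine new activity; the IncidentNumber column then gives the set to bulk-close, and the summarised counts per hour of CreatedTime (swap the final summarize to bin(CreatedTime, 1h)) show whether the flood is still in progress.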

1 Reply
I have a similar situation today. What's the reason behind it? It triggered around 3K old alerts and still counting.