I already had good experience with Idan Basre, Boris Kacevich and Marina Kidron but I dont know who is responsible for MCAS Cloud Discovery.
I am currently evaluating a PoC with a customer(20k+ devices) for Cloud Discovery with MDATP onboarded devices.
In the picture, you see the current Policies in place. With filtering as in the description plus triggering once per day, per match.
We have a scoped user group with User Enrichment enabled for the PoC User Group implemented.
So the first Policy is triggering correctly, the filter is just risk between 0-3.
But the 2nd, 3rd and 4th doesn`t.
We choose eSub as a shady app to get discovery alerts for specific applications and just added them to the filter as (eSub equals apps and domains, filter preview shows correct match), but we dont see any alerts coming up although there is traffic being simulated and we see the access in the MDATP Timeline.
Can someone explain how the matching is working?
I am open to discuss this in a call, or to join the troubleshoot call at 15:00 German Time together with the customer.