Currently I'm struggling with the first tests in MCAS. I'm executing the tests in my DEV tenant or in a customer tenant. In both I have no possibility to use Defender for Endpoint, so I'm relying on the firewall logs.
I already tested the continuous log file upload via the log collector, but the results are never sufficient. I already found the troubleshooting guide for log parsing errors, but it is not helpful for an "internal error".
Well, the fact is that many firewalls (whether by design or by implementation) do not support identifying the identity of the user. Guess what?!? Neither does MDE integration. MDE is device-centric, as is the approach of using source IP when no user id is available.
Regarding the perspective on visualizing meaningful data, the problem is the fidelity of the original data. It is just flow data about HTTP/S connections. That's it. There is no info about what is actually happening, or even whether that was a place the user navigated to in a browser or was hit via a drive-by ad or something embedded in a page, like a Facebook or Twitter login.