Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

I noted recently how powerful and valuable Microsoft Cloud App Security (MCAS) is, but also how noisy it can make the Azure Sentinel console unless the MCAS policies are tuned correctly.

See: Tuning the Noise Out of MCAS for Azure Sentinel

That post struck a chord with a number of people, so I thought I’d periodically spend some time sharing tuning tips for other services. In this post, though, I’ll stick with another MCAS tuning scenario.

One common example I provided in that original post was tuning how MCAS alerts are grouped. Another big one that customers tend to miss is the number of “System Alerts” or feature or protocol “Deprecation” alerts that MCAS generates. While these contain valuable pieces of information, we shouldn’t force our cyber analysts to take time out of their day to read through the latest MCAS headline about an upcoming feature change. By and large, this information is not valuable to them, nor is it valuable to their efforts to close security gaps in the environment.

And, to top it off, most of these types of alerts are labeled as High Severity in the system.

High Severity System Alert

In the Analytics Rule “Create incidents based on Microsoft Cloud App Security alerts”, do yourself a favor and add “System alert” and “Deprecation” to the list of text exclusions.

Exclude “System alert” and “Deprecation”
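Before saving the exclusions described above, it helps to preview what they would suppress. The following KQL query is an added example, not part of the original post: it lists MCAS alerts in the workspace and flags the ones whose name contains either exclusion string, so you can confirm that only system and deprecation notices are dropped. It assumes MCAS alerts land in the `SecurityAlert` table with `ProductName` set to "Microsoft Cloud App Security" and that the rule matches exclusion text against the alert name; the 30-day lookback is an arbitrary choice.

```kql
// Added example: preview the effect of the two text exclusions.
// Assumptions: MCAS alerts are stored in SecurityAlert with
// ProductName == "Microsoft Cloud App Security", and the analytics rule
// applies exclusion text as a case-insensitive match on the alert name.
let lookback = 30d;   // assumed review window, adjust as needed
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Microsoft Cloud App Security"
// Alerts can be written more than once as they are updated; keep the latest row per alert.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Flag alerts that either exclusion string would remove from incident creation.
| extend WouldExclude = AlertName contains "System alert"
                     or AlertName contains "Deprecation"
// Break down by name and severity to see how many High alerts are pure noise
// and to catch any real detection that happens to match the text.
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
    by WouldExclude, AlertName, AlertSeverity
| order by WouldExclude desc, Alerts desc
```

Review the rows where `WouldExclude` is true: every alert name listed there will stop generating incidents once the exclusions are in place.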

Have specific Excludes you use? Please share. We need to build a best practices list of tuning options.

