MCAS ALERT CABINET EVENT MATCH AUDIT

Development 1 Reputation point
2022-06-20T14:59:32.157+00:00

Hi,

The LogonIp value is filled in for some of the data we pull from the Alert endpoint, and it is empty for some. We can't see the IP, especially in High Severity alerts. What is the reason for this?

Thanks.

Microsoft Graph Explorer API

1 answer

  1. Zehui Yao_MSFT 3,431 Reputation points Microsoft Employee
    2022-06-21T02:39:24.79+00:00

    Hello @Development, according to the introduction in the documentation, the LogonIp property describes the IP address that initiates the login request, regardless of the severity level of the warning. So please check whether the status of the logged-in user is the cause of the logonIp being empty. Hope this helps.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
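
To check the point made in the answer against your own data, the following added example (not part of the original thread or of Microsoft's documentation) tallies alerts by severity and by whether any user state carries a `logonIp`. It assumes the legacy Microsoft Graph alert shape, where `logonIp` sits inside the `userStates` array and `severity` is a top-level field; the sample response and all its values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Graph security alerts response.
# IDs, titles, users and IPs are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "a1", "severity": "high", "title": "Constructed alert 1",
   "userStates": [{"userPrincipalName": "user1@example.com", "logonIp": "203.0.113.10"}]},
  {"id": "a2", "severity": "high", "title": "Constructed alert 2",
   "userStates": [{"userPrincipalName": "user2@example.com", "logonIp": null}]},
  {"id": "a3", "severity": "high", "title": "Constructed alert 3", "userStates": []},
  {"id": "a4", "severity": "medium", "title": "Constructed alert 4",
   "userStates": [{"userPrincipalName": "user3@example.com", "logonIp": ""},
                  {"userPrincipalName": "user4@example.com", "logonIp": "198.51.100.7"}]},
  {"id": "a5", "severity": "low", "title": "Constructed alert 5"}
]}
""")

def classify(alert):
    """Return 'has_ip', 'empty_ip' or 'no_user_state' for one alert."""
    states = alert.get("userStates") or []
    if not states:
        # No user/logon context attached to the alert at all.
        return "no_user_state"
    if any((s.get("logonIp") or "").strip() for s in states):
        return "has_ip"
    # A user state exists, but the provider did not record a logon IP.
    return "empty_ip"

def audit_logon_ip(alerts):
    """Count alerts per severity and per classification."""
    summary = defaultdict(lambda: {"has_ip": 0, "empty_ip": 0, "no_user_state": 0})
    for alert in alerts:
        summary[alert.get("severity", "unknown")][classify(alert)] += 1
    return {sev: dict(counts) for sev, counts in summary.items()}

def alerts_missing_ip(alerts):
    """IDs of alerts without a usable logonIp, for follow-up."""
    return [a["id"] for a in alerts if classify(a) != "has_ip"]

if __name__ == "__main__":
    for sev, counts in audit_logon_ip(SAMPLE_RESPONSE["value"]).items():
        print(sev, counts)
    print("missing:", alerts_missing_ip(SAMPLE_RESPONSE["value"]))
```

Separating `no_user_state` from `empty_ip` shows whether an alert has no logon context at all or has a user state whose IP was simply not recorded.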