Is there a way to automatically add IP addresses from a specific country to a blacklist?


Hi All,

I'm currently experimenting with CAS to see how much automation can be done with the tool. Is there a way to automatically add IP addresses that are failing to authenticate to the blacklist? (Perhaps utilizing CAS with Power Automate) I am trying to avoid using third-party tools and I don't want to have to manually review each alert that is coming from a few countries that have constantly tried to log into user accounts.

 

Thanks in advance!

2 Replies

Did you find a way to do this at all? Would be extremely helpful for us as well. @bryant125 

Hi @Aaron Horna,

My approach for Cloud Apps is to use SSO from AAD whenever possible. Among many other benefits, in Conditional Access you can configure rules that use named locations - which can also be countries.

 

However, an even better approach would be to use Device State (Managed, Compliant) and Session Risks from AAD Identity Protection instead of IP addresses. It's not that hard for an attacker to obtain an IP address from your country.

 

Greetings Chris
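
The country-based named location described in the reply above, as an added example that is not part of the original thread: it uses the Microsoft Graph PowerShell SDK to create a country named location and a Conditional Access policy that blocks sign-ins from it. The country codes, display names and the excluded emergency-access account ID are placeholders chosen for illustration.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders: replace with real ISO 3166-1 alpha-2 codes and the object ID
# of an emergency-access account that must never be locked out.
$blockedCountries = @('XX', 'YY')
$breakGlassId     = '00000000-0000-0000-0000-000000000000'

# 1. Named location made of countries instead of IP ranges.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries (example)'
    countriesAndRegions               = $blockedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy that blocks every sign-in evaluated as coming from that location.
#    Created in report-only mode so the impact can be reviewed first.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-ins from blocked countries (example)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy | Select-Object Id, DisplayName, State
```

In report-only mode the policy result is recorded with each sign-in but nothing is blocked; set `state` to `enabled` once the recorded results match what you expect.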