SOLVED

MCAS Policy Creation


I have noticed an increasing number of accounts being compromised, without generating any alerts I have configured in the Microsoft Cloud App Security portal (i.e. Impossible travel activity).


Is there any way to create an alert policy for "Run Command: task MailItemsAccessed" when it happens outside of the US?

[Screenshot: Capture.JPG]

For example, the activity above would generate an alert because the task MailItemsAccessed occurred in Japan. What would that policy look like in the MCAS portal?


@EASchmitt 


Hi, you could first try changing the sensitivity of the Impossible Travel policy as shown below;


[Screenshot: Screenshot 2020-07-16 at 07.08.08.png]


And then ensure you have your alerts configured as required. Have you tried this already?

@PeterRising I did try this and I haven't seen any additional alerts being generated since. My main concern is the Impossible Travel policy is looking only at actual sign-ins. I believe what I'm looking to configure an alert for is a Task that is being performed in multiple locations that are considered impossible travel, but I have no idea if that is even possible to configure an alert for.

best response confirmed by EASchmitt (Occasional Contributor)
Solution

@EASchmitt 
Does this work for you?

Go to Sunglasses (Investigate) -> Activity log -> Advanced (right corner)

  1. "App" "equals" "Microsoft Exchange Online"
  2. "Activity objects" "Item" "equals" "MailItemsAccessed"
  3. "Location" "does not equal" "United States"

If this works, select -> New policy from search and create your policy.

Other things that help:

  1. In Azure Identity Protection
    1. Make sure you have a good policy for "User Risk Policy" and "Sign-in risk policy"
    2. https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/UserPolicy
  2. MFA w/conditional access policies
    1. Include:
      1. For all users
    2. Exclude:
      1. Backup Failsafe account
    3. CloudApps:
      1. Office 365 Preview
      2. Azure Management
    4. Conditions:
      1. Sign-in risk- High, Medium
      2. (Assuming no-one is using legacy auth methods) Client apps- Select All.
    5. Grant Access
      1. Require MFA.
  3. Prevent legacy auth with or without conditional access.
    1. (via Exchange Online PowerShell) For users not using legacy methods (exclude service accounts using internal email services)
      1. Connect-EXOPSSession -UserPrincipalName [insert your email or admin email]
        1. Sign in.
      2. Create a policy that blocks every Basic Auth protocol: New-AuthenticationPolicy "MFA Required" -AllowBasicAuthPop:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthImap:$false -AllowBasicAuthWebServices:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthMapi:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthActiveSync:$false
      3. Assign it per user: Set-User -Identity "User's actual name like 'John Smith'" -AuthenticationPolicy "MFA Required"
    2. For service accounts (set as needed; example leaves only SMTP/IMAP Basic Auth enabled)
      1. New-AuthenticationPolicy "Legacy Service Accounts" -AllowBasicAuthPop:$false -AllowBasicAuthSmtp -AllowBasicAuthImap -AllowBasicAuthWebServices:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthMapi:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthActiveSync:$false
      2. Set-User -Identity "HP-MFP-0120" -AuthenticationPolicy "Legacy Service Accounts"
      3. I'd recommend considering moving any accounts like a copier or scanner out of the Office 365 environment and into Amazon SES if possible.

Hope this helps.
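As an added example (not code from the thread or from MCAS), the three activity-log filters above expressed as detection logic over constructed audit-style records, plus the activity-based impossible-travel check the original poster asked about (same user, same operation, different country within a short window). The record field names, the sample events and the two-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Exchange Online audit / MCAS
# activity entries, trimmed to the fields the filters need. Not real data.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Microsoft Exchange Online",
     "operation": "MailItemsAccessed", "country": "United States",
     "time": "2020-07-15T13:00:00"},
    {"user": "alice@example.com", "app": "Microsoft Exchange Online",
     "operation": "MailItemsAccessed", "country": "Japan",
     "time": "2020-07-15T13:40:00"},
    {"user": "bob@example.com", "app": "Microsoft Exchange Online",
     "operation": "MailItemsAccessed", "country": "United States",
     "time": "2020-07-15T14:00:00"},
    {"user": "bob@example.com", "app": "Microsoft Exchange Online",
     "operation": "FileAccessed", "country": "Japan",
     "time": "2020-07-15T14:10:00"},
]


def outside_home_country(events, app="Microsoft Exchange Online",
                         operation="MailItemsAccessed", home="United States"):
    """Mirror of the MCAS filter: App equals <app>, Activity object Item
    equals <operation>, Location does not equal <home>."""
    return [e for e in events
            if e["app"] == app and e["operation"] == operation
            and e["country"] != home]


def activity_impossible_travel(events, operation="MailItemsAccessed",
                               window=timedelta(hours=2)):
    """Per user, flag <operation> performed from a different country than
    the previous <operation> within `window`. Simplified on purpose: any
    country change inside the window counts, no distance/speed estimate."""
    hits = []
    last = {}  # user -> (time, country) of the most recent matching event
    matching = [e for e in events if e["operation"] == operation]
    for e in sorted(matching, key=lambda x: x["time"]):
        t = datetime.fromisoformat(e["time"])
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"] and t - prev[0] <= window:
            hits.append((e["user"], prev[1], e["country"], t - prev[0]))
        last[e["user"]] = (t, e["country"])
    return hits


if __name__ == "__main__":
    print(outside_home_country(SAMPLE_EVENTS))      # alice's Japan access
    print(activity_impossible_travel(SAMPLE_EVENTS))  # alice: US -> Japan in 40 min
```

Bob's Japan record is FileAccessed, not MailItemsAccessed, so neither check fires for him; that is the same effect the "Activity objects / Item equals" filter has in the portal.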

@Jonathan Green Thank you! I was just able to circle back around to this and the first part did exactly what I was looking for.

@EASchmitt

Glad I could help! :smile: