Jul 01 2019 01:52 AM
We currently have a policy checking for "Successful login from outside Australia".
This was working fine until we added the Azure ATP integration - then we started seeing lots of reports from "Internal IP" addresses in the 10.x.x.x range. This has largely been resolved by adding these IP address ranges to the list of IP addresses and enabling the "Override" for location and setting that to Australia.
However, as this customer now enables Azure MFA for any/all Users needing/wanting access from outside Australia this has now made the Policy/Alert somewhat redundant - Question: Is it possible to take this current Alert and have it figure out if CA and MFA have been applied? *IF* Applied correctly - no Alert, *IF* NOT Applied then raise a High Level incident/Alert.
Is this possible? It looks like it might need to head to Flow to find out?
Or is this something that can be driven by Sentinel?
Is there any other easier way of achieving this?
Jul 04 2019 06:33 AM
Solution
Hi @David Caddick,
Thanks for contacting us. Instead of adding the internal IP list, you could exclude "Active Directory" (Azure ATP) from the app list in your activity policy.
To answer your question, this is not possible at the moment but we are looking at providing visibility on the MFA status during a logon. We are still researching but this could indeed be a great scenario!
Thanks
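To show what the requested check would look like once CA and MFA status are visible per sign-in (the answer above says that is not exposed in the activity policy yet), here is an added example that is not code from the thread, from MCAS or from Microsoft. It assumes sign-in records in the shape of the Microsoft Graph signIn resource (fields `ipAddress`, `appDisplayName`, `status.errorCode`, `location.countryOrRegion`, `conditionalAccessStatus`, `authenticationRequirement`), that the "Internal IP" ranges are 10.0.0.0/8, that the Azure ATP source appears with the app name "Active Directory", and that the home country is Australia; the sample records are constructed. It applies the two rules from the thread (exclude the Azure ATP app, treat 10.x as Australia) and then raises a High alert only when a successful sign-in from outside Australia did not have Conditional Access applied and MFA satisfied.

```python
import ipaddress
from typing import Optional

# Assumptions for this example (not stated by the thread): home country is AU,
# "Internal IP" means 10.0.0.0/8, and Azure ATP shows up as app "Active Directory".
HOME_COUNTRY = "AU"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDED_APPS = {"Active Directory"}

# Constructed sample sign-ins (Graph signIn-style fields; values are made up).
SAMPLE_SIGNINS = [
    # Azure ATP noise from an internal address: excluded by app name.
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "10.1.2.3",
     "appDisplayName": "Active Directory", "status": {"errorCode": 0},
     "location": {"countryOrRegion": None}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
    # Internal address, no country resolved: location override makes it AU.
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "10.5.6.7",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0},
     "location": {"countryOrRegion": None}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
    # Public address inside Australia: in policy scope, nothing to alert on.
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "AU"}, "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication"},
    # Outside Australia, CA applied and MFA satisfied: the case that should stay quiet.
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "198.51.100.20",
     "appDisplayName": "SharePoint Online", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication"},
    # Outside Australia, CA not applied, single factor: High alert.
    {"userPrincipalName": "eve@contoso.example", "ipAddress": "192.0.2.30",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "SG"}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
    # Failed sign-in: out of scope for a "successful login" policy.
    {"userPrincipalName": "frank@contoso.example", "ipAddress": "192.0.2.40",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
    # CA matched but did not require MFA: still an alert, with the reason spelled out.
    {"userPrincipalName": "grace@contoso.example", "ipAddress": "192.0.2.50",
     "appDisplayName": "SharePoint Online", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB"}, "conditionalAccessStatus": "success",
     "authenticationRequirement": "singleFactorAuthentication"},
    # Public address with no resolved country: treated as not-home, not silently dropped.
    {"userPrincipalName": "hank@contoso.example", "ipAddress": "192.0.2.60",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "location": {"countryOrRegion": None}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
]


def effective_country(rec: dict) -> Optional[str]:
    """Country of the sign-in after the thread's location override:
    internal (10.x) addresses are treated as the home country."""
    try:
        ip = ipaddress.ip_address(rec.get("ipAddress", ""))
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in INTERNAL_NETS):
        return HOME_COUNTRY
    return (rec.get("location") or {}).get("countryOrRegion")


def evaluate(rec: dict) -> Optional[dict]:
    """Return a High alert for a successful non-home sign-in without CA+MFA, else None."""
    if (rec.get("status") or {}).get("errorCode", 0) != 0:
        return None  # not a successful login
    if rec.get("appDisplayName") in EXCLUDED_APPS:
        return None  # Azure ATP activity excluded, as the answer suggests
    country = effective_country(rec)
    if country == HOME_COUNTRY:
        return None
    ca_applied = rec.get("conditionalAccessStatus") == "success"
    mfa_done = rec.get("authenticationRequirement") == "multiFactorAuthentication"
    if ca_applied and mfa_done:
        return None  # CA applied correctly and MFA satisfied: no alert
    reasons = []
    if country is None:
        reasons.append("location unknown")
    if not ca_applied:
        reasons.append(f"conditionalAccessStatus={rec.get('conditionalAccessStatus')}")
    if not mfa_done:
        reasons.append(f"authenticationRequirement={rec.get('authenticationRequirement')}")
    return {"severity": "High", "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"), "country": country, "reasons": reasons}


def run(records) -> list:
    """Evaluate every record and return the alerts raised."""
    return [a for a in (evaluate(r) for r in records) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_SIGNINS):
        print(alert)
```

Two design points worth noting. A sign-in with no resolved country and a non-internal address is alerted on rather than dropped, because a location lookup failure should not silently widen the allow list. And a sign-in where Conditional Access reports success but the authentication requirement was single factor is still flagged, since "CA applied" on its own does not prove MFA was enforced.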
Jul 04 2019 06:50 AM
Thanks @Sebastien Molendijk
Can it not be achieved via Flow possibly?
But it would be great if you could possibly pull in CA rules and MFA success - but then I guess this might also be able to be achieved in Azure Sentinel.
I really like the rich context that comes through on the MCAS, but it seems that MS is missing a few items?
Jul 07 2019 07:56 AM
@Sebastien Molendijk just wondering if you might have anyone attending the RSA Conference in Singapore from the 15th-18th July? Keen to have a deeper conversation if there are any MCAS folks there?