Filtering Alerts for Activity type ElevateAccess Microsoft.Authorization


Hello guys


I was playing around with Microsoft Defender for Cloud Apps and Power Automate and created a policy in MDCA for detecting the usage of the elevate access option in Azure Active Directory.

The problem I'm having is that when the policy for that activity is triggered, it creates two alerts: one with the description "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Started" and one with "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Succeeded".

That in itself wouldn't be a problem, but if the policy is connected to a Power Automate Flow, said Flow triggers twice for basically the same event.

Now my question is whether any of you have an idea how to solve this problem. I tried filtering on the activity objects the alert provides, but that didn't work.


Best regards,


thezero

2 Replies
The only solution I can think of is to extract the additional activity data from the alert's 'entities' field and then use some Power Automate logic to act only when it is the second event, which is the success indicator.
Sadly, the Cloud App Security trigger in Power Automate doesn't provide the data from the alert's entities field, and I don't know how else I would retrieve that data.
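One way to implement the "act only on the second event" idea from the first reply without the entities field is to parse the alert description text itself, as in this added example (not code from the thread or from Microsoft); it assumes the flow hands alerts to a script as dicts with a 'description' key, and the sample alerts below are constructed to mirror the pair quoted in the question.

```python
import re
from dataclasses import dataclass

# Shape of the description strings quoted in the thread, e.g.
# "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Succeeded"
# (the colon is optional because the first variant quoted in the question lacks it)
DESCRIPTION_RE = re.compile(
    r"^(?P<operation>\S+)\s+(?P<provider>[\w.]+):?\s*resource\s+"
    r"(?P<resource>\S+)\s+-\s+(?P<status>\w+)$"
)


@dataclass(frozen=True)
class AlertEvent:
    operation: str   # e.g. ElevateAccess
    provider: str    # e.g. Microsoft.Authorization
    resource: str    # e.g. /providers/Microsoft.Authorization
    status: str      # Started / Succeeded / Failed


def parse_description(description: str) -> "AlertEvent | None":
    """Split an alert description into its parts; None if it has another shape."""
    m = DESCRIPTION_RE.match(description.strip())
    if m is None:
        return None
    return AlertEvent(m["operation"], m["provider"], m["resource"], m["status"])


def select_actionable(alerts: list) -> list:
    """Keep only the 'Succeeded' alert of each Started/Succeeded pair.
    Pair key is (operation, provider, resource); a real flow would prefer the
    underlying activity id if the trigger exposed one (assumed not available)."""
    seen = set()
    actionable = []
    for alert in alerts:
        event = parse_description(alert.get("description", ""))
        if event is None or event.status.lower() != "succeeded":
            continue  # drop Started, Failed and unrelated alerts
        key = (event.operation, event.provider, event.resource)
        if key in seen:
            continue  # a second Succeeded alert for the same activity
        seen.add(key)
        actionable.append(alert)
    return actionable


# Constructed sample alerts mirroring the pair described in the question
SAMPLE_ALERTS = [
    {"id": "a1", "description": "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Started"},
    {"id": "a2", "description": "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Succeeded"},
    {"id": "a3", "description": "Some other policy matched"},
]
```

Running `select_actionable(SAMPLE_ALERTS)` keeps only alert `a2`, so a flow gated on this result fires once per elevation instead of twice.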