Nov 08 2021 08:18 AM
Hello guys
I was playing around with Microsoft Defender for Cloud Apps and Power Automate and created a policy in MDCA for detecting the usage of the elevate access option in Azure Active Directory.
The problem I'm having is that when the policy for that activity is triggered, it creates two alerts: one with the description "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Started" and one with "ElevateAccess Microsoft.Authorization: resource /providers/Microsoft.Authorization - Succeded".
That in itself wouldn't be a problem, but if the policy is connected with a Power Automate Flow, said Flow triggers two times for basically the same event.
Now my question is if any of you have an idea on how to solve this problem? I tried filtering for the activity objects the alert provides but that didn't work.
Best regards
thezero