Request user validation to reduce your SOC workload in Cloud App Security
Welcome to Automation in Cloud App Security by @Caroline_Lee & @Sebastien Molendijk
This is the first post in the “Automation in Cloud App Security” series, where we’ll cover different features of Cloud App Security by showcasing common use cases and advanced solutions, and share what we’ve learned from customers who are actively using the product. Each post will be paired with a video walking through the flow and how to use it in MCAS. This post covers how to auto-remediate Information Protection alerts with Power Automate.
Companies now store their data across many different cloud applications. The problem is keeping track of what is being shared, who has access to it, and how to keep sensitive files from leaking. In a large organization where thousands of users are constantly uploading, downloading and sharing files, it is hard to keep track and to take action when needed. This is where catching and resolving alerts through Information Protection in Microsoft Cloud App Security (MCAS) enters the picture.
Imagine an employee sending a time-sensitive presentation to a contractor to finish, but the moment the contractor opens the file they are locked out because a file policy has made it private. We have all been in this situation and know how frustrating it is, and that frustration pushes people toward workarounds that can put sensitive data at greater risk.
With Power Automate connected to MCAS, instead of automatically making the file private we can configure a workflow that emails the employee who shared the file and asks them to confirm whether it may be shared. This gives the decision back to the business, which has the context to make it, rather than to an IT department handling such requests with little or no context.
The workflow also educates users on safe data practices, since many data leaks happen because people are unaware of what they are sharing.
Before we go into the Power Automate flow, let’s quickly review governance actions. Cloud App Security connects to a number of applications through API-based app connectors, which give us more control and visibility over those apps: making files private, removing external users, quarantining files, or applying Azure Information Protection labels. These actions are a one-size-fits-all approach, though, and for some policies they are not the right fit. Instead, we can send the alerts to Power Automate, where the possibilities go far beyond what the API connectors offer on their own.
In Power Automate you can configure flows that request additional user validation by email, create ServiceNow or Jira tickets, send emails whose content depends on conditions, and much more. Power Automate integrates with over 250 applications, so there are many different solutions you can build.
- In MCAS, navigate to Settings and click “Security extensions.”
- Click the blue “+” button to generate an API token and URL.
Note: Keep the token and URL in a safe place (a secret store, not a flow definition or a script). The token is not tied to Power Automate: anyone who obtains it can call the MCAS API with the permissions of the account that generated it. If it leaks, delete it from the same Security extensions page and generate a new one.
- After creating the token, go to Power Automate, create a new flow and choose the Cloud App Security trigger.
- Enter a connection name and the API key generated in MCAS, choose an action, and save the flow.
- Back in MCAS, open the “Playbooks” tab, where you can see all the flows you have configured in Power Automate.
Let’s take a look at an example.
Remove sensitive file sharing after requesting user validation
We’ll create a new file policy that looks for credit card numbers and Social Security numbers in files that are publicly shared, scoped to a specific user (handy for testing). Instead of attaching a governance action to this policy, we send its alerts to the flow we created in Power Automate.
In the MCAS alerts, we can see the file from the specified user that triggered an alert for public sharing of credit card information. From the end-user perspective, the user receives a validation request by email and can take action based on the options configured in the flow.
After the user picks an option and we navigate back to MCAS, the alert has been resolved by the flow. Resolving alerts through the flow lets administrators focus on the alerts in their environment that actually need a human. The action is also recorded in the governance log, so administrators keep visibility into the actions taken in their cloud environment.
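To make the flow’s behaviour concrete, here is the same logic written out as plain Python. This is an added example, not code from the original post or from Microsoft; the Power Automate flow itself has no code. It walks the steps above end to end: take the alert the Cloud App Security trigger hands over, work out which user to email, map the user’s answer to a governance action, and build the MCAS REST call that resolves the alert with the token generated under Security extensions. The alert field names, the `/api/v1/alerts/resolve/` request shape and the 48-hour deadline are assumptions for this example; the sample alert is constructed. One design choice worth copying into the real flow: it fails closed, so no answer, a late answer or an unexpected value all result in the file being made private, which is what the governance action would have done anyway.

```python
"""Added example (not from the original post or from Microsoft): the decision
logic of the "request user validation" playbook as plain Python, so it can be
read and tested outside Power Automate.  Alert field names, the
/api/v1/alerts/resolve/ request shape and the fail-closed deadline are
assumptions; check them against the MCAS API reference for your tenant."""
import json
import os
import urllib.request
from datetime import datetime, timedelta

# Constructed sample alert, shaped like an MCAS file-policy alert (assumed schema).
SAMPLE_ALERT = json.dumps({
    "_id": "5f3c1a2b4c5d6e7f8a9b0c1d",
    "title": "Publicly shared file contains credit card numbers",
    "severity": "HIGH",
    "policyRule": {"id": "pol-0001", "label": "Public sharing of PCI data"},
    "entities": [
        {"type": "file", "id": "file-42", "label": "Q3-forecast.xlsx"},
        {"type": "user", "id": "alice@contoso.example", "label": "Alice"},
    ],
})

APPROVE = "Sharing is required"   # the two buttons in the validation email
REVOKE = "Remove sharing"


def parse_alert(raw):
    """Extract the alert id, the file and the sharing user from the alert JSON."""
    alert = json.loads(raw)
    by_type = {e["type"]: e for e in alert.get("entities", [])}
    if "file" not in by_type or "user" not in by_type:
        raise ValueError("alert carries no file/user entity; nobody to ask")
    return {
        "alert_id": alert["_id"],
        "file": by_type["file"]["label"],
        "user": by_type["user"]["id"],
        "policy": alert["policyRule"]["label"],
    }


def validation_email(parsed, deadline_hours):
    """The 'send email with options' step: the buttons are the only input the user controls."""
    return {
        "to": parsed["user"],
        "subject": f"Confirm public sharing of {parsed['file']}",
        "body": (f"Policy '{parsed['policy']}' found {parsed['file']} shared publicly. "
                 f"Answer within {deadline_hours} hours or sharing will be removed."),
        "options": [APPROVE, REVOKE],
    }


def _ts(iso):
    """Power Automate hands timestamps over as ISO-8601 strings; None means no answer."""
    return datetime.fromisoformat(iso) if iso else None


def decide(answer, sent_at, answered_at, deadline_hours=48):
    """Map the answer to a governance action.  Fails closed: no answer, a late
    answer or an unexpected value all make the file private."""
    sent, answered = _ts(sent_at), _ts(answered_at)
    in_time = answered is not None and answered - sent <= timedelta(hours=deadline_hours)
    if answer == APPROVE and in_time:
        return {"action": "resolve_alert", "comment": "Owner confirmed sharing is required"}
    return {"action": "make_private", "comment": "No timely confirmation from owner; sharing removed"}


def build_resolve_request(base_url, alert_id, comment, token=None):
    """Build the MCAS API call that closes the alert (assumed endpoint shape).
    The token is read from the environment, never hardcoded: it acts with the
    permissions of the admin who generated it under Settings > Security extensions."""
    token = token or os.environ.get("MCAS_API_TOKEN")
    if not token:
        raise RuntimeError("MCAS_API_TOKEN is not set")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/api/v1/alerts/resolve/",
        "headers": {"Authorization": "Token " + token, "Content-Type": "application/json"},
        "json": {"filters": {"id": {"eq": [alert_id]}}, "comment": comment},
    }


def send(req):
    """Perform the call (network; not exercised by the offline walkthrough below)."""
    data = json.dumps(req["json"]).encode()
    http = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http, timeout=30) as resp:
        return resp.status


def run_playbook(raw_alert, answer, sent_at, answered_at, deadline_hours=48):
    """One pass of the flow; returns the record an admin would expect in the governance log."""
    parsed = parse_alert(raw_alert)
    email = validation_email(parsed, deadline_hours)
    decision = decide(answer, sent_at, answered_at, deadline_hours)
    return {"alert_id": parsed["alert_id"], "asked": email["to"], "answer": answer, **decision}


if __name__ == "__main__":
    sent = "2020-06-01T09:00:00+00:00"
    print(run_playbook(SAMPLE_ALERT, APPROVE, sent, "2020-06-01T11:00:00+00:00"))
    print(run_playbook(SAMPLE_ALERT, None, sent, None))
```

Run it as a script to see both outcomes: a prompt confirmation resolves the alert, while silence makes the file private. In the real flow the same two branches sit behind the condition on the email response, and the comment strings are what end up in the governance log.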
Note: The flow templates are currently being added to the Power Automate gallery; follow our posts for status updates.
That wraps up the first post on auto-remediating alerts in Cloud App Security. Our next post will cover auto-remediating infrequent-country alerts. Feel free to comment below with topics you'd like to see. Stay tuned!