By @Caroline_Lee & @Sebastien Molendijk
Welcome to our third post in the Automation in Cloud App Security blog series. If you are a new reader joining us for the first time, I encourage you to go check out our last two posts (https://aka.ms/MCAS/Auto-Blog & https://aka.ms/MCAS/Auto-Triage). In this series, we showcase various Power Automate flows that help to mitigate advanced customer scenarios we see today in Microsoft Cloud App Security (MCAS).
In today’s post, Seb & I will go over a new Power Automate template that will send alerts to a user’s manager requesting for action. By sending the alert details to the manager, they can make the decision to ignore the alert, disable the user or request an investigation. This helps to take to the load off the Security team by asking the manager to validate the alert instead. Another benefit sending the alert to the user’s manager versus the SOC team is they’re able to verify with the user if the alert is a false or true positive.
This flow can be tweaked for any given policy but for the sake of this post we will focus on the multiple failed login attempts policy. If you’re unfamiliar with how this policy works, check out our built-in anomaly detection policies. We’ll start by gathering a couple of details: the user profile and the manager information for that user. When an alert is triggered for a given user, the flow will send an email to the user’s manager requesting for input. There are a couple of options they can choose from:
By giving the manager the ability to take action, this can help with the volume of alerts that are generated in MCAS; allowing the security teams to focus on ones that are true positives. All of our flow templates can be found in this Github respository: https://github.com/microsoft/Microsoft-Cloud-App-Security/tree/master/Playbooks. Let us know if you all have any feedback after trying this flow out. What other scenarios would you like us to cover? Feel free to comment below!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.