Welcome back to the Automation in Cloud App Security series with Sebastien & Caroline. For those of you who are reading for the first time, this series covers advanced scenarios for our Microsoft Cloud App Security (MCAS) users; providing Power Automate flows to solve the most common customer asks the Customer Experience team sees today.
Go check out our first blog to see how we auto-remediated information protection alerts https://aka.ms/MCAS/Auto-Blog. In today’s post, we will be covering how to use Power Automate in Cloud App Security to dismiss Infrequent Country alerts.
The Infrequent Country Alert in Cloud App Security is a popular detection for many companies. The alert triggers when there is sign-in activity outside of normal user locations. For example, imagine you have an employee who normally works out of the New York corporate office but then you see there is a sign-in activity for that person from China, you probably want to investigate this type of alert. In MCAS, you can tune the policy by scoping it to specific users, groups and by the type of sign in activity (see below template).
Activity from infrequent country template in MCAS
We’ve also recently published an anomaly detection alerts investigation guide to aid administrators in distinguishing true positives vs. benign true positives vs. false positives.But what about when employees go on vacation? Or are travelling outside of the country for work? How do you manage the volume of alerts especially for large enterprises?
We have developed a new flow in Power Automate to answer these questions. If you haven’t configured a Power Automate Flow in MCAS before, check out these steps in our documentation. So, how does this flow work? Essentially, when an infrequent country alert gets triggered, we’ll send it to Power Automate. In the flow, it will look at a couple of different details:
The user profile (job title, department, email address, etc.)
If the user has an out of office (OOO) message enabled
Any groups the user is a part of
Based off these details, we can set conditions to auto-resolve the alert or request further investigation. The logic will be: If the user has an OOO message, then resolve the alert. You could also add more conditions around the user groups. For example, if you have a user who is part of a sensitive group such as Security Administrators, you could add logic to say if the user has no OOO message and is in the Security Admin group, then you may want to investigate the alert.
As folks start to take leave for vacation or staycation, this flow could help to save time in the alert investigation as admins will be able to focus on the most critical activities and lessen the sheer volume of alerts seen in MCAS. Keep an eye out for our next post and comment below if there are any other topics you’d like us to cover!