Split an MCAS Alert to get the notification you need

Split an Alert

We like severe alerts delivered to channels in Microsoft Teams, where they can be reviewed quickly. Sometimes I also want low severity alerts, but I want those to stay within Microsoft Cloud App Security (MCAS) as informational. A single MCAS policy can't do this: it doesn't differentiate between low and high severity for us. So when we want both low and high severity alerts, we have to split the policy into two policies, each with its own threshold and its own decision on whether to send the alerts it generates. That way we can be alerted on both low- and high-risk events.

Activity from Anonymous IP policy

Let's say that you have some users whose VPN connections trigger the Activity from anonymous IP addresses policy. We don't want to be alerted when they log in via anonymous IPs. We only want alerts for unexpected users on VPN, and we want the alerts for our expected anonymous IP users to be informational rather than severe.

For the policy that alerts on anonymous IP usage (the default policy), we add an exclusion filter so that the users we expect to use an anonymous VPN don't throw alerts. In the image below I've added a filter to exclude the group of users we expect to use VPN.

Now when we get an alert from this policy, we'll know that someone we haven't authorized is using VPN to attempt access to our network. We can then choose to have an automatic action taken, like signing the user out or suspending the account.

However, I’m a little worried about giving a blank check to our known anonymous IP users because while it could be them, it could also be an intruder attacking their account. For this I would create an identical rule and reverse it so that in the Include section I would put my VPN user group (HCS Technical in the figure above) and make it informational rather than raising a higher alert into our Teams channel.

Using this method, I've set up MCAS to send me two levels of alert: a severe alert delivered to our Teams channel when an unauthorized user uses VPN, and an informational alert when an authorized user uses VPN.
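To make the two-policy design concrete, here is an added example (mine, not from the post or from Microsoft) that models both policies as include/exclude filters, routes constructed sample activities, and checks that every anonymous-IP activity lands in exactly one policy; the activity fields and the Activity/Policy types are assumptions, and only the group name comes from the post.

```python
# Added example: models the two complementary MCAS "Activity from anonymous IP
# addresses" policies described in the post. Not MCAS code; the data model is assumed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Group name as shown in the post's screenshot of the exclusion filter.
VPN_GROUP = "HCS Technical"


@dataclass
class Activity:
    user: str
    anonymous_ip: bool          # would MCAS tag this sign-in as an anonymous IP?
    groups: FrozenSet[str]      # group memberships of the user


@dataclass
class Policy:
    name: str
    severity: str
    deliver_to: str                         # "teams" for severe, "mcas" for informational
    include_group: Optional[str] = None     # fire only for members of this group
    exclude_group: Optional[str] = None     # never fire for members of this group

    def matches(self, act: Activity) -> bool:
        if not act.anonymous_ip:
            return False
        if self.include_group and self.include_group not in act.groups:
            return False
        if self.exclude_group and self.exclude_group in act.groups:
            return False
        return True


# The default policy with the exclusion filter, plus its reversed twin.
POLICIES = [
    Policy("Anonymous IP - unexpected user", "High", "teams", exclude_group=VPN_GROUP),
    Policy("Anonymous IP - expected VPN user", "Informational", "mcas", include_group=VPN_GROUP),
]


def route(act: Activity) -> List[Tuple[str, str]]:
    """Return (severity, destination) for each policy the activity triggers."""
    return [(p.severity, p.deliver_to) for p in POLICIES if p.matches(act)]


def check_complementary(activities: List[Activity]) -> bool:
    """Sanity check: each anonymous-IP activity must hit exactly one policy (no gaps, no duplicates)."""
    return all(len(route(a)) == 1 for a in activities if a.anonymous_ip)


# Constructed sample activities (not real sign-in data).
SAMPLES = [
    Activity("alice", True, frozenset({VPN_GROUP})),   # expected VPN user -> informational
    Activity("bob", True, frozenset()),                # unexpected anonymous IP -> Teams
    Activity("carol", False, frozenset({VPN_GROUP})),  # ordinary sign-in -> no alert
]
```

If you later add a third filter to one policy, rerun `check_complementary` so the two policies stay mirror images and no anonymous-IP activity silently falls through.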
