Reducing the number of false positive in MCAS

MCAS can generate a lot of alerts, fortunately it’s trainable. We can reduce the number of alerts that we don’t care about using several methods but one that it often overlooked is something that should be part of your standard setup of MCAS.

Enrich the data

Microsoft calls this data enrichment. In MCAS, you have two data enrichment options. One of them is to add user groups so that you can exempt a group of users from a policy or only apply a policy to a group of users. The other enrichment, which I think more closely follows the definition of an enrichment, is to provide MCAS with a list of IP addresses that you trust.

Data enrichment options

 ‘Data Enrichment’ is actually located under the gear icon next to your name when you’re logged into CAS. Click the ‘IP address ranges’ option and then add your trusted IP addresses. This will make your policies ignore any access activity from those locations.

Add user groups to MCAS

When adding user groups to MCAS you’ll find that you can import groups from Azure AD and also that MCAS creates a few groups automatically. In the figure above, you’ll see that MCAS has create a group for External users, Administrators and monitored Applications. What you can’t do is create a group here. You’ll need to first create them in Azure AD and then import them into MCAS.

Getting MCAS setup should have been your first task but if you missed it, enriching the data will help you train MCAS, reduce the number of false positives and purely information alerts.

All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Kits, papers, MSP training and more.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.