MCAS can generate a lot of alerts; fortunately, it's trainable. There are several ways to reduce the number of alerts you don't care about, but one that is often overlooked should be part of your standard MCAS setup.
Enrich the data
Microsoft calls this data enrichment. In MCAS, you have two data enrichment options. One of them is to add user groups so that you can exempt a group of users from a policy or only apply a policy to a group of users. The other enrichment, which I think more closely follows the definition of an enrichment, is to provide MCAS with a list of IP addresses that you trust.
‘Data Enrichment’ is actually located under the gear icon next to your name when you’re logged into CAS. Click the ‘IP address ranges’ option and then add your trusted IP addresses. This will make your policies ignore any access activity from those locations.
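Because policies ignore every access from a trusted range, the list deserves a sanity check before it is pasted into 'IP address ranges'. The following is an added example, not code from the original post or from Microsoft: it rejects malformed entries, private address space that a cloud app will never see as a source address, ranges wider than an assumed house limit, and entries that overlap one already accepted. The sample list and the /24 and /64 limits are constructed for the example.

```python
import ipaddress

# Constructed sample of what an admin might paste into MCAS 'IP address ranges'.
# TEST-NET documentation blocks (RFC 5737) stand in for public egress addresses.
CANDIDATE_RANGES = [
    "203.0.113.0/24",     # office egress range
    "203.0.113.128/25",   # already covered by the office range
    "198.51.100.7/32",    # single VPN concentrator address
    "10.0.0.0/8",         # RFC 1918: never a source address seen by a cloud app
    "198.51.0.0/16",      # far wider than any office actually uses
    "not-an-address",     # typo
]

# Address space that cannot be the source of traffic reaching a SaaS app;
# entries overlapping it are dead weight in the trusted list.
NON_ROUTABLE = [ipaddress.ip_network(b) for b in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Widest prefix accepted as 'trusted' per address family. An assumed house
# rule for this example, not a limit MCAS itself enforces.
MIN_PREFIXLEN = {4: 24, 6: 64}

def review_trusted_ranges(candidates, min_prefixlen=MIN_PREFIXLEN):
    """Split candidate ranges into those safe to import and those to fix.

    Returns (accepted, findings): accepted is a list of CIDR strings,
    findings a list of (entry, reason) pairs explaining each rejection.
    """
    accepted, findings = [], []
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "malformed"))
            continue
        if any(net.overlaps(block) for block in NON_ROUTABLE):
            findings.append((raw, "non-routable address space"))
            continue
        if net.prefixlen < min_prefixlen[net.version]:
            findings.append((raw, f"wider than /{min_prefixlen[net.version]}"))
            continue
        clash = next((a for a in accepted if net.overlaps(a)), None)
        if clash is not None:
            findings.append((raw, f"overlaps {clash.with_prefixlen}"))
            continue
        accepted.append(net)
    return [n.with_prefixlen for n in accepted], findings

if __name__ == "__main__":
    ok, problems = review_trusted_ranges(CANDIDATE_RANGES)
    print("import:", ok)
    for entry, reason in problems:
        print(f"fix:    {entry!r}: {reason}")
```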
When adding user groups to MCAS you'll find that you can import groups from Azure AD, and also that MCAS creates a few groups automatically. In the figure above, you'll see that MCAS has created groups for External users, Administrators and Monitored applications. What you can't do is create a group here. You'll need to create them in Azure AD first and then import them into MCAS.
Getting MCAS set up should have been your first task, but if you missed it, enriching the data will help you train MCAS and reduce the number of false positives and purely informational alerts.
All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Kits, papers, MSP training and more. https://www.thirdtier.net