This article is contributed. See the original author and article here.
By Caroline Lee & Sebastien Molendijk
Welcome to our third post in the Automation in Cloud App Security blog series. If you are a new reader joining us for the first time, I encourage you to go check out our last two posts (https://aka.ms/MCAS/Auto-Blog & https://aka.ms/MCAS/Auto-Triage). In this series, we showcase various Power Automate flows that help to mitigate advanced customer scenarios we see today in Microsoft Cloud App Security (MCAS).
In today’s post, Seb & I will go over a new Power Automate template that will send alerts to a user’s manager requesting for action. By sending the alert details to the manager, they can make the decision to ignore the alert, disable the user or request an investigation. This helps to take to the load off the Security team by asking the manager to validate the alert instead. Another benefit sending the alert to the user’s manager versus the SOC team is they’re able to verify with the user if the alert is a false or true positive.
This flow can be tweaked for any given policy but for the sake of this post we will focus on the multiple failed login attempts policy. If you’re unfamiliar with how this policy works, check out our built-in anomaly detection policies. We’ll start by gathering a couple of details: the user profile and the manager information for that user. When an alert is triggered for a given user, the flow will send an email to the user’s manager requesting for input. There are a couple of options they can choose from:
- Dismiss Alert: this will dismiss the alert in Cloud App Security
- Disable User: this will disable the user in AzureAD
- Request an investigation: this will send a message to a SOC teams channel with the incident details
By giving the manager the ability to take action, this can help with the volume of alerts that are generated in MCAS; allowing the security teams to focus on ones that are true positives. All of our flow templates can be found in this Github respository: https://github.com/microsoft/Microsoft-Cloud-App-Security/tree/master/Playbooks. Let us know if you all have any feedback after trying this flow out. What other scenarios would you like us to cover? Feel free to comment below!
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.