Resolve-McasInfrequentCountryAlerts
author: Sebastien Molendijk - Microsoft
This playbook automatically resolves Microsoft Cloud App Security (MCAS) Infrequent Country alerts based on several criteria, such as:
- The user out-of-office status
- The user group membership
- The user risk level status in Azure AD
Requirements
This playbook uses an API token to close the alert in MCAS, and an AAD service principal with the required permissions below to query the relevant Microsoft Graph endpoints.
| Logic App action | API | Endpoint | AAD required permission |
|---|---|---|---|
| Get_user_details | Microsoft Graph | /users/{user UPN} | User.Read.All |
| Get_user_manager | Microsoft Graph | /users/{user UPN}/manager | User.Read.All |
| Get_user_OOF | Microsoft Graph | /users/{user UPN}/getMailTips | Mail.Read |
| Check_group_membership | Microsoft Graph | /users/{user UPN}/checkMemberGroups | Directory.Read.All |
| Get_user_AAD_risk_status | Microsoft Graph | /riskyUsers/{user AAD object Id} | IdentityRiskyUser.Read.All |
| Resolve_Cloud_App_Security_alert | MCAS API | /cas/api/v1/alerts/resolve/ | n/a (MCAS API token) |
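The decision the playbook makes from these three lookups, as an added illustration that is not part of the playbook itself: the sample Graph responses, the travellers group ID, the auto-resolve policy (never resolve an elevated-risk user; otherwise resolve when out of office or in an exempt group) and the shape of the MCAS resolve body are all assumptions.

```python
import json

# Constructed sample responses shaped like the Graph/MCAS payloads the
# Logic App actions consume (assumed shapes, not captured from the project).
MAILTIPS_RESPONSE = {"value": [{"emailAddress": {"address": "jdoe@contoso.example"},
                                "automaticReplies": {"message": "Travelling until the 20th"}}]}
MEMBERSHIP_RESPONSE = {"value": ["11111111-2222-3333-4444-555555555555"]}
RISKY_USER_RESPONSE = {"riskLevel": "low", "riskState": "atRisk"}

TRAVELLER_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # constructed group ID
ELEVATED_RISK = {"medium", "high"}  # assumed threshold for refusing auto-resolution


def user_is_out_of_office(mailtips: dict) -> bool:
    """getMailTips reports an automatic-replies message when OOF is set."""
    for tip in mailtips.get("value", []):
        if tip.get("automaticReplies", {}).get("message", "").strip():
            return True
    return False


def user_in_group(membership: dict, group_id: str) -> bool:
    """checkMemberGroups echoes back only the IDs the user is a member of."""
    return group_id in membership.get("value", [])


def user_risk_elevated(risky_user: dict) -> bool:
    """Medium/high counts as elevated; an empty object means no riskyUsers entry."""
    return risky_user.get("riskLevel") in ELEVATED_RISK


def decide(mailtips: dict, membership: dict, risky_user: dict,
           group_id: str = TRAVELLER_GROUP_ID) -> tuple[bool, str]:
    """Assumed policy. Returns (auto_resolve, reason) so the reason lands in the alert comment."""
    if user_risk_elevated(risky_user):
        return False, "user risk level is elevated in Azure AD; leave for the analyst"
    if user_is_out_of_office(mailtips):
        return True, "user has an automatic reply set (out of office)"
    if user_in_group(membership, group_id):
        return True, "user is a member of the frequent-travellers group"
    return False, "no exemption matched"


def resolve_payload(alert_id: str, reason: str) -> str:
    """Body for POST /cas/api/v1/alerts/resolve/ (assumed filter shape)."""
    return json.dumps({"filters": {"id": {"eq": [alert_id]}},
                       "comment": f"Auto-resolved by playbook: {reason}"})


if __name__ == "__main__":
    ok, why = decide(MAILTIPS_RESPONSE, MEMBERSHIP_RESPONSE, RISKY_USER_RESPONSE)
    print(ok, why, resolve_payload("ALERT-ID-PLACEHOLDER", why) if ok else "")
```

The elevated-risk check runs first on purpose: an out-of-office reply or a group membership should never override a risky-user signal from Azure AD.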
Additional resources
- Complete explanation and demonstration of this playbook in this video.
- Registering a service principal in Azure AD
- Microsoft Graph permissions reference
- Create an MCAS API token
Deployment
You can use the Deploy.ps1 script, after updating the required parameters in the provided parameters.json file, or use the buttons below.