Cloud App Security provides threat protection for your cloud applications, enhanced with Microsoft's vast threat intelligence and research. It identifies high-risk usage and security incidents and detects abnormal user behavior so that threats can be stopped early.
Cloud App Security helps you stay ahead of attackers. You can identify anomalies in your cloud usage that may indicate a data breach. Cloud App Security's advanced machine-learning heuristics learn how each user interacts with each SaaS application and, through behavioral analysis, assess the risk of each transaction. Examples include simultaneous logins from two countries, the sudden download of terabytes of data, or multiple failed login attempts that may signify a brute-force attack.
In this blog post, I will show how to identify and report on users logging on from risky IP addresses outside of the United States.
From the Cloud App Security console, select Investigate and choose Activity Log.
From the Activity Log, you can set a filter to narrow your results. In this example, I set the following filters:
Activity Type = Log On
Location <> United States
IP Address Category = Risky
From the Activity Log, I then create a policy based on this search: click the New Policy from Search button.
In the Create Activity Policy form, enter a Policy Name, Description, Severity and Category (see screenshot).
Then configure the following:
- Activity Filters
- Policy Match Parameters
- Alerts
- Governance
Activity Filters: this is pre-filled with your search from the Activity Log (Activity Type = Log On, Location <> United States, IP Address Category = Risky).
Policy Match Parameters: select Single activity (alert on every matching logon) or Repeated activity (alert only when the same user produces several matching logons within a time window).
Alerts: select Create Alert and choose the delivery types: email, text message, or both.
Finally, under Governance, choose which actions to take automatically: Notify User, CC User's Manager, CC Additional Users (for example, the security team), Suspend User, or Require user to change password.
Now, when a logon is detected from a risky IP address outside of the US, Cloud App Security will automatically report it, send the configured notifications and apply the selected governance actions.
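To make the policy logic concrete, here is an added example (my own Python, not Cloud App Security code and not its API schema) that applies the same three filters and both match parameters to a handful of constructed activity records. The record layout, the field names, the "US" and "Risky" values, the three-logons-in-ten-minutes threshold for Repeated activity, and the action names are all assumptions made for the example; the governance actions are only listed, not executed.

```python
"""Local model of the activity policy built above.

Added example; the record layout is a constructed approximation of an
Activity Log export, not the product's real schema or API.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Filter values as shown in the console (assumed spellings for this example).
LOGON = "Log on"
UNITED_STATES = "US"
RISKY = "Risky"

# Constructed sample activities (documentation IP ranges, fictitious users).
SAMPLE_ACTIVITIES = [
    {"user": "alice@contoso.example", "type": LOGON, "country": "US",
     "ip": "203.0.113.10", "ip_category": "Corporate", "time": "2020-03-01T08:00:00"},
    {"user": "bob@contoso.example", "type": LOGON, "country": "RU",
     "ip": "198.51.100.7", "ip_category": RISKY, "time": "2020-03-01T08:05:00"},
    # Same risky IP, but not a logon: excluded by Activity Type = Log on.
    {"user": "bob@contoso.example", "type": "File download", "country": "RU",
     "ip": "198.51.100.7", "ip_category": RISKY, "time": "2020-03-01T08:06:00"},
    # Risky IP inside the US: excluded by Location <> United States.
    {"user": "carol@contoso.example", "type": LOGON, "country": "US",
     "ip": "198.51.100.9", "ip_category": RISKY, "time": "2020-03-01T08:10:00"},
    {"user": "dave@contoso.example", "type": LOGON, "country": "NG",
     "ip": "198.51.100.20", "ip_category": RISKY, "time": "2020-03-01T09:00:00"},
    {"user": "dave@contoso.example", "type": LOGON, "country": "NG",
     "ip": "198.51.100.20", "ip_category": RISKY, "time": "2020-03-01T09:03:00"},
    {"user": "dave@contoso.example", "type": LOGON, "country": "NG",
     "ip": "198.51.100.21", "ip_category": RISKY, "time": "2020-03-01T09:07:00"},
    # Outside the US but categorised VPN, not Risky: excluded.
    {"user": "erin@contoso.example", "type": LOGON, "country": "DE",
     "ip": "192.0.2.44", "ip_category": "VPN", "time": "2020-03-01T09:30:00"},
]


def matches_filters(activity):
    """Activity Type = Log on AND Location <> United States AND IP Address Category = Risky."""
    return (activity["type"] == LOGON
            and activity["country"] != UNITED_STATES
            and activity["ip_category"] == RISKY)


def single_activity_matches(activities):
    """'Single activity' match parameter: every activity passing the filters is a hit."""
    return [a for a in activities if matches_filters(a)]


def repeated_activity_matches(activities, min_count=3, window_minutes=10):
    """'Repeated activity' match parameter: the same user produces at least
    min_count matching logons inside a sliding window.  Returns {user: count}."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for a in single_activity_matches(activities):
        per_user[a["user"]].append(datetime.fromisoformat(a["time"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= min_count:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def evaluate_policy(activities, match="single", suspend_user=False):
    """Run the policy and return one alert per matched user, listing the
    governance actions the policy would apply (names mirror the console)."""
    actions = ["notify user", "cc user's manager", "cc security team"]
    if suspend_user:
        actions.append("suspend user")
    if match == "single":
        users = sorted({a["user"] for a in single_activity_matches(activities)})
    elif match == "repeated":
        users = sorted(repeated_activity_matches(activities))
    else:
        raise ValueError("match must be 'single' or 'repeated'")
    return [{"user": u, "actions": actions} for u in users]


if __name__ == "__main__":
    for alert in evaluate_policy(SAMPLE_ACTIVITIES, match="repeated", suspend_user=True):
        print(alert)
```

The sample set shows what each filter excludes: bob's file download (wrong activity type), carol's risky logon inside the US, and erin's VPN logon in Germany all drop out, so the Single activity policy alerts on bob and dave, while the Repeated activity policy alerts only on dave, whose three risky logons fall within ten minutes. Note that Location <> United States deliberately ignores risky logons from inside the US; if those matter to you, drop that filter rather than relying on this policy to catch them.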