question

IPer-8261 asked MarileeTurscak-MSFT answered

MCAS triggers alerts for a whitelisted IP

We have configured a policy that triggers an alert if a user logs in from a country that is not allowed.
The thing is that we occasionally have users connecting from these countries (business trips, holidays, etc.). We have whitelisted these IPs (all the IPs are static) as corporate but the policy keeps triggering.

The alerts show the whitelisted IP.

The whitelist is performed in the "IP address ranges" from MCAS.

Thanks!


azure-security-center

1 Answer

MarileeTurscak-MSFT answered

As far as I know, if the alert is triggered by the country setting, it will still send even if you have whitelisted the IP. When you get an alert there is a link for feedback, which you can provide for this issue.

One option would be to pipe your alert into Azure Sentinel and then add to the alert with your IPs so that you can pay attention to those alerts instead. https://docs.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts

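A sketch of the triage step the answer suggests, applied to exported alerts. This is an added example, not part of the original thread or any Microsoft code; the alert field names, function names and addresses are constructed assumptions. It marks a country alert as expected only when every source IP on it falls inside the corporate ranges, so mixed, empty or malformed entries still go to review.

```python
import ipaddress

# Constructed sample data: documentation-range addresses standing in for the
# static IPs tagged as corporate under "IP address ranges".
CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:10::/48"]

# Constructed alerts; the field names are assumptions, not a product schema.
SAMPLE_ALERTS = [
    {"id": "a1", "user": "alice", "country": "BR", "ips": ["203.0.113.45"]},
    {"id": "a2", "user": "bob", "country": "BR", "ips": ["192.0.2.200"]},
    {"id": "a3", "user": "carol", "country": "JP",
     "ips": ["198.51.100.17", "192.0.2.9"]},   # one corporate, one unknown
    {"id": "a4", "user": "dave", "country": "JP", "ips": ["2001:db8:10::5"]},
    {"id": "a5", "user": "erin", "country": "JP", "ips": ["not-an-ip"]},
    {"id": "a6", "user": "frank", "country": "JP", "ips": []},
]


def load_ranges(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_corporate(ip_text, networks):
    """True only if ip_text parses and sits inside one of the networks."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed value: never treat as allowlisted
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 before matching.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in networks)


def triage(alerts, cidrs):
    """Split alert ids into 'expected' (all IPs corporate) and 'review'."""
    networks = load_ranges(cidrs)
    result = {"expected": [], "review": []}
    for alert in alerts:
        ips = alert.get("ips", [])
        all_known = bool(ips) and all(is_corporate(ip, networks) for ip in ips)
        result["expected" if all_known else "review"].append(alert["id"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, CORPORATE_RANGES))
```
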