Signin Risk Module about sentinelautomationmodules HOT 4 CLOSED

Assuming we use the UPN (or the ObjectID) of the user, I'm thinking on the following checks:

• Get the user's Investigation score from MCAS (if available)
• Get the user's Risk level from AAD IP
• Get stats on the user's CAP failures
• Get stats on known IPs for the user and check them against TI
• Get the risk level of the user's devices from MDE (if available)

Not sure if calculating a score ehre make sense, but providing the output of that could help.
Open to add/remove. As it might be too many items here (the TI check could be in the other module about TI)... Going against the modular approach.

from sentinelautomationmodules.

That sounds great, I would agree with not calculating a score but instead return these as separate properties so people can make their own decisions

from sentinelautomationmodules.

It seems that the MCAS API only accept API key as an authentication method... So to get the Investigation priority (which is called the threatScore in the json) it would need 2 configuration requirements. 1 create the API key (need to be done in the GUI of the MCAS portal) and 2 store that key in a key-vault to retrieve it safely from the logic app. This Investigation priority still has value in my opinion. And we can also retrieve the history of that score. But because of the config requirement, it could be a sperate module.

from sentinelautomationmodules.

Breaking it out into a separate module may make sense, not everyone will have MCAS configured/licensed anyways

from sentinelautomationmodules.