Automatically remediate Microsoft Defender for Cloud Apps infrequent country/region alerts using Power Automate


If connections to cloud apps originate from unusual countries/regions, this is often a sign of some form of attack. Therefore, Microsoft Defender for Cloud Apps provides controls to block unusual country/region requests. In most scenarios, this is a useful feature, but sometimes it might not be beneficial. Imagine a scenario where a senior business executive has gone on annual leave to a tropical island a long way from home. While they are away, one of the organization's key clients wants to place a large last-minute order. The senior business executive needs to approve an order of this size, but they are blocked from the orders app because they are in an unusual country/region.

By implementing Power Automate, a more sophisticated approach to infrequent country/region alerts becomes possible. Power Automate uses flows to respond to events and automate tasks. No extra steps are necessary to integrate Power Automate with Microsoft Defender for Cloud Apps.

Steps to remove sensitive file sharing after requesting user validation with Power Automate

To remove sensitive file sharing after requesting user validation with Power Automate, perform the following steps:

  1. Create a Power Automate flow that responds to an alert generated by Microsoft Defender for Cloud Apps.

  2. This flow captures user and manager information, checks to see whether the user has an out-of-office enabled and checks group membership.

    [Screenshot: Power Automate flow.]

  3. The next task is a condition that resolves the alert in Microsoft Defender for Cloud Apps if out-of-office is turned on and the user is not part of the Executives group.

    [Screenshot: Power Automate condition.]

  4. An "If no" branch can then be added to create a message.

    [Screenshot: Power Automate "If no" branch.]

  5. This message can then be posted to Teams for the Security Operations Center (SOC) team to resolve.

    [Screenshot: Power Automate message for SOC team.]

  6. A sample Power Automate flow can be downloaded from the link in the Learn more section of the Summary unit of this module.
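The decision logic that steps 2 to 5 describe (out-of-office check, Executives group check, resolve or escalate to Teams) is shown below as an added Python model; it is not the downloadable sample flow and not a Power Automate definition. The alert record, the manager lookup and the group list are constructed inputs whose field names are assumptions; the out-of-office record follows the shape of the Microsoft Graph automaticRepliesSetting object (status of disabled, alwaysEnabled or scheduled, with scheduledStartDateTime and scheduledEndDateTime), and time zones are simplified to UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Group whose members are never auto-resolved and always go to the SOC (name from the page)
EXECUTIVES_GROUP = "Executives"


@dataclass
class TriageResult:
    action: str                        # "resolve" or "escalate"
    reason: str
    teams_message: Optional[Dict] = None   # body for the Teams post in the "If no" branch


def _graph_dt(value: Dict) -> datetime:
    """Parse a Graph dateTimeTimeZone object; assumes UTC (simplification for the example)."""
    return datetime.fromisoformat(value["dateTime"]).replace(tzinfo=timezone.utc)


def out_of_office_active(auto_replies: Dict, at: datetime) -> bool:
    """Mirror the flow's 'does the user have out-of-office enabled' check.
    `auto_replies` has the shape of Graph's automaticRepliesSetting; a scheduled
    reply only counts if the alert time falls inside the scheduled window."""
    status = auto_replies.get("status", "disabled")
    if status == "alwaysEnabled":
        return True
    if status != "scheduled":
        return False
    start = _graph_dt(auto_replies["scheduledStartDateTime"])
    end = _graph_dt(auto_replies["scheduledEndDateTime"])
    return start <= at <= end


def triage_alert(alert: Dict, auto_replies: Dict, groups: List[str], manager_upn: str) -> TriageResult:
    """Step 3 condition: resolve if out-of-office is on and the user is not an Executive;
    otherwise (steps 4 and 5) build the message the SOC team receives in Teams."""
    at = datetime.fromisoformat(alert["timestamp"])
    ooo = out_of_office_active(auto_replies, at)
    is_executive = EXECUTIVES_GROUP in groups
    if ooo and not is_executive:
        return TriageResult("resolve", "out-of-office in effect at alert time and user is not in Executives")
    reason = "user is a member of Executives" if is_executive else "no out-of-office in effect at alert time"
    message = {
        "title": f"Infrequent country/region sign-in needs SOC review: {alert['user']}",
        "facts": [
            {"name": "Country/region", "value": alert["country"]},
            {"name": "Time (UTC)", "value": alert["timestamp"]},
            {"name": "Manager", "value": manager_upn},
            {"name": "Reason not auto-resolved", "value": reason},
            {"name": "Alert ID", "value": alert["alert_id"]},
        ],
    }
    return TriageResult("escalate", reason, message)


# Constructed sample inputs (not real alert data)
SAMPLE_ALERT = {
    "alert_id": "alert-0001",   # placeholder, not a real Defender for Cloud Apps alert id
    "user": "alex@contoso.example",
    "country": "Fiji",
    "timestamp": "2024-07-10T14:30:00+00:00",
}
SCHEDULED_OOO = {
    "status": "scheduled",
    "scheduledStartDateTime": {"dateTime": "2024-07-05T00:00:00", "timeZone": "UTC"},
    "scheduledEndDateTime": {"dateTime": "2024-07-19T00:00:00", "timeZone": "UTC"},
}
NO_OOO = {"status": "disabled"}

if __name__ == "__main__":
    cases = [(["Sales"], SCHEDULED_OOO), (["Executives"], SCHEDULED_OOO), (["Sales"], NO_OOO)]
    for groups, ooo in cases:
        result = triage_alert(SAMPLE_ALERT, ooo, groups, "manager@contoso.example")
        print(groups, ooo["status"], "->", result.action, "|", result.reason)
```

The scheduled-window check matters: an out-of-office reply that is configured but not yet in effect at the time of the sign-in should not clear the alert. The Executives exception is what keeps the high-value accounts from the opening scenario under human review even when their out-of-office is on.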

The following video gives you an overview of automating infrequent country/region alerts with Power Automate: