MCAS: Judgement Day

Last Updated on June 30, 2021 by rudyooms

This blog will be about how I broke my own Microsoft Cloud App Security instance.

Cloud App Security is a fantastic product; it can help you discover and protect everything in your Microsoft 365 tenant. Some time ago I wrote an article on how to automate your Cloud App Security enrollment.

It can come in handy when you want to deploy all your custom-made alerts to a new tenant.

In the meantime I added a lot more policies to my PowerShell enrollment:

* File copied to USB
* File/Folder shared with an external user

And a lot more… But that’s not what this blog will be about.

I will update the enroll script (https://call4cloud.nl/wp-content/uploads/2020/07/MCAS.txt) soon, because until today the alert function in my own MCAS portal was broken (it's fixed now). No alerts were triggered! It just stopped working. I hope to receive the final answer from Microsoft on why it broke, but I think I know why.

Here are my two cents: The first time I tested the enrollment script for creating the activity and file policies, I forgot to remove the Policy ID (I copied from another policy…stupid me). Good thing I warned everybody in my blog about this.

But that did not stop my own MCAS from breaking down. I could not delete the other “ghost” policies. Opening Fiddler to troubleshoot MCAS only showed me the famous and beautiful 404 error when opening or deleting the policies. It’s a little bit funny. I tried to delete a non-existing policy but MCAS thought it was still there. I think it’s weird Microsoft lets you create policies with the same ID?

Conclusion:

I hope to hear the official statement of why my MCAS was not triggering alerts soon. I guess after my “oopsie” with an identical ID it was hasta la vista, alerts. I guess Microsoft did not expect the possibility to automate MCAS with PowerShell?
