Whitelisting your client's IP Range in MCAS

How to whitelist corporate IP range in Microsoft Cloud App Security. Ultimately reducing false positives in your SOC.

Whitelisting your client's IP Range in MCAS
Cloud App Security

If your client has a large staff base and sizeable infrastructure then you're going to probably run up a lot of false positive security alerts unless you whitelist the company's IP range. Here MCAS has been up and running for a little while with stacks of alerts coming through, but upon investigation it seems a lot of the IP addresses relate to the companies IP range. Get them whitelisted and reduce ticket fatigue for the SOC team!

Microsoft Cloud App Security

PIM Elevation

You'll need to elevate to Security Adminstrator at the AD level before you can do any form of whitelisting. Without elevating to this role you won't even see the option in MCAS to whitelist an IP range.

IP Range Whitelisting in MCAS

Once you've elevated head to MCAS @ https://COMPANYNAME.portal.cloudappsecurity.com

Select the system config drop down in the top right and you'll see "IP Address ranges" bottom of the list.

If you've elevated correctly you should see this blue plus icon (circled below). You might have to logout of his portal and back in again after you've elevated if you don't see it on refresh.

You'll notice lots of default whitelisting here from renown companies such as Cloudflare, Amazon and Cisco for example.

Now, head to the blue plus icon and you'll see the configuration for whitelisting IP ranges for the company. Simple as that! Make sure that category and tags are correctly set. You should now see a redcued number of false positives being generated.