SOLVED

Microsoft IP ranges in Microsoft Cloud App Security


Hi,

 

I have noticed that Microsoft IP ranges in Microsoft Cloud App Security are not up to date.

I'm receiving multiple impossible travel alerts. When checking, I clearly see that the IPs are from Microsoft Corporation.

Normally MCAS has a list of all cloud providers dynamically with their public IPs. But this does not reflect in the activity logs.

Examples of IPs I encountered that were not dynamically tagged: 52.149.104.180, 40.68.20.47, 40.69.196.76

 

I'm assuming that does not require any user action to update/sync the IP ranges?

Can somebody elaborate on this issue?

 

Kind Regards

Louis

4 Replies

@LouisMastelinck 

Same here, a lot of activity is shown from Microsoft IP addresses. Is it a session for a user in a Microsoft data center to access some resources? Not sure. @Microsoft?

But a solution to your problem with alerts could be tagging that IP and all similar IPs. That can be done by choosing the option "Tag as corporate IP and add to whitelist".


Hi Dejvio,

Thanks for your reply.
Indeed this could be an option, but I see this as a short-term solution.
In the long term I would not be able to know if an IP is still in the Microsoft IP range or not unless I manually verify?
The same goes for new IPs that are not ingested yet by Microsoft Defender for Cloud Apps (MCAS); it would require manual work... but if you have 1000 of alerts each month this is not manageable.

But I do have to say that we haven't encountered this type of problem due to the fact that we use third-party resources that help with the IP enrichment as soon as an alert is triggered, and the alert is automatically enriched.




best response confirmed by Trevor_Rusher (Community Manager)
Solution
If this is still the case, I would recommend contacting support, as I think that is the best way to track this to your resolution but also ensure product support and engineering can engage, as needed, to solve it. I don't think there is anything we can do from "outside the MDCA box" to fix it.

Hi @LouisMastelinck, can you please share the 3rd party resources that help you update your IP ranges?
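
On the manual-verification concern raised in this thread, here is an added example (not code from any poster or from Microsoft) of checking alert source IPs against a provider's published prefix list. It assumes a JSON document in the layout of Microsoft's downloadable "Azure IP Ranges and Service Tags" file; the tag names and prefixes below are constructed from documentation ranges, not real Microsoft ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the values/properties/addressPrefixes layout.
# Prefixes are documentation ranges, NOT real published Microsoft ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "values": [
    {"name": "ExampleTag.RegionA",
     "properties": {"addressPrefixes": ["198.51.100.0/24", "2001:db8:1::/48"]}},
    {"name": "ExampleTag.RegionB",
     "properties": {"addressPrefixes": ["198.51.100.128/25", "203.0.113.0/25"]}}
  ]
}
""")

def load_prefixes(doc):
    """Flatten the document into (network, tag name) pairs."""
    pairs = []
    for entry in doc.get("values", []):
        for prefix in entry.get("properties", {}).get("addressPrefixes", []):
            pairs.append((ipaddress.ip_network(prefix, strict=False), entry["name"]))
    return pairs

def classify(ip_text, prefixes):
    """Return the tag of the most specific matching prefix, or None."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None  # malformed value in the alert: treat as unknown
    matches = [(net, name) for net, name in prefixes
               if net.version == ip.version and ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def triage(alert_ips, prefixes):
    """Split alert IPs into provider-owned (ip -> tag) and unknown."""
    known, unknown = {}, []
    for ip in alert_ips:
        tag = classify(ip, prefixes)
        if tag:
            known[ip] = tag
        else:
            unknown.append(ip)
    return known, unknown
```

To use it against real data, replace `SAMPLE_SERVICE_TAGS` with `json.load()` of the downloaded file and re-run the load whenever the file is refreshed, since the published ranges change over time.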
