Cloud Discovery policies (Microsoft)

0
(0)

 Note

We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

This article provides an overview of how to get started using Defender for Cloud Apps to gain visibility across your organization into Shadow IT using Cloud Discovery.

Defender for Cloud Apps enables you to discover and analyze cloud apps that are in use in your organization’s environment. The Cloud Discovery dashboard shows all the cloud apps running in the environment and categorizes them by function and enterprise readiness. For each app, discover the associated users, IP addresses, devices, transactions, and conducts risk assessment without needing to install an agent on your endpoint devices.

Detect new high-volume or wide app use

Detect new apps that are highly used, in terms of number of users or amount of traffic in your organization.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports or enable the Defender for Cloud Apps integration with Defender for Endpoint, as described in Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps.

Steps

  1. On the Policies page, create a new App discovery policy
  2. In the Policy template field, select New high volume app or New popular app and apply the template.
  3. Customize policy filters to meet your organization’s requirements.
  4. Configure the actions to be taken when an alert is triggered.

 Note

An alert is generated once for each new app that was not discovered in the last 90 days.

Detect new risky or non-compliant app use

Detect potential exposure of your organization in cloud apps that don’t meet your security standards.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports or enable the Defender for Cloud Apps integration with Defender for Endpoint, as described in Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps.

Steps

  1. On the Policies page, create a new App discovery policy.
  2. In the Policy template field, select the New risky app template and apply the template.
  3. Under App matching all of the following set the Risk Score slider and the Compliance risk factor to customize the level of risk you want to trigger an alert, and set the other policy filters to meet your organization’s security requirements.
    1. Optional: To get more meaningful detections, customize the amount of traffic that will trigger an alert.
    2. Check the Trigger a policy match if all the following occur on the same day checkbox.
    3. Select Daily traffic greater than 2000 GB (or other).
  4. Configure governance actions to be taken when an alert is triggered. Under Governance, select Tag app as unsanctioned.
    Access to the app will be automatically blocked when the policy is matched.
  5. Optional: Leverage Defender for Cloud Apps native integrations with Secure Web Gateways to block app access.

Detect use of unsanctioned business apps

You can detect when your employees continue to use unsanctioned apps as a replacement for approved business-ready apps.

Prerequisites

Steps

  1. In the Cloud app catalog, search for your business-ready apps and mark them with a custom app tag.
  2. Follow the steps in Detect new high volume or wide app usage.
  3. Add an App tag filter and choose the app tags you created for your business-ready apps.
  4. Configure governance actions to be taken when an alert is triggered. Under Governance, select Tag app as unsanctioned.
    Access to the app will be automatically blocked when the policy is matched.
  5. Optional: Leverage Defender for Cloud Apps native integrations with Secure Web Gateways to block app access.

Detect unusual usage patterns on your network

Detect anomalous traffic use patterns (uploads/downloads) in your cloud apps, that originate from users or IP addresses inside your organization’s network.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports or enable the Defender for Cloud Apps integration with Defender for Endpoint, as described in Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps.

Steps

  1. On the Policies page, create a new Cloud Discovery anomaly detection policy.
  2. In the Policy template field, select Anomalous behavior in discovered users or Anomalous behavior in discovered IP addresses.
  3. Customize the filters to meet your organization’s requirements.
  4. If you want to be alerted only when there are anomalies involving risky apps, use the Risk score filters and set the range in which apps are considered risky.
  5. Use the slider to Select anomaly detection sensitivity.

 Note

After continuous log upload is established, the anomaly detection engine takes a few days until a baseline (learning period), is established for the expected behavior in your organization. After a baseline is established, you start receiving alerts based on discrepancies from the expected traffic behavior across cloud apps made by users or from IP addresses.

Detect anomalous cloud discovery behavior in storage apps that aren’t sanctioned

Detect anomalous behavior by a user in a cloud storage app that isn’t sanctioned.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports or enable the Defender for Cloud Apps integration with Defender for Endpoint, as described in Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps.

Steps

  1. On the Policies page, create a new Cloud Discovery anomaly detection policy.
  2. Select the filter App category equals Cloud storage.
  3. Select the filter App tag does not equal Sanctioned.
  4. Select the checkbox to Create an alert for each matching event with the policy’s severity.
  5. Configure the actions to take when an alert is triggered.

Detect risky OAuth apps

Get visibility and control over OAuth apps that are installed inside apps like Google Workspace, Office 365, and Salesforce. OAuth apps that request high permissions and have rare community use might be considered risky.

Prerequisites

You must have the Google Workspace, Office 365, or Salesforce app connected using app connectors.

Steps

  1. On the Policies page, create a new OAuth app policy.
  2. Select the filter App and set the app the policy should cover, Google Workspace, Office 365, or Salesforce.
  3. Select Permission level filter equals High (available for Google Workspace and Office 365).
  4. Add the filter Community use equals Rare.
  5. Configure the actions to take when an alert is triggered. For example, for Office 365, check Revoke app for OAuth apps detected by the policy.

 Note

Supported for Google Workspace, Office 365, and Salesforce app stores.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 12 times, 1 visits today)
Tagged: