0
(0)

Note

We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

Microsoft Defender for Cloud Apps integrates with Microsoft Defender for Identity to provide user entity behavioral analytics (UEBA) across a hybrid environment – both cloud app and on-premises, for more information, see Tutorial: Investigate risky users. For more information about the machine learning and behavioral analytics provided by Defender for Identity, see What is Defender for Identity?

 Note

Defender for Cloud Apps does not send email notifications for Defender for Identity alerts. However, you can configure email notifications for them in the Defender for Identity portal.

Prerequisites

For complete user investigation across a hybrid environment, you must have:

  • A valid license for Microsoft Defender for Identity connected to your Active Directory instance
  • You must be an Azure Active Directory global admin to enable integration between Defender for Identity and Defender for Cloud Apps

 Note

  • If you don’t have a subscription for Microsoft Defender for Cloud Apps, you will still be able to use Defender for Cloud Apps to get Defender for Identity insights.
  • Defender for Identity administrators may require new permissions to access Defender for Cloud Apps. To learn how to assign permissions to Defender for Cloud Apps, see Manage admin access.

Enable Defender for Identity

To enable Defender for Cloud Apps integration with Defender for Identity:

  1. In Defender for Cloud Apps, under the settings cog, select Settings.

    Settings menu.

  2. Under Threat Protection, select Microsoft Defender for Identity.

    enable azure advanced threat protection.

  3. Select Enable Microsoft Defender for Identity data integration and then click Save.

 Note

It may take up to 12 hours until the integration takes effect.

After enabling Defender for Identity integration, you’ll be able to see on-premises activities for all the users in your organization. You will also get advanced insights on your users that combine alerts and suspicious activities across your cloud and on-premises environments. Additionally, policies from Defender for Identity will appear on the Defender for Cloud Apps policies page. For a list of Defender for Identity policies, see Security alerts. To edit these policies, see Excluding entities from detections.

You should also use the Defender for Identity configuration links to configure Defender for Identity settings that are relevant to Defender for Cloud Apps. Use the following information to learn more about these settings:

Disable Defender for Identity

To disable Defender for Cloud Apps integration with Defender for Identity:

  1. In Defender for Cloud Apps, under the settings cog, select Settings.
  2. Under Threat Protection, select Microsoft Defender for Identity.
  3. Clear Enable Microsoft Defender for Identity data integration and then click Save.

 Note

When the integration is disabled, existing Defender for Identity data is kept in accordance with Defender for Cloud Apps retention policies but the Identity Security Posture assessments section is removed.

Known issues

Missing SIEM alert updates

This issue affects alerts that are triggered more than once. The first instance of the alert is sent to the SIEM, but subsequent triggers of the same alert are not sent.

Resolution

No known resolution.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.