 Note

We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

Applies to: Microsoft Defender for Cloud Apps

This article is updated frequently to let you know what’s new in the latest release of Microsoft Defender for Cloud Apps.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://docs.microsoft.com/api/search/rss?search=%22This+article+is+updated+frequently+to+let+you+know+what%27s+new+in+the+latest+release+of+Cloud+App+Security%22&locale=en-us

 Note

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We’ll be using the new names in future releases.

 Note

In November 2021, Defender for Cloud Apps updated its IP addresses in the App connectors and Access and session controls sections. Please update the IP addresses in your third-party apps and network appliance rules accordingly. For more information, see the App connector and Access and session controls documentation.

For more information on what’s new with other Microsoft Defender security products, see:

Defender for Cloud Apps release 216 and 217

December 26, 2021

Defender for Cloud Apps release 214 and 215

November 28, 2021

  • NetDocuments app connector available in public preview
    A new app connector for NetDocuments is available in public preview. You can now connect Microsoft Defender for Cloud Apps to NetDocuments to monitor and protect users and activities. For more information, see Connect NetDocuments to Microsoft Defender for Cloud Apps.

Cloud App Security release 212 and 213

October 31, 2021

  • Impossible travel, activity from infrequent countries/regions, activity from anonymous IP addresses, and activity from suspicious IP addresses alerts will not apply on failed logins.
    After a thorough security review, we decided to separate failed login handling from the alerts mentioned above. From now on, they’ll only be triggered by successful login cases and not by unsuccessful logins or attack attempts. The mass failed login alert will still be applied if there is an anomalously high number of failed login attempts on a user. For more information, see Behavioral analytics and anomaly detection.
  • New anomaly detection: Unusual ISP for an OAuth app
    We’ve extended our anomaly detections to include suspicious addition of privileged credentials to an OAuth app. The new detection is now available out-of-the-box and automatically enabled. The detection can indicate that an attacker has compromised the app and is using it for malicious activity. For more information, see Unusual ISP for an OAuth app.
  • New detection: Activity from password-spray associated IP addresses
    This detection compares IP addresses performing successful activities in your cloud applications to IP addresses identified by Microsoft’s threat intelligence sources as recently performing password spray attacks. It alerts about users that were victims of password spray campaigns and managed to access your cloud applications from those malicious IPs. This new alert will be generated by the existing Activity from suspicious IP addresses policy. For more information, see Activity from suspicious IP addresses.
  • Smartsheet and OneLogin API connectors are now in general availability
    Smartsheet and OneLogin API connectors are now in general availability. You can now connect Microsoft Cloud App Security to Smartsheet and to OneLogin to monitor and protect users and activities. For more information, see Connect Smartsheet and Connect OneLogin.
  • New Shadow IT integration with Open Systems
    We’ve added native integration with Open Systems providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Open Systems.

Cloud App Security release 209, 210, and 211

October 10, 2021

  • Slack API connector is now in general availability
    The Slack API connector is in general availability, giving you more visibility into, and control over, how your app is used in your organization. For more information, see How Cloud App Security helps protect your Slack Enterprise.
  • New warn experience for monitored apps with Microsoft Defender for Endpoint is now in general availability
    Cloud App Security has extended its native integration with Microsoft Defender for Endpoint. You can now apply a soft block on access to apps marked as monitored using Microsoft Defender for Endpoint’s network protection capability. End users will be able to bypass the block. The block bypass report will be available in Cloud App Security’s discovered app experience. For more information, see:

  • New discovered app experience in general availability
    As part of continuous improvement of our entity experiences, we’re introducing a modernized discovered app experience to cover discovered web apps and OAuth apps and provide a unified view of an application entity. For more information, see Working with the app page.

Cloud App Security release 208

August 22, 2021

  • New discovered app experience in public preview
    As part of continuous improvement of our entity experiences, we’re introducing a modernized discovered app experience to cover discovered web apps and OAuth apps and provide a unified view of an application entity. For more information, see Working with the app page.
  • App governance add-on to Cloud App Security available in public preview
    The app governance add-on to Microsoft Cloud App Security is a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. For more information:

  • Smartsheet app connector available in public preview
    A new app connector for Smartsheet is available in public preview. You can now connect Microsoft Cloud App Security to Smartsheet to monitor and protect users and activities. For more information, see Connect Smartsheet to Microsoft Cloud App Security.

Cloud App Security release 207

August 8, 2021

  • New warn experience for monitored apps with Microsoft Defender for Endpoint (public preview)
    Cloud App Security has extended its native integration with Microsoft Defender for Endpoint (MDE). You can now apply a soft block on access to apps marked as monitored using Microsoft Defender for Endpoint’s network protection capability. End users will be able to bypass the block. The block bypass report will be available in Cloud App Security’s discovered app experience. For more information, see:

Cloud App Security release 206

July 25, 2021

  • New Cloud Discovery Open Systems log parser
    Cloud App Security’s Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the Open Systems format. For a list of supported log parsers, see Supported firewalls and proxies.

Cloud App Security release 205

July 11, 2021

  • Zendesk app connector available in public preview
    A new app connector for Zendesk is available in public preview. You can now connect Microsoft Cloud App Security to Zendesk to monitor and protect users and activities. For more information, see Connect Zendesk.
  • New Cloud Discovery parser for Wandera
    Cloud Discovery in Cloud App Security analyzes a wide range of traffic logs to rank and score apps. Now, Cloud Discovery includes a built-in log parser to support the Wandera format. For a list of supported log parsers, see Supported firewalls and proxies.

Cloud App Security release 204

June 27, 2021

  • Slack and OneLogin app connectors available in public preview
    New app connectors are now available for Slack and OneLogin in public preview. You can now connect Microsoft Cloud App Security to Slack and to OneLogin to monitor and protect users and activities. For more information, see Connect Slack and Connect OneLogin.

Cloud App Security release 203

June 13, 2021

  • Expose verified publisher indication in O365 OAuth apps
    Cloud App Security now surfaces whether a publisher of an Office 365 OAuth app has been verified by Microsoft to enable higher app trust. This feature is in a gradual rollout. For more information, see Working with the OAuth app page.
  • Azure Active Directory Cloud App Security admin
    A Cloud App Security admin role has been added to Azure Active Directory (AAD), allowing the assignment of global admin capabilities to Cloud App Security alone via AAD. For more information, see Office 365 and Azure AD roles with access to Cloud App Security.
  • Export custom tag and app domains per discovered app
    Export to CSV in the discovered apps page now includes the application’s custom app tags and associated web domains. For more information, see Working with discovered apps.

     Important

    Enhanced proxy URL for access controls (gradual rollout)
    Starting in early July 2021, we will change our access endpoint from <mcas-dc-id>.access-control.cas.ms to access.mcas.ms. Make sure you update your network appliance rules before the end of June, as this can lead to access issues. For more information, see Access and session controls.

Cloud App Security release 200, 201, and 202

May 30, 2021

  • Authentication Context (Step-Up Authentication) in public preview
    We’ve added the ability to protect users working with proprietary and privileged assets by requiring Azure AD Conditional Access policies to be reassessed in the session. For example, if a change in IP address is detected because an employee in a highly sensitive session has moved from the office to the coffee shop downstairs, step-up can be configured to reauthenticate that user. For more information, see Require step-up authentication (authentication context) upon risky action.

Cloud App Security release 199

April 18, 2021

  • Service Health Dashboard availability
    The enhanced Cloud App Security Service Health Dashboard is now available within the Microsoft 365 Admin portal for users with Monitor service health permissions. Learn more about Microsoft 365 Admin roles. In the dashboard, you can configure notifications, allowing relevant users to stay updated with the current Cloud App Security status. To learn how to configure email notifications and additional information about the dashboard, see How to check Microsoft 365 service health.
  • AIP support deprecated
    Label management from the Azure Information Protection portal (classic) is deprecated beginning April 1, 2021. Customers without AIP extended support should migrate their labels to Microsoft Information Protection to continue using sensitivity labels in Cloud App Security. Without migration to Microsoft Information Protection or AIP extended support, file policies with sensitivity labels will be disabled. For more information, see Understanding Unified Labeling migration.
  • DLP near real-time rollout completed for Dropbox, ServiceNow, AWS, and Salesforce
    New near real-time file scanning is available in Dropbox, ServiceNow and Salesforce. New near real-time S3 bucket discovery is available in AWS. For more information, see Connect apps.
  • Public preview for overriding privilege sensitivity labels
    Cloud App Security supports overriding sensitivity labels for files that were labeled outside Cloud App Security. For more information, see Apply labels directly to files.
  • Extended Advanced Hunting events
    We’ve expanded the available events in Cloud App Security. Microsoft 365 Defender Advanced Hunting now includes telemetry from Microsoft OneDrive, SharePoint Online, Office 365, Dynamics 365, Dropbox, Power BI, Yammer, Skype for Business, and Power Automate, in addition to Exchange Online and Teams, which were available until now. For more information, see Apps and services covered.

Cloud App Security release 198

Released April 4, 2021

  • Exclusion of Azure Active Directory groups entities from discovery
    We’ve added the ability to exclude discovered entities based on imported Azure Active Directory groups. Excluding AAD groups will hide all discovery-related data for any users in these groups. For more information, see Exclude entities.
  • API connector support for ServiceNow Orlando and Paris versions
    We’ve added support in the ServiceNow API connector for the Orlando and Paris versions. For more information, see Connect ServiceNow to Microsoft Cloud App Security.
  • Always apply the selected action even if data cannot be scanned
    We’ve added a new checkbox to Session policies that treats any data that can’t be scanned as a match for the policy.

     Note

    Deprecation notice: this feature replaces both Treat encrypted as match, and Treat files that cannot be scanned as match, in addition to adding new functionality. New policies will contain the new checkbox by default, deselected by default. Pre-existing policies will be migrated to the new checkbox on May 30. Policies with either or both options selected will have the new option selected by default; all other policies will have it deselected.

Cloud App Security release 197

Released March 21, 2021

  • Status page deprecation notice
    On April 29, Cloud App Security will deprecate the service health status page, replacing it with the Service Health Dashboard within the Microsoft 365 Admin portal. The change aligns Cloud App Security with other Microsoft services and provides an enhanced service overview.

     Note

    Only users with Monitor service health permissions can access the dashboard. For more information, see About admin roles.

    In the dashboard, you can configure notifications, allowing relevant users to stay updated with the current Cloud App Security status. To learn how to configure email notifications and additional information regarding the dashboard, see How to check Microsoft 365 service health.

  • OAuth app consents link
    We’ve added the ability to scope activity investigations to a specific OAuth app’s consent activities directly from the OAuth app view. For more information, see How to investigate suspicious OAuth apps.

Cloud App Security release 195 and 196

Released March 7, 2021

  • Enhanced Shadow IT discovery with Microsoft Defender for Endpoint
    We’ve further improved our Defender for Endpoint integration by leveraging enhanced signals for the Defender agent, providing more accurate app discovery and organizational user context.

    To benefit from the latest enhancements, make sure your organizational endpoints are updated with the latest Windows 10 updates:

  • Configurable session lifetime
    We’re enabling customers to configure a shorter session lifetime for Conditional Access App Control. By default, sessions proxied by Cloud App Security have a maximum lifetime of 14 days. For more information about shortening session lifetimes, contact us at [email protected]

Cloud App Security release 192, 193, and 194

Released February 7, 2021

  • Updates to Policies page
    We’ve updated the Policies page, adding a tab for every policy category. We also added an All policies tab to give you a complete list of all your policies. For more information about the policy categorization, see Policy types.
  • Enhanced Office 365 OAuth apps export
    We’ve enhanced the Office 365 OAuth apps activities export to CSV file with the Redirect URL of the OAuth apps. For more information about exporting OAuth app activities, see OAuth app auditing.
  • Updates to the portal interface
    In the coming months, Cloud App Security will be updating its User Interface to provide a more consistent experience across Microsoft 365 security portals. Learn more

Cloud App Security release 189, 190, and 191

Released January 10, 2021

  • New log collector version
    Upgraded Log collector for Shadow IT discovery is now available. It includes the following updates:

    • We’ve upgraded our Pure-FTPd version to the latest version: 1.0.49. TLS < 1.2 is now disabled by default.
    • We’ve disabled the “octet-counted” framing feature in RSyslog to prevent failed processing.

    For more information, see Configure automatic log upload for continuous reports.

  • New anomaly detection: Suspicious addition of credentials to an OAuth app
    We’ve extended our anomaly detections to include suspicious addition of privileged credentials to an OAuth app. The new detection is now available out-of-the-box and automatically enabled. The detection can indicate that an attacker has compromised the app and is using it for malicious activity. For more information, see Unusual addition of credentials to an OAuth app.
  • Enhanced auditing for Shadow IT discovery activities
    We’ve updated the auditing for Shadow IT activities to include actions performed by administrators. The following new activities are now available in the activity log and can be used as part of your Cloud App Security investigation experience.

    • Tagging or untagging apps
    • Creating, updating, or deleting log collectors
    • Creating, updating, or deleting data sources
  • New Data Enrichment REST API endpoints
    We’ve added the following Data Enrichment API endpoints enabling you to fully manage your IP address ranges using the API. Use our sample management script to help you get started. For more information about ranges, see Working with IP ranges and tags.

Cloud App Security release 187 and 188

Released November 22, 2020

  • New Shadow IT integration with Menlo Security
    We’ve added native integration with Menlo Security providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Menlo Security.
  • New Cloud Discovery WatchGuard log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the WatchGuard format. For a list of supported log parsers, see Supported firewalls and proxies.
  • New permission for Cloud Discovery global admin role
    Cloud App Security now allows users with the Cloud Discovery global admin role to create API tokens and use all Cloud Discovery related APIs. For more information about the role, see Built-in Cloud App Security admin roles.
  • Enhanced sensitivity slider: Impossible travel
    We’ve updated the sensitivity slider for impossible travel to configure different sensitivity levels for different user scopes, allowing enhanced control over the fidelity of alerts for user scopes. For example, you can define a higher sensitivity level for administrators than for other users in the org. For more information about this anomaly detection policy, see Impossible travel.
  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn’t include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

Cloud App Security release 184, 185, and 186

Released October 25, 2020

  • New enhanced alert monitoring and management experience
    As part of our ongoing improvements to monitoring and managing alerts, the Cloud App Security Alerts page has been improved based on your feedback. In the enhanced experience, the Resolved and Dismissed statuses are replaced by the Closed status with a resolution type. Learn more
  • New global severity setting for signals sent to Microsoft Defender for Endpoint
    We’ve added the ability to set the global severity setting for signals sent to Microsoft Defender for Endpoint. For more information, see How to integrate Microsoft Defender for Endpoint with Cloud App Security.
  • New security recommendations report
    Cloud App Security provides you with security configuration assessments for your Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) giving you insights into security configuration gaps in your multi-cloud environment. Now you can export detailed security recommendation reports to help you monitor, understand, and customize your cloud environments to better protect your organization. For more information about exporting the report, see Security recommendations report.
  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn’t include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.
  • Updates to the Cloud App Catalog
    We’ve made the following updates to our Cloud App Catalog:

    • Teams Admin Center has been updated as a standalone app
    • Microsoft Office 365 Admin Center has been renamed to Office Portal
  • Terminology update
    We’ve updated the term machine to device as part of the general Microsoft effort to align terminology across products.

Cloud App Security release 182 and 183

Released September 6, 2020

  • Access and session controls for Azure portal GA
    Conditional Access App Control for the Azure portal is now generally available. For information about configuring these controls, see the Deployment guide.

Cloud App Security release 181

Released August 9, 2020

  • New Cloud Discovery Menlo Security log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the Menlo Security CEF format. For a list of supported log parsers, see Supported firewalls and proxies.
  • Azure Active Directory (AD) Cloud App Discovery name displays in portal
    For Azure AD P1 and P2 licenses, we’ve updated the product name in the portal to Cloud App Discovery. Learn more about Cloud App Discovery.

Cloud App Security release 179 and 180

Released July 26, 2020

  • New anomaly detection: Suspicious OAuth app file download activities
    We’ve extended our anomaly detections to include suspicious download activities by an OAuth app. The new detection is now available out-of-the-box and automatically enabled to alert you when an OAuth app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
  • Performance improvements using proxy caching for Session Controls (gradual rollout)
    We’ve made additional performance improvements to our session controls, by improving our content caching mechanisms. The improved service is even more streamlined and provides increased responsiveness when using session controls. Note that session controls don’t cache private content, aligning with the appropriate standards to only cache shared (public) content. For more information, see How session control works.
  • New feature: Save security configuration queries
    We’ve added the ability to save queries for our security configuration dashboard filters for Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This can help make future investigations even simpler by reusing common queries. Learn more about Security configuration recommendations.
  • Enhanced anomaly detection alerts
    We’ve extended the information we provide for anomaly detection alerts to include a mapping to the corresponding MITRE ATT&CK tactic. This mapping will help you understand the phase and impact of the attack and assist with your investigations. Learn more about How to investigate anomaly detection alerts.
  • Enhanced detection logic: Ransomware activity
    We’ve updated the detection logic for Ransomware activity to provide improved accuracy and reduced alert volume. For more information about this anomaly detection policy, see Ransomware activity.
  • Identity Security Posture reports: Tags visibility
    We’ve added entity tags to Identity Security Posture reports providing additional insights about entities. For example, the Sensitive tag can help you identify risky users and prioritize your investigations. Learn more about Investigating risky users.

Cloud App Security release 178

Released June 28, 2020

  • New security configurations for Google Cloud Platform (gradual rollout)
    We’ve expanded our multi-cloud security configurations to provide security recommendations for Google Cloud Platform, based on the GCP CIS benchmark. With this new capability, Cloud App Security provides organizations with a single view for monitoring the compliance status across all cloud platforms, including Azure subscriptions, AWS accounts, and now GCP projects.
  • New app connectors GA
    We’ve added the following app connectors to our portfolio of generally available API connectors, giving you more visibility into and control over how your apps are used in your organization:

  • New real-time malware detection GA
    We’ve expanded our session controls to detect potential malware using Microsoft Threat Intelligence upon file uploads or downloads. The new detection is now generally available out-of-the-box and can be configured to automatically block files identified as potential malware. For more information, see Block malware on upload.
  • Enhanced access and session controls with any IdP GA
    Access and session controls support for SAML apps configured with any identity provider is now generally available. For information about configuring these controls, see the Deployment guide.
  • Risky machine investigation enhancement
    Cloud App Security provides the ability to identify risky machines as part of your shadow IT discovery investigation. Now, we’ve added the Microsoft Defender Advanced Threat Protection Machine risk level to the machines page giving analysts more context when investigating machines in your organization. For more information, see Investigate devices in Cloud App Security.
  • New feature: Self-service disable app connector (gradual rollout)
    We’ve added the ability to disable app connectors directly in Cloud App Security. For more information, see Disable app connectors.

Cloud App Security release 177

Released June 14, 2020

  • New real-time malware detection (preview, gradual rollout)
    We’ve expanded our session controls to detect potential malware using Microsoft Threat Intelligence upon file uploads or downloads. The new detection is now available out-of-the-box and can be configured to automatically block files identified as potential malware. For more information, see Block malware on upload.
  • New access token support for access and session controls
    We’ve added the ability to treat access token and code requests as logins when onboarding apps to access and session controls. To use tokens, select the settings cog icon, select Conditional Access App Control, edit the relevant app (three dots menu > Edit app), select Treat access token and code requests as app logins, and then select Save. For more information about onboarding apps, see Onboard and deploy any app and Deploy featured apps.
  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn’t include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.
  • New documentation
    Cloud App Security documentation has been expanded to include the following new content:

Cloud App Security release 176

Released May 31, 2020

  • New activity privacy feature
    We’ve enhanced your ability to granularly determine which users you want to monitor with the ability to make activities private. This new feature enables you to specify users based on group membership whose activities will be hidden by default. Only authorized admins have the option to choose to view these private activities, with each instance being audited in the governance log. For more information, see Activity privacy.
  • New integration with Azure Active Directory (Azure AD) Gallery
    We’ve leveraged our native integration with Azure AD to give you the ability to navigate directly from an app in the Cloud App Catalog to its corresponding Azure AD Gallery app, and manage it in the gallery. For more information, see Manage apps with Azure AD Gallery.
  • New feedback option available in selected policies
    We’re interested in receiving your feedback and learning how we can help. So now a new feedback dialog gives you the opportunity to help improve Cloud App Security, when creating, modifying, or deleting a file, anomaly detection, or session policy.
  • Enhanced proxy URL suffix for session controls (gradual rollout)
    Starting June 7, 2020, we are gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn’t include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely blocklist domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.
  • Performance improvements for Session Controls (gradual rollout)
    We’ve made significant network performance improvements to our proxy service. The improved service is even more streamlined and provides increased responsiveness when using session controls.
  • New risky activity detection: Unusual failed logon
    We’ve expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.
  • Enhanced table experience
    We’ve added the ability to resize table column widths so that you can widen or narrow columns to customize and improve the way you view tables. You also have the option to restore the original layout by selecting the table settings menu and choosing Default width.

Cloud App Security release 175

Released May 17, 2020

  • New Shadow IT Discovery integration with Corrata (preview)
    We’ve added native integration with Corrata providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Corrata.
  • New Cloud Discovery log parsers
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support Corrata and Cisco ASA with FirePOWER 6.4 log formats. For a list of supported log parsers, see Supported firewalls and proxies.
  • Enhanced dashboard (gradual rollout)
    As part of our ongoing improvements to the portal design, we are now gradually rolling out the improved Cloud App Security dashboard. The dashboard has been modernized based on your feedback and offers an enhanced user experience with updated content and data. For more information, see Gradual deployment of our enhanced dashboard.
  • Enhanced governance: Confirm User Compromised for anomaly detections
    We’ve expanded our current governance actions for anomaly policies to include Confirm User Compromised allowing you to proactively protect your environment from suspicious user activity. For more information, see Activity governance actions.

Cloud App Security release 173 and 174

Released April 26, 2020

  • New SIEM agent CEF format for alerts
    As part of our effort to enrich the alert information provided in the CEF files used by generic SIEM servers, we’ve extended the format to include the following client fields:

    • IPv4 address
    • IPv6 address
    • IP address location

      For more information, see CEF file format.

  • Enhanced detection logic: Impossible travel
    We’ve updated the detection logic for impossible travel to provide improved accuracy and reduced alert volume. For more information about this anomaly detection policy, see Impossible travel.

Cloud App Security release 172

Released April 5, 2020

  • Enhanced access and session controls with any IdP (preview)
    Access and session controls now support SAML apps configured with any identity provider. The public preview of this new feature is now gradually rolling out. To configure these controls, see the Deployment guide.
  • New bulk deanonymization of users and machines
    We’ve expanded and simplified the process of deanonymizing one or more users and machines under investigation. For more information about bulk deanonymization, see How data anonymization works.

Cloud App Security release 170 and 171

Released March 22, 2020

  • New anomaly detection: Unusual region for cloud resource (preview)
    We’ve expanded our current capability to detect anomalous behavior for AWS. The new detection is now available out-of-the-box and automatically enabled to alert you when a resource is created in an AWS region where the activity is not normally performed. Attackers often leverage an organization’s AWS credits to perform malicious activities such as crypto-mining. Detecting such anomalous behavior can help mitigate an attack.
  • New activity policy templates for Microsoft Teams
    Cloud App Security now provides the following new activity policy templates enabling you to detect potentially suspicious activities in Microsoft Teams:

    • Access level change (Teams): Alerts when a team’s access level is changed from private to public.
    • External user added (Teams): Alerts when an external user is added to a team.
    • Mass deletion (Teams): Alerts when a user deletes a large number of teams.
  • Azure Active Directory (Azure AD) Identity Protection Integration
    You can now control the severity of Azure AD Identity Protection alerts that are ingested into Cloud App Security. Additionally, if you haven’t already enabled the Azure AD Risky sign-in detection, the detection will be automatically enabled to ingest high severity alerts. For more information, see Azure Active Directory Identity Protection integration.

Cloud App Security release 169

Released March 1, 2020

  • New detection for Workday
    We’ve expanded our current anomalous behavior alerts for Workday. The new alerts include the following user geolocation detections:

  • Enhanced Salesforce log collection
    Cloud App Security now supports Salesforce’s hourly event log. Hourly event logs give you accelerated, near real-time monitoring of user activities. For more information, see Connect Salesforce.
  • Support for AWS security configuration using a master account
    Cloud App Security now supports using a master account. Connecting your master account allows you to receive security recommendations for all member accounts across all regions. For more information about connecting with a master account, see How to connect AWS Security configuration to Cloud App Security.
  • Session controls support for modern browsers
    Cloud App Security session controls now include support for the new Microsoft Edge browser based on Chromium. While we’ll continue supporting the most recent versions of Internet Explorer and the legacy version of Microsoft Edge, the support will be limited and we recommend using the new Microsoft Edge browser.

Cloud App Security release 165, 166, 167, and 168

Released February 16, 2020

  • New block unsanctioned apps with Microsoft Defender ATP
    Cloud App Security has extended its native integration with Microsoft Defender Advanced Threat Protection (ATP). You can now block access to apps marked as unsanctioned using Microsoft Defender ATP’s network protection capability. For more information, see Block access to unsanctioned cloud apps.
  • New OAuth app anomaly detection
    We’ve expanded our current capability to detect malicious OAuth app consent. The new detection is now available out-of-the-box and automatically enabled to alert you when a potentially malicious OAuth app is authorized in your environment. This detection leverages Microsoft security research and threat intelligence expertise to identify malicious apps.
  • Log collector updates
    The Docker-based log collector was enhanced with the following important updates:

    • Container OS version upgrade
    • Java security vulnerability patches
    • Syslog service upgrade
    • Stability and performance improvements

      We strongly recommend that you upgrade your environment to this new version. For more information, see Log collector deployment modes.

  • Support for ServiceNow New York
    Cloud App Security now supports the latest version (New York) of ServiceNow. To learn about securing ServiceNow, see Connect ServiceNow to Microsoft Cloud App Security.
  • Enhanced detection logic: Impossible travel
    We’ve updated the detection logic for impossible travel to provide enhanced coverage and better accuracy. As part of this update, we also updated the detection logic for impossible travel from corporate networks.
  • New threshold for activity policies
    We’ve added a threshold for activity policies to help you manage the volume of alerts. Policies that trigger a large volume of matches for several days are automatically disabled. If you receive a system alert about this, you should try refining policies by adding additional filters or, if you’re using policies for reporting purposes, consider saving them as queries instead.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
