Cloud App Discovery with MCAS & MDE for Shadow IT monitoring and integration with Azure Sentinel
Cloud discovery is one of the most interesting functions available with the Cloud App Discovery product. With Cloud Discovery, organizations will get insights into the application events and activities and most important the “Shadow IT” part of the network.
Cloud App Security and Defender for Endpoint can be combined to share the logic from each product. Based on the current work environments more and more toolings are cloud-based, for the AzureAD or other identity managed apps not a real issue. The biggest risk is available with the Shadow IT/ unmanaged IT applications and data leaks out from the organization. Following some study’s 80% of employees use unauthorized cloud applications. In many cases, IT management has lost track and therefore the ability to control the data. New apps are launched on the market almost daily, meaning that restrictions are only a small solution against shadow IT.
Microsoft Cloud App Security (MCAS) can detect multiple activities for the Shadow IT view. In this blog the explanation of the integration with Defender for Endpoint and Cloud App Discovery for getting the Shadow IT data directly from Cloud App Security and integrate the data with Azure Sentinel.
What is cloud discovery?
Cloud Discovery, which is one of the MCAS features, helps organizations to identify application and user activities, traffic, and usage hours for each application. For example the default storage app is OneDrive, with Cloud discovery it is possible to detect and block other cloud storage apps like Dropbox, Box and more.
The Defender for Endpoint and Cloud App Discovery integration is quite easy to enable when matching all their requirements. Quickly you need to enable in both products the integration. More detailed steps later during the blog.
First, the needed requirements which are needed for the Cloud App Discovery functionality.
- Microsoft Cloud App Security license available ( note: Azure Active Directory P1 is not enough)
- Defender for Endpoint license available
- Supported Windows 10 OS
- Windows 10 1709 with KB4493441
- Windows 10 1803 with KB4493464
- Windows 10 1809 with KB4489899
- All versions above 1809
- Defender for Endpoint onboarding completed
- Real-time protection enabled
- Cloud-delivery protection enabled
- Network protection configured
Continuous reports give the option to import app events into Cloud App Security. Based on this blog we have the focus on Defender for Endpoint. Nice to know, more integrations are available with Log Collectors, Secure Web Gateway support – such as Zscaler.
Enable the integration in MDE & MCAS
Defender for Endpoint integrates with Microsoft Cloud App Security with the Defender for Endpoint agent. Cloud App Security uses the traffic information collected by Microsoft Defender for Endpoint (MDE). The native integrations work on each Windows 10 machine in different network environments ( public, Wi-Fi, remote access, or any other connection method)
Defender for Endpoint
First, enable the MCAS integration from the Defender for Endpoint portal. For enabling the feature – follow the steps below:
- Go to security.microsoft.com
- Open settings – Endpoints
- Click on advanced features
- Enable the Microsoft Cloud App Security feature
Custom network indicator feature
For the actions, it is needed to enable the Custom network indicators feature. With the custom network indicator, it is possible to block connections to IP addresses, domains, or URLs.
Go to the same MDE portal, and enable the Custom network indicators feature.
For the network indicator feature devices must be running Windows 10 version 1709 or later. The feature requires Defender for Endpoint version 4.18.1906.3 or higher.
Microsoft Cloud App Security
In the Microsoft Cloud App Security portal, the settings are visible for configuring the response actions from MCAS. The Microsoft Defender for Endpoint integration can be done later if needed.
Note: Once the integration is done in both products, each app marked as unsanctioned will be added to the MDE custom indicators list. With network protection feature on block – each URL indicator will be blocked on the device.
For enabling the integration:
- Go to the MCAS portal
- Open Settings
In the setting view open the Microsoft Defender for Endpoint setting and enable the Microsoft Defender for Endpoint integration with the check-box Enforce app access.
Cloud Discovery In Cloud App Security
Let’s have a look at how it looks on the MCAS side after enabling the connector. After some time the first data is collected from the endpoints. For the first view – go to Cloud App Security and select Discover – Cloud Discovery dashboard. Now the Win10 Endpoint Users Continuous report is visible at the right top of the dashboard.
Based on the data all the discovered apps information is visible.
With the Win10 Endpoint user discovery – the app Dropbox is detected. For checking the cloud app usage click on the tab: Cloud App usage.
With the result – visible in the cloud app usage and data uploads from the local systems to Dropbox. More detailed information will follow in one of the next blogs.
Azure Sentinel data connector
Azure Sentinel gives a built-in data connector for Cloud App Security. With the Cloud App Security data connector, you can ingest alerts and discovery data to Log Analytics. Part of Sentinel is the built-in Microsoft Cloud App Security dashboard for visualizing the data.
Connect MCAS with Sentinel
Before connecting MCAS with Azure Sentinel it is required to enable the integration from MCAS.
- Go to Cloud App Security Portal
- Click on Settings -> Security extensions
- Now click on the SIEM agents tab and choose the option Azure Sentinel
- Now during the wizard enable the data types for Alerts and Discovery Logs. If needed custom filters can be created to filter the exported data.
Connect Azure Sentinel with MCAS
Connecting Cloud App Security from Sentinel is possible with the built-in connector. For enabling the connector use the following steps:
- Go to Azure Sentinel
- Click on Data connectors
- Search for Microsoft Cloud App Security
- Now open the connector page and connect the Microsoft Cloud App Security instance into Azure Sentinel with the button Connect.
- Enable the Alerts and optional the Cloud Discovery Logs
For checking the data event collection. Use Some basic KQL query’s for the SecurityAlert and McasShadowItReporting data tables.
All security alerts with the product Cloud App Security
SecurityAlert | where ProductName == “Microsoft Cloud App Security” | summarize arg_max(TimeGenerated, *) by SystemAlertId
| sort by TimeGenerated
All Cloud APp Security Shadow IT Reporting logs
| sort by TimeGenerated
Azure Sentinel workbook
Based on the Azure Sentinel Cloud App Security data connector you can use the data. When data has been ingested in the Log Analytics workspace – you can use the built-in MCAS workbook in Azure Sentinel for visualizing the application usage in the environment.
For using the built-in workbook:
- Go to Azure Sentinel
- Click on Workbooks
- Click on Templates and search for Microsoft Cloud App Security
- Now click on the Microsoft Cloud App Security – discovery logs template
- Save the workbook
Azure Sentinel MCAS Analytics rule
The next step with all the connections active is sending the alerts/ incidents directly to Azure Sentinel. For the incident creation – enable the analytics rule or use the Microsoft 365 preview connector.
For creating the MCAS analytics rule in Azure Sentinel go to the Sentinel instance and open Analytics. Now search for the rule template with the name: Create incidents based on Microsoft Cloud App Security alerts and click on Create rule
If needed optimize the rule logic with custom filtering or include, exclude specific alerts. Tip: Rod Trent posted some time ago a blog with some advice for the MCAS alert exclusion. Recommended is to exclude the following alerts:
- System alerts
In this blog, I have covered how you can collect information to control Shadow IT management. With the Cloud App Security tool more actions are possible, like block apps based on the indicators and the application flow with automated actions. See the following blogs for more reputation based block actions with MCAS, MDE & Endpoint Manager: Block low reputation apps or newly detected cloud apps with Microsoft Defender for Endpoint, MCAS and Endpoint Manager
More details in the next blogs about interesting features. For more information about MCAS, the blog from Sami Lamppu is highly recommended.