Defender for Cloud App connectors

An important piece of the security puzzle is to ensure that everything you have access to is enabled and configured fully. If you have any version of Defender for Cloud Apps, you should verify that the signals from Microsoft 365 are actually feeding into it.

To verify or enable this connection fully navigate to:

https://security.microsoft.com

image

Open the Settings option from the menu on the left. From the options that appear on the right select Cloud Apps as shown above.

image

Then under the Connected Apps heading select App connectors as shown above. Ensure that connectors for Microsoft 365 and Microsoft Azure appear. If they don’t, you can add them with the Connect an app option on the menu.

image

To verify that the Microsoft 365 connector is fully enabled, locate the ellipsis (three dots) on the right-hand side of this connector and select it as shown above.

From the menu that appears select Edit Settings.

image

Ensure all the settings available to you are enabled as shown. Select the Connect to Office 365 button at the bottom of the dialog to save your settings and continue.

There is no additional cost to enabling these options, and once they are enabled you are able to monitor, audit and capture the logs for:

– Azure AD Users and Groups

– Azure AD Management events

– Azure AD Sign-in events

– Azure AD Apps

– Office 365 Activities

– Office 365 files

all thanks to Defender for Cloud apps.

Monitoring a break glass account with Defender for Cloud Apps

It is a very good thing to have a breakglass account in your environment. I have spoken about this in depth in an episode of my podcast:

Need to Know podcast – Episode 310

The challenge is ensuring you know if and when this account is used, because it typically has fewer protections than normal accounts in the environment (break glass accounts are usually excluded from Conditional Access and MFA policies so they still work when those controls fail).

One way to achieve this is to use Defender for Cloud Apps to generate an alert whenever the account logs into the environment. It can be found by navigating to:

https://security.microsoft.com

image

On the left hand menu of the Microsoft Security Center for your tenant expand the Policies option under the Cloud apps heading, and select the Policy management item.

Now select the +Create policy menu item on the right as shown above.

image

From the drop down that appears, select Activity policy as shown above.

image

Give the new policy a Name and Description. Select the Policy severity and the Category.

Select the option to Act on: Single activity.

In the Activities matching all of the following select:

Activity Type equals Log on

then add another filter and select:

User Name equals breakglassaccount@domain.com as Any role

as shown above. In essence, this will trigger an alert whenever the breakglass account logs into the environment.

image

Configure the Alerts and Governance actions to suit your requirements. At a minimum you probably want the alert to be emailed to an external address, so that it still reaches someone if the tenant itself is the problem. You can also build a Power Automate Flow from this if you wish.

Save the new policy.

image

Locate the policy just created in the list (you can sort using the Modified column if necessary). Select the ellipsis (three dots) to the right of the policy entry and from the menu that appears, select View all matches as shown above.

Ensure you test the policy by logging into your breakglass account.

image

This will now show all the matches in your environment as shown above. It is also recommended that you use Save as so you can easily return to these results in the Activity log if needed.

image

If you have also set up Sentinel, the alert should also flow into here as shown above. More automation and alert options are available here if needed.

The most important thing to remember is that any alert generated by the login of your breakglass account will NOT be immediate! It should, however, appear within a few minutes of the action taking place, and a little while after that in Sentinel as it flows through the logging pipeline. Test the policy before you rely on it, and note how long the alert actually took to arrive in your tenant.
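If your sign-in logs are also streamed to Sentinel, the same match that the activity policy above performs (Activity Type equals Log on, User Name equals the breakglass account) can be expressed as a KQL query and used as a scheduled analytics rule, which gives you a second, independent alert path. The query below is an added example and is not part of the original post or of Defender for Cloud Apps itself. It assumes the Azure AD diagnostic setting is sending SigninLogs to the Sentinel workspace; the account name and the 10-minute lookback are placeholders to replace with your own values.

```kql
// Added example, not from the original post: Sentinel query mirroring the
// Defender for Cloud Apps activity policy (Log on by the breakglass account).
// Assumes SigninLogs is being ingested; UPN and lookback are placeholders.
let BreakGlassAccounts = dynamic(["breakglassaccount@domain.com"]);
let lookback = 10m;
SigninLogs
| where TimeGenerated > ago(lookback)
// in~ is case-insensitive: UPNs are not consistently cased in sign-in logs
| where UserPrincipalName in~ (BreakGlassAccounts)
// Keep failures as well as successes: a breakglass account should almost
// never be used, so a failed attempt is just as interesting as a success
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")"))
// Difference between event time and ingestion time shows the delay the post
// warns about; use it to set a realistic rule frequency and lookback
| extend IngestDelayMinutes = datetime_diff("minute", ingestion_time(), TimeGenerated)
| project TimeGenerated, UserPrincipalName, Outcome, IPAddress, AppDisplayName,
          ConditionalAccessStatus, AuthenticationRequirement,
          Location = strcat(tostring(LocationDetails.city), ", ", tostring(LocationDetails.countryOrRegion)),
          IngestDelayMinutes
| order by TimeGenerated desc
```

When turning this into an analytics rule, run it more often than the lookback window (for example every 5 minutes with a 10-minute lookback) so that an event delayed in ingestion is not missed, and keep the Defender for Cloud Apps policy in place as well: the two alert paths have different delays and different failure modes.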

There is more that can be done with this process, but this should get you started protecting your breakglass account.

CIAOPS Need to Know Microsoft 365 Webinar – April

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Microsoft Defender for Cloud Apps.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

April Webinar Registrations

(If you are having issues with the above link, copy and paste – https://bit.ly/n2k2304)

The details are:

CIAOPS Need to Know Webinar – April 2023
Friday 28th of April 2023
11.00am – 12.00pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 294

Happy holidays everyone. Hope you are all enjoying the festive season. A few updates from Microsoft including the availability of Teams Premium, plus an editorial on industry burnout. I’m seeing more and more IT Professionals becoming burnt out and feeling lost. At this time of the year take some time to look forward and decide whether it is time for a change. Also, don’t be afraid to reach out and share with others what you’re feeling. If anyone wants to chat feel free to reach out in total confidence via director@ciaops.com.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-294-defender-for-cloud-apps/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

YouTube edition of this podcast

Azure Storage Mover–A managed migration service for Azure Storage

Attack Simulation Training: New insights into targeted user behavior

Manage your multi-cloud identity infrastructure with Microsoft Entra

Disconnected environments, proxies and Microsoft Defender for Endpoint

What’s New in Microsoft Teams | December 2022

SharePoint Roadmap Pitstop: December 2022

Cloud App Discovery/Security

What are the differences in discovery capabilities for Microsoft Defender for Cloud Apps and Cloud App Discovery?

Get started with Microsoft Defender for Cloud Apps