Evaluating SaaS applications using Defender for Cloud Apps

Recently, there has been much talk and gnashing of teeth over what to do about the recent LastPass breach. There is plenty of chatter about wanting to make a change and much discussion about what to actually change to.

As a LastPass customer I’m starting the evaluation process myself, and a handy tool I found to help with the decision is Microsoft Defender for Cloud Apps (i.e. the old MCAS).

image

If you go into the Discover menu, you’ll find a Cloud app catalog option as shown above.

image

Enter the name of the app you wish to search for and hit Enter.

image

That should give you a page full of information like that shown above, which you can drill into if you want more details.

Of course, this information should only be part of your evaluation but it does provide a lot in one place for you to reference.

Defender for Office 365 automated investigations


A while ago I wrote an article:

Improved security is a shared responsibility

in which I encouraged the use of the Report Message add-in for Outlook.

What you may not realise about this add-in is that not only does it provide a centralised method to manage submissions per:

Providing feedback on user reported messages

but user reported messages also trigger an automated investigation:

What alert policies trigger automated investigations?

A security administrator can also manually trigger an investigation by using the Threat Explorer per:

Example: A security administrator triggers an investigation from Threat Explorer

If you want to better understand what Automated investigation and response (AIR) is and does, have a look at:

AIR in Microsoft Defender for Office 365

This triggering of an automated investigation simply by using the Report Message add-in is another easy way to leverage the security tools that Defender for Office 365 provides and reduce administration workload.


CIAOPS Need to Know Microsoft 365 Webinar – January


Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Defender for Business.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

January Webinar Registrations

(If you are having issues with the above link, copy and paste https://bit.ly/n2k2301)

The details are:

CIAOPS Need to Know Webinar – January 2023
Friday 27th of January 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Go get Defender EASM

As the MS documentation says:

Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure.

Basically you plug in your resources like:

  • Domains

  • Hostnames

  • Web Pages

  • IP Blocks

  • IP Addresses

  • ASNs

  • SSL Certificates

  • WHOIS Contacts

Defender EASM will then use these as a ‘seed’ to search through public information and report back.

Screenshot of Overview Dashboard

You’ll then discover not only whether you have any vulnerabilities in things like routers, web sites, etc., but probably also a whole swag of information that you didn’t know was out there.

In short, Defender EASM acts as a kind of scheduled ‘penetration test’ for your environment, which I think is super handy.

image

As you can see above, it ain’t very expensive either! To me that makes it a no-brainer. In my environment I have 40 odd discovered assets, making the cost 64 cents a day and just over $19 per month! Peanuts for what it provides. Best of all, you also get a free 30-day trial to see what it is all about.

Like Microsoft Sentinel back in the day, it is still early days for this service and I expect it to improve rapidly, so now is the time to jump on board and start using it to get a feel for what it is all about. I certainly have, and I encourage you to do the same.

Microsoft has documentation here:

Defender EASM Overview

if you want to read more.

Custom web filtering for Microsoft Defender for Endpoint

In a recent post I showed how you can enable web filtering with Defender for Endpoint using the built in blocked categories method.

Enabling web filtering with Microsoft Defender for Endpoint

The limits of this approach are that you can only use the categories that have been provided (i.e. Adult content, High bandwidth, Legal liability, Leisure and Uncategorized). An interesting omission, in my opinion, is the ability to block social networking (i.e. Twitter, Facebook, etc).

You can achieve custom web filtering with Microsoft Defender for Endpoint if you wish using the custom indicator approach.

image

You’ll first need to ensure that custom network indicators have been enabled in your environment. You do this by navigating to https://security.microsoft.com, scrolling down the list on the left-hand side until you locate Settings, then selecting Endpoints.

image

From the menu that now appears, select Advanced features. Ensure that the Custom network indicators option is turned on as shown. Don’t forget to save any changes with the Save preferences button at the bottom of the page.

image

To enable a custom indicator, navigate to https://security.microsoft.com, scroll down the list on the left-hand side until you locate Settings, then select Indicators. On the right you can create an indicator as File hash, IP address, URL or Certificate. In this case, select URLs/Domains. Then select the option to Add item.

image

Enter the URL you wish to block and select whether you want an expiry date for this indicator. Unfortunately, you can’t use wildcard characters here; it must be the direct URL. Press the Next button to continue.

image

Select the action you wish to take (Allow, Audit, Warn, Block execution). It is also recommended that you select the Generate Alert option so that information can be shared with other applications such as Azure Sentinel, which I’ll cover in an upcoming article. Also, give the alert a descriptive title (I suggest you mention the particular web site you are blocking here). Scroll down the page to continue.

image

Enter the Alert severity, Category as well as the Recommended actions and a Description as shown above. Press the Next button at the bottom of the page when complete.

image

View the summary that is now displayed and press the Save button at the bottom of the screen.

image

You should see your entry listed as shown above. You can edit this by simply clicking on it. You can also delete the indicator once you have opened it for editing.

Also note the Import menu option that allows you to import a list of items from a CSV file.

Now according to the Microsoft documentation:

Create indicators for IPs and URLs/domains

– Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

– URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode.

– Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022

– Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.

– If there are conflicting URL indicator policies, the longer path is applied. That is, the more specific path.

– Only single IP addresses are supported (no CIDR blocks or IP ranges).

– Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

– Encrypted URLs (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

– Full URL path blocks can be applied on the domain level and all unencrypted URLs

– There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. My personal experience is around 45 minutes.
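To make the input restrictions and the conflict rule above concrete, here is an added Python example (not code from this post or from Microsoft) that models them offline: `validate` rejects the entry shapes the documentation rules out (wildcards, CIDR blocks, internal IPs), and `effective_action` applies the longest-path rule to a constructed indicator list. The matching logic is my reconstruction of the documented behaviour, not the product’s own code, and the example.com entries are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Indicator:
    value: str   # URL, domain or single IP exactly as typed into the portal
    action: str  # Allow, Audit, Warn or Block

def validate(ind: Indicator) -> Optional[str]:
    """Return why the entry would be rejected, or None if it passes the documented rules."""
    v = ind.value.strip()
    if "*" in v:
        return "wildcards are not supported; enter the exact URL or domain"
    if "/" in v and "://" not in v and v.split("/", 1)[0].replace(".", "").isdigit():
        return "CIDR blocks and IP ranges are not supported"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return None  # a URL or domain; nothing further to check here
    if not ip.is_global:
        return "only external IPs can be added as indicators"
    return None

def _host_path(value: str):
    # Split an indicator or URL into (host, path); a bare domain has an empty path
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")

def effective_action(url: str, indicators: List[Indicator]) -> Optional[str]:
    """Resolve conflicting URL indicators the documented way: the longest path wins."""
    host, path = _host_path(url)
    best, best_len = None, -1
    for ind in indicators:
        ihost, ipath = _host_path(ind.value)
        if ihost != host:
            continue
        # A domain-level indicator (empty path) covers every path on that host
        if ipath == "" or path == ipath or path.startswith(ipath + "/"):
            if len(ipath) > best_len:
                best, best_len = ind.action, len(ipath)
    return best

# Constructed sample list: domain-level Warn, a blocked section, an allowed sub-section
SAMPLE = [
    Indicator("www.example.com", "Warn"),
    Indicator("www.example.com/news", "Block"),
    Indicator("https://www.example.com/news/sport", "Allow"),
]
```

Run `validate` over a candidate list before the portal rejects entries one at a time, and use `effective_action` to confirm which indicator a given URL will actually hit when several overlap.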

image

Enforced result on Edge. If you use a third-party browser and the site is encrypted (i.e. uses HTTPS), a full URL path block will not be enforced, as mentioned above.

Adding indicators using the web portal, and even importing them using a CSV, is somewhat time consuming and cumbersome, especially if you have a standard set you wish to block. I’ll show you how to add indicators using a script and API calls in an upcoming post, so stay tuned for that.

Remember that you can use these indicators not only to block but also to warn and audit if you wish. You can also have a number of different indicators and types. I’d also recommend you take a look at this article from Microsoft:

Best practices for optimizing custom indicators

when you start creating these custom indicators.

Incident overview with Defender for Business

https://www.youtube.com/watch?v=vTPXei_0l6k

When incidents occur on device endpoints you can view and manage them using the Defender for Endpoint tools in the Microsoft 365 Security Center. This video provides an overview of what happens when incidents are created and how to view their details and manage them from the administration console.

You will find the PowerShell scripts used to generate the device incidents here – https://github.com/directorcia/office365