In this series, I’ll be covering the Microsoft Secure Score improvement actions. Although Microsoft does a good job of telling you what to do, some actions have a much bigger impact than others and need to be balanced against business needs. Some actions might not even have value for your organization. In the end, Microsoft Secure Score is meant to strengthen your security; it is not a contest to reach the highest score possible. Throughout the series, I’ll pick out random actions and try to explain them as simply as possible, backed with notes from the field.
Articles in this series can be read separately since they are written in random order. The articles vary in impact and complexity and cover multiple categories. Here is a list of all the articles in this series:
01 – What is Microsoft Secure Score?
02 – Require MFA for administrative roles
03 – Enable Password Hash Sync if hybrid
04 – Ensure all users can complete multi-factor authentication for secure access
05 – Enable self-service password reset
06 – Enable policy to block legacy authentication
07 – Turn on sign-in risk policy
08 – Use Cloud App Security to detect anomalous behavior
09 – Do not allow users to grant consent to unmanaged applications
10 – Discover trends in shadow IT application usage
12 – Turn on customer lockbox feature
13 – Set automated notifications for new and trending cloud applications in your organization
14 – Designate more than one global admin
Set automated notifications for new and trending cloud applications in your organization
With Cloud Discovery policies, you can set alerts that notify you when new apps are detected within your organization.
And again, we’re back at Cloud App Security. Earlier I showed how MCAS can help you discover shadow IT in your organization by ingesting your firewall and proxy log files. Today, we take a look at the app discovery policies that are available. If you are new to Cloud App Discovery, I suggest you read my previous blog first.
What are App discovery policies?
App discovery policies alert you when a new app starts being used by your users, or when an app’s usage meets conditions you specify. Anomalies in usage can be detected as well, with a separate policy type covered further down. There are a lot of templates available to get you started, but you can also build a policy from scratch.
I’ve selected some random templates that you can pick from to give you an idea:
- Alert on any new app
- Alert on a new CRM or HR application
- Alert on a risky app
- Alert on a new online meeting app
- Alert on a popular app
Let’s say that a company implemented Microsoft Teams for online meetings. At some point, the users start using Zoom instead, because they like some of its features better. (What can I say?) Using app discovery alerts, the company becomes aware of this behaviour early and can decide how to respond, for example by tagging the app as unsanctioned.
Create an app discovery policy
Head over to your Cloud App Security Portal and create a new policy. Pick the App discovery policy.
You can select one of the templates, or select no template to build your own policy. In this example, I’ll pick New high upload volume app.
Select Apply template to load the pre-configured settings. If you are using an existing policy, all values will be replaced with the template.
- 1. You can adjust the name of the policy to make it easy to recognize.
- 2. Select the policy severity
- 3. If needed, add some description to clarify the purpose of the policy
- 4. You can add additional specifications, for example to only alert on cloud storage apps.
- 5. Select the report that the policy applies to. In this example, we are selecting the continuous reports that we created in the previous blog.
- 6. You can adjust the amount of uploaded data that triggers the alert. You can also add extra conditions, such as the number of IP addresses, machines, or users involved.
Once you specified the parameters, you can configure the alert action. You can kick off a Power Automate playbook or send an alert by email or text message.
Additionally, you can take governance actions. For example, you can tag the application to trigger other policies within Cloud App Security. Custom tags can be created in the Settings pane.
Cloud Discovery anomaly detection policy
You can also detect anomalies in the usage of cloud apps. This lets you configure alerts when usage spikes well above the regular baseline for a user or IP address.
Add a new policy, and pick the Cloud Discovery anomaly detection policy. Again, you can pick a template to get you started or create your own policy.
Optionally, define the scope of the alerts by selecting specific apps, app categories, or a risk score, for example.
You can pick from all the continuous reports and select either or both Users and IP addresses. You can also ignore alerts before a specific date and adjust the sensitivity of the alerts, from 1 to 5 alerts per 1000 users or IP addresses. Alerts are raised for the activities with the highest risk.
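To make the two policy types concrete, here is an added illustration (not code from this blog, and not MCAS’s own implementation) that models both the conditions of the "New high upload volume app" template from the steps above (new app, category, upload threshold, extra conditions on users and IP addresses) and the anomaly detection policy described in this section, run over a constructed sample of discovery records. The field names, thresholds and the mean-plus-standard-deviation baseline are assumptions for the sake of the example; MCAS does not publish its anomaly detection algorithm.

```python
"""Toy evaluator for the two Cloud Discovery policy types discussed above.

Added illustration, not MCAS's own code: it models the policy conditions over a
constructed sample of discovery records (app, category, user, IP, upload bytes
per day), the kind of data MCAS derives from uploaded firewall/proxy logs.
Field names, thresholds and the z-score baseline are assumptions; MCAS does not
publish its anomaly detection algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Record:
    day: date
    app: str
    category: str
    user: str
    ip: str
    upload_bytes: int


def _build_sample():
    """Constructed sample data (not real traffic)."""
    rows = []
    # 40 days of routine OneDrive use by alice, 100-110 MB per day.
    for i in range(40):
        rows.append(Record(date(2021, 2, 1) + timedelta(days=i), "OneDrive",
                           "Cloud storage", "alice", "10.0.0.5",
                           100_000_000 + (i % 3) * 5_000_000))
    # Then a 5 GB upload on the last day, far above her baseline.
    rows.append(Record(date(2021, 3, 31), "OneDrive", "Cloud storage",
                       "alice", "10.0.0.5", 5_000_000_000))
    # Dropbox shows up for the first time on 25 March: three users, three IPs, 1 GB each.
    for i, (user, ip) in enumerate([("bob", "10.0.0.7"), ("carol", "10.0.0.8"),
                                    ("dave", "10.0.0.9")]):
        rows.append(Record(date(2021, 3, 25) + timedelta(days=i), "Dropbox",
                           "Cloud storage", user, ip, 1_000_000_000))
    # Zoom appears on 20 March but carries little upload traffic.
    rows.append(Record(date(2021, 3, 20), "Zoom", "Online meetings",
                       "erin", "10.0.0.10", 20_000_000))
    return rows


SAMPLE = _build_sample()
AS_OF = date(2021, 3, 31)         # "today" for the new-app check
BASELINE_END = date(2021, 3, 30)  # days up to here form the anomaly baseline


def new_high_upload_apps(records, as_of, new_within_days=30, category=None,
                         min_upload_bytes=0, min_users=1, min_ips=1):
    """Model the 'New high upload volume app' template.

    Returns apps first seen within `new_within_days` whose total upload meets
    `min_upload_bytes`, optionally restricted to one category and to a minimum
    number of distinct users and IP addresses (the extra conditions in step 6).
    With the defaults it behaves like the 'Alert on any new app' template.
    """
    first_seen, categories = {}, {}
    upload, users, ips = defaultdict(int), defaultdict(set), defaultdict(set)
    for r in records:
        first_seen[r.app] = min(first_seen.get(r.app, r.day), r.day)
        categories[r.app] = r.category
        upload[r.app] += r.upload_bytes
        users[r.app].add(r.user)
        ips[r.app].add(r.ip)
    hits = []
    for app in upload:
        if (as_of - first_seen[app]).days > new_within_days:
            continue  # not new
        if category and categories[app] != category:
            continue
        if upload[app] < min_upload_bytes:
            continue
        if len(users[app]) < min_users or len(ips[app]) < min_ips:
            continue
        hits.append(app)
    return sorted(hits)


def usage_anomalies(records, baseline_end, z=3.0, min_baseline_days=5):
    """Model a Cloud Discovery anomaly detection policy scoped to users.

    For each (app, user) pair, daily upload after `baseline_end` is compared to
    the mean and standard deviation of that pair's earlier days; a day more than
    `z` standard deviations above the mean is reported. Pairs with too few
    baseline days are skipped, since no meaningful baseline exists yet.
    """
    daily = defaultdict(lambda: defaultdict(int))  # (app, user) -> day -> bytes
    for r in records:
        daily[(r.app, r.user)][r.day] += r.upload_bytes
    anomalies = []
    for (app, user), per_day in daily.items():
        base = [b for d, b in per_day.items() if d <= baseline_end]
        if len(base) < min_baseline_days:
            continue
        threshold = mean(base) + z * max(pstdev(base), 1.0)  # guard a flat baseline
        for d, b in sorted(per_day.items()):
            if d > baseline_end and b > threshold:
                anomalies.append((app, user, d.isoformat(), b))
    return anomalies


if __name__ == "__main__":
    print("cloud storage apps, >1 GB, 2+ users:",
          new_high_upload_apps(SAMPLE, AS_OF, category="Cloud storage",
                               min_upload_bytes=1_000_000_000, min_users=2))
    print("any new app:", new_high_upload_apps(SAMPLE, AS_OF))
    print("usage anomalies:", usage_anomalies(SAMPLE, BASELINE_END))
```

On the sample, the cloud storage filter with a 1 GB threshold and at least two users flags only Dropbox (OneDrive is not new, Zoom is the wrong category and too small), the template with no conditions flags both Dropbox and Zoom, and the anomaly check reports only alice’s 5 GB OneDrive day. The `min_baseline_days` guard is the counterpart of the "ignore alerts before a specific date" option: a user seen for the first time has no baseline to deviate from, so raising an anomaly for them would only produce noise.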
Wrap up
Cloud App Security is a great tool to stay on top of your applications and also discover trends among your users. Besides discovering shadow IT, MCAS is capable of a lot more. Please also read my other MCAS related blogs to learn about the other capabilities, or stay tuned for future blogs on this topic.
For more information about App discovery and alerts, see the following documentation:
- https://docs.microsoft.com/en-us/cloud-app-security/cloud-discovery-policies
- https://docs.microsoft.com/en-us/cloud-app-security/cloud-discovery-anomaly-detection-policy
If you have any questions, please drop your comment below.
Stay safe!