Forum Discussion

Dan Michelson
Microsoft
Apr 14, 2019

MDATP & Cloud App Security Integration

Native support for the discovery of Shadow IT

One-click integration of Microsoft Cloud App Security with MDATP

Overview

At RSA, the world’s largest cybersecurity conference, we announced the general availability of Microsoft Defender ATP’s integration with Microsoft Cloud App Security – delivering a native integration to discover the cloud apps used in your organization. This is the first step towards enabling a seamless, zero deployment, native cloud app security solution that works anytime, anywhere. Read below to learn why we do it, how to enable it with a single click, what the new value and experience are and how we’re going to continue to enhance these capabilities in the future.

 

Even if you are already using Microsoft Cloud App Security to monitor Shadow IT, the new integration provides additional value to the Discovery data.

 

Key Benefits

The short answer is “you get more for less”. There are four main advantages:

  • Agent-less cloud app discovery
  • Discovery beyond the corporate network
  • Machine-based investigation
  • Single-click enablement

As a native OS component, we strive to continuously add value for customers via the

Supported operating systems

Windows 10 1903 or later; 1809 (KB 4482887); 1803 (KB 4489894); 1709 (KB 4489890)

Enabling the new integration

If you have Microsoft Cloud App Security up and running in the same tenant as MDATP, it’s down to a single click:

  1. Go to the Advanced Settings in the Windows Defender Security Center and enable the Microsoft Cloud App Security integration

And you’re done. Microsoft Defender ATP will start sending the relevant log data to Microsoft Cloud App Security.

If you’re not using Microsoft Cloud App Security yet, start a trial to test this integration.

Image 1: 1-click enablement

 

Note! After enabling the integration, it takes some time for the data collection to kick off and for data transit and processing to start. It will take a few minutes for the connected endpoints to start collecting and sending the desired telemetry and then up to 4 hours to process the first batches and build the report.

Deep insights into your organization’s cloud app usage

Once you’ve enabled the integration, navigate to the Cloud Discovery dashboard from the navigation pane in the Microsoft Cloud App Security portal. Once you select the Win10 endpoint users report from the list of continuous reports, a new “Machines” tab is added to the dashboard.

Image 2: Cloud Discovery – Discovered apps view

Typical use cases

Discovery

With the Discovery capabilities in Microsoft Cloud App Security you get new insights into the existing cloud use in your organization and tools to evaluate risks and start governing existing Shadow IT. Image 1 depicts the typical lifecycle of managing the discovered apps in your organization.

Image 3: Shadow IT management lifecycle

The new machine view

By integrating with Microsoft Defender ATP, an additional Machines tab is added to the dashboard. This provides all the information on a per-machine basis, rather than on a per-user basis. This allows you to analyze the findings on a machine basis to get granular insights into the apps accessed from specific machines. In addition, all the data now also includes information on cloud apps that were accessed outside of the corporate network.

Image 4: Machine-based investigation in MCAS portal

 

Continue your investigation in Microsoft Defender ATP

If you find anything suspicious, such as a user having uploaded unusually high amounts of data to a risky app, you may want to continue your investigation in Microsoft Defender ATP and ensure that the machine is not compromised. A single click (on the Microsoft Defender ATP link at the upper right) will take you to the detailed machine page of MDATP. There, in the machine timeline, you can investigate the root cause down to the process level and, if needed, even to the ancestor processes, download origins, etc.

 

 

What’s next

This native integration is another step towards creating a set of comprehensive, natively integrated security solutions across Microsoft 365. Building this endpoint-based CASB scenario to play together in a seamless experience is a strategic decision to simplify your security and compliance processes.

Based on your feedback during our public preview, we backported this capability set to Windows 10 1709 to make it more broadly applicable. Update your clients to have it. The updated clients will then also be able to feed telemetry to Microsoft Cloud App Security.

In addition, we will continue to enhance the existing integration with additional capabilities:

  • Seamless enforcement of Microsoft Cloud App Security policies, such as the blocking of unsanctioned cloud apps
  • Enforcement statistics of policies sent from Microsoft Cloud App Security to the Microsoft Defender ATP agent
  • Support for non-Windows endpoints

More resources and feedback

Get started with a Microsoft Cloud App Security trial today

Check out this e-book to learn more about the integration between Microsoft Defender ATP and Microsoft Cloud App Security

Learn more about Microsoft Cloud App Security.

Technical documentation to get started.

Microsoft Cloud App Security licensing information.

As always, we’d love to hear your feedback. Please share your thoughts and feature suggestions!

 

Microsoft Defender ATP & Microsoft Cloud App Security Teams

 

  • Sentry23
    Copper Contributor

    Dan Michelson Was support recently extended for older Win 10 versions? Previously only 1809 was supported for this. It would be great if that's the case :)

     

    One minor point of the integration to me is that previously CASB data was all obfuscated and required a privacy officer to approve de-obfuscation of username/machine name, but right now it is just a single click to the defender portal link to get all that data from there without any approval. It can be solved by strong segregation of duties, but I think this might require some extra approval step to get to the defender portal.

    • Dan Michelson
      Microsoft
      Yes. It is supported from 1709. Please read the supported OS section in the blog. We detail there the exact KBs. We'd love to get your feedback.
  • Tsantana
    Copper Contributor

    Hi Dan Michelson, Thanks for your post. We love MDATP & CASI! We have been using it for almost 2 months now.

    However, last week, the Discovery Dashboard disappeared. It looks like the Windows 10 endpoints are still reporting the data as we can see it in the alerts, but the "continues upload" area is no longer available. As a troubleshooting step, we disabled the integration with MDATP for a day and then enabled it back 4 days ago, but we are still unable to see the discovery dashboard. Any ideas?

     

    Thanks in advance for your help!

     

  • AlexMags
    Copper Contributor

    Hi Dan Michelson. Is MDATP integration with MCAS still not supported with proxies?

    "If the endpoint device is behind a forward proxy, traffic data will not be visible to Microsoft Defender ATP and hence will not be included in Cloud Discovery reports"

    https://docs.microsoft.com/en-us/cloud-app-security/wdatp-integration#how-to-integrate-microsoft-defender-atp-with-cloud-app-security

    We have MDATP deployed, network protection in audit mode enabled, MCAS integration enabled. We don't see any traffic to some known cloud apps this way. Though the apps do appear in MDATP Advanced Hunting, they don't make it to MCAS.

    In parallel we have some proxy log forwarding. The apps that MDATP doesn't forward to MCAS appear via MCAS log collector. The integration seems unreliable when there are proxies. The data is in MDATP but it's not forwarded to MCAS correctly.
