Microsoft Defender ATP & Microsoft Cloud App Security Integration
Published Apr 15 2019 02:30 PM
Microsoft

Native support for the discovery of Shadow IT

One-click integration of Microsoft Cloud App Security with Microsoft Defender ATP

Overview

At RSA, the world’s largest cybersecurity conference, we announced the general availability of Microsoft Defender ATP’s integration with Microsoft Cloud App Security – a native integration that discovers the cloud apps used in your organization. This is the first step towards a seamless, zero-deployment, native cloud app security solution that works any time, anywhere. Read below to learn why we built it, how to enable it with a single click, what the new value and experience are, and how we plan to enhance these capabilities in the future.

Even if you are already using Microsoft Cloud App Security to monitor Shadow IT, the new integration provides additional value to the Discovery data.


Key Benefits

The short answer is “you get more for less”. There are four main advantages:

  • Agent-less cloud app discovery
  • Discovery beyond the corporate network
  • Machine-based investigation
  • Single-click enablement

As a native OS component, we strive to continuously add value for customers via the

Supported operating systems

  • Windows 10 1903 or later
  • Windows 10 1809 (KB 4482887)
  • Windows 10 1803 (KB 4489894)
  • Windows 10 1709 (KB 4489890)

Enabling the new integration

If you already have Microsoft Cloud App Security up and running in the same tenant as Microsoft Defender ATP, enabling the integration is a single click:

  1. Go to the Advanced Settings in the Windows Defender Security Center and enable the Microsoft Cloud App Security integration.

And you’re done. Microsoft Defender ATP will start sending the relevant log data to Microsoft Cloud App Security.

If you’re not using Microsoft Cloud App Security yet, start a trial to test this integration.

Image 1: 1-click enablement

Note! After enabling the integration, it takes some time for data collection to kick off and for data transit and processing to start. It takes a few minutes for the connected endpoints to start collecting and sending the required telemetry, and then up to 4 hours to process the first batches and build the report.

Deep insights into your organization’s cloud app usage

Once you’ve enabled the integration, navigate to the Cloud Discovery dashboard from the navigation pane in the Microsoft Cloud App Security portal. When you select the Win10 endpoint users report from the list of continuous reports, a new “Machines” tab is added to the dashboard.

Image 2: Cloud Discovery – Discovered apps view

Typical use cases

Discovery

With the Discovery capabilities in Microsoft Cloud App Security you get new insights into the existing cloud use in your organization, along with tools to evaluate risks and start governing existing Shadow IT. The image below depicts the typical lifecycle of managing the discovered apps in your organization.

Image 3: Shadow IT management lifecycle

The new machine view

By integrating with Microsoft Defender ATP, an additional Machines tab is added to the dashboard. It presents all the information on a per-machine basis rather than a per-user basis, so you can analyze the findings for specific machines and get granular insights into the apps accessed from them. In addition, all the data now also includes cloud apps that were accessed outside of the corporate network.

Image 4: Machine-based investigation in MCAS portal

Continue your investigation in Microsoft Defender ATP

If you find anything suspicious, such as a user having uploaded an unusually high amount of data to a risky app, you may want to continue your investigation in Microsoft Defender ATP and verify that the machine is not compromised. A single click on the Microsoft Defender ATP link in the upper-right corner takes you to the detailed machine page in Microsoft Defender ATP. There, in the machine timeline, you can investigate the root cause down to the process level and, if needed, to the ancestor processes, download origins, and so on.

What’s next

This native integration is another step towards a set of comprehensive, natively integrated security solutions across Microsoft 365. Building this endpoint-based CASB scenario as a seamless experience is a strategic decision to simplify your security and compliance processes.

Based on your feedback during our public preview, we backported this capability set to Windows 10 1709 to make it more broadly applicable. Update your clients to get it; the updated clients will then also be able to feed telemetry to Microsoft Cloud App Security.

In addition, we will continue to enhance the existing integration with additional capabilities:

  • Seamless enforcement of Microsoft Cloud App Security policies, such as the blocking of unsanctioned cloud apps
  • Enforcement statistics of policies sent from Microsoft Cloud App Security to the Microsoft Defender ATP agent
  • Support for non-Windows endpoints

More resources and feedback

Get started with a Microsoft Cloud App Security trial today

Check out this e-book to learn more about the integration between Microsoft Defender ATP and Microsoft Cloud App Security

Learn more about Microsoft Cloud App Security.

Technical documentation to get started.

Microsoft Cloud App Security licensing information.

As always, we’d love to hear your feedback. Please share your thoughts and feature suggestions!

Microsoft Defender ATP & Microsoft Cloud App Security Teams

Version history
Last update: Sep 29 2020 07:22 AM