Microsoft Defender for Cloud Apps experiences are now part of Microsoft 365 Defender

Published Jun 23 2022 01:31 PM 2,844 Views

We’re excited to announce that the Microsoft Defender for Cloud Apps SecOps experiences are now available as part of Microsoft 365 Defender in public preview. Natively integrating the Defender for Cloud Apps experience within Microsoft 365 Defender streamlines the process of investigating and mitigating threats to your users, apps, and data - enabling you to review many alerts and incidents from a single pane of glass for more efficient investigation.

Now let’s look at the scenarios and Defender for Cloud Apps pages included in the Microsoft 365 Defender portal as part of the public preview.

 

Unified SOC experience

 

Unified Alerts Page

The unified alerts page intertwines Defender for Cloud Apps with the Microsoft 365 Defender incident . The deep integration of the alert page reduces the need to pivot between portals when diving into an alert. The structure of the alerts pages themselves is planned to remain similar to what's in Microsoft Defender for Cloud Apps, including the alert story and additional cross workloads information and reference to the related activities from the activity log where the data is available.

The first component displays linked entities such as IP address, the app – including app discovery, the account, the OAuth application and the file. Additionally, detection feedback and alert management are in the new unified view and provide an important part of Microsoft Defender for Cloud Apps logic.

In this example, an alert for an impossible travel incident is shown within Microsoft 365 Defender. Expanding the alert shows the severity, the investigative state, the category the alert falls under, the impacted assets, and more.

 

Image1: Integrated incident viewImage1: Integrated incident view

Security analysts can drill down deeper into the incident from within Microsoft 365 Defender.

In this example, we emulated an attack scenario where the adversary is:

  1. Using the TOR browser to hide their IP address.
  2. Connecting with a password, that he had may gotten from the dark net, and compromising Aldo’s account.
  3. Sending phishing emails.
  4. Manipulating an inbox rule to automatically hide replies to his mail.
  5. Delete multiple mails to hide his sent emails.
  6. Turning on anonymous access to the inbox to allow him to connect to this mailbox even if the password changes.

In response to this scenario, an incident was created within Microsoft 365 Defender, correlating alerts generated from Microsoft Defender for Cloud Apps, with alerts generated from Azure Active Directory Identity Protection and Microsoft 365 Defender. Expanding the alert shows the severity, the investigative state, the category the alert falls under, the impacted assets, and more.

 

Image 2: Incident overviewImage 2: Incident overview

 

Yulia_Zhurbinsky_2-1656008267659.png

 

Clicking on one of the alerts will open the alert page, and show the alert page, including the involved entities, the alert’s story, and as we can see in the next example of the “Suspicious inbox manipulation rule” alert, other contextual information and activities related to this alert:

Image 4: Alert viewImage 4: Alert view

 

We’re also excited to announce that together with the Defender for Cloud Apps experience in the Microsoft 365 Defender portal, we’ve started to present the file hashes as part of the “Malware detection” alert, and it will now include also hashes for malware detected in SharePoint/OneDrive as well as for malware detected in non-Microsoft storage apps that were supported until now.

Malware detected by Defender for Cloud Apps will also present the VirusTotal detections ratio, and prevalence of the same malware on devices in the tenant:

 

Image 5: Malware detection alertImage 5: Malware detection alert

 

Unified Alerts Queue with Advanced Filters

Security analysts have access to a unified queue that shows Defender for Cloud Apps alerts within the Microsoft 365 Defender queue. The view can be customized using a flyout menu that provides a variety of filters, enabling you to identify and focus on the tasks you’re prioritizing.

 

Image 6: Alert filtersImage 6: Alert filters

 

Activity log

The activity log page that you currently access using the Defender for Cloud Apps portal is available in the Microsoft 365 Defender and provides a similar user experience. It allows pivoting to the entities in the Microsoft 365 Defender portal, such as the user page. Related security investigations for your cloud apps can now be completed using one dashboard.

 

Image 7: Activity logImage 7: Activity log

 

Advanced hunting includes Microsoft Defender for Cloud Apps data

 

Identities

The assets section in Microsoft 365 Defender creates the cross-asset story in both posture and XDR experiences, consolidates the different inventory capabilities of the defender products, converging into the Microsoft 365 Defender portal, allowing customers a unified place to view all their discovered assets.

The new “Identities” assets section, previously known as “Users and accounts” in the Microsoft Defender for Cloud Apps portal, consolidates all discovered identities across Active directory, Azure Active Directory, and 3rd party applications, connected to Microsoft Defender for Cloud Apps, allowing security teams both a browsing experience and security value such as sorting identities by risk factors.

 

Image 8: Identities viewImage 8: Identities view

 

Summary and next steps

 

The SecOps user experience for Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and provides security teams a central experience for discovery, investigation, mitigation, and handling of incidents. App data will now also be correlated with insights from other workloads such as endpoints, mail, or identity if the relevant products are deployed in your environment to enable a centralized XDR experience. 

The same functionality will co-exist in the Microsoft Defender for Cloud Apps standalone portal. The two portals are both available to you. You can continue to use the Microsoft Defender for Cloud Apps portal to shadow IT discovery, information protection, manage policies and settings configurations. We plan to converge these capabilities in Microsoft 365 Defender to enable a unified admin experience soon.

Get started today with the unified SecOps experience in Microsoft 365 Defender.

Check out our documentation to learn more about the Microsoft Defender for Cloud Apps user experiences available within the Microsoft 365 Defender portal.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2 Comments
Co-Authors
Version history
Last update:
‎Jun 23 2022 01:31 PM
Updated by: