Discovered app Security Breach query

%3CLINGO-SUB%20id%3D%22lingo-sub-899818%22%20slang%3D%22en-US%22%3EDiscovered%20app%20Security%20Breach%20query%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-899818%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20understand%20the%20CAS%20Dashboard%20alerts%20and%20need%20a%20bit%20of%20guidance%20and%20understanding%2C%20please%20%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fflushed_40x40.gif%22%20alt%3D%22%3Aflushed%3A%22%20title%3D%22%3Aflushed%3A%22%20%2F%3E%3C%2FP%3E%3CP%3EI%20see%20an%20alert%20for%20%22Discovered%20app%20security%20breach%22%20for%20Premera%20Blue%20Cross.(See%20Fig%201%20attached)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20click%20on%20the%20app%20and%20it%20shows%20I%20have%202%20active%20users%2C%206%20transactions.%20but%20no%20alerts!%26nbsp%3B%20(See%20Fig%202%20and%203%20attached)%3C%2FP%3E%3CP%3EThe%202%20%22active%22%20users%20it%20claims%20accessed%20this%20app%20are%20actually%202%20of%20our%20IT%20Team%20browsing%20the%20relevant%20url%20related%20to%20the%20breached%20app%20to%20determine%20what's%20on%20the%20website.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20confused%20why%20they%20would%20be%20listed%20as%20active%20users%2C%20if%20we%20have%20no%20alerts%20and%20they%20don't%20have%20any%20apps%20installed%20related%20to%20%22Premera%20Blue%20Cross%22.%20Confused.com!%20Any%20pointers%20would%20be%20very%20much%20appreciated%26nbsp%3B%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-899818%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-906495%22%20slang%3D%22en-US%22%3ERe%3A%20Discovered%20app%20Security%20Breach%20query%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-906495%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46448%22%20target%3D%22_blank%22%3E%40Christo%20De%20Lange%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat's%20a%20built-in%20alert%20in%20the%20product%20when%20we%20know%20there%20is%20a%20public%20breach%20with%20a%20specific%20application.%20Since%20there%20are%20users%20in%20your%20network%20who've%20accessed%20this%20application%20based%20on%20your%20traffic%20logs%20-%20we're%20letting%20you%20know%20that%20there%20is%20breach%20associated%20with%20this%20application.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20discovery%20dashboard%20is%20based%20on%20your%20traffic%20logs%20which%20we%20parse%20and%20create%20the%20dashboard%20with.%20Please%20let%20me%20know%20if%20this%20answers%20your%20question.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fset-up-cloud-discovery%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fset-up-cloud-discovery%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916724%22%20slang%3D%22en-US%22%3ERe%3A%20Discovered%20app%20Security%20Breach%20query%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916724%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Banu%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F177014%22%20target%3D%22_blank%22%3E%40Banu%20Jafarli%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThanks%20so%20much%20for%20your%20reply.%20Ok%20I%20understand%20the%20built-in%20alert%20for%20breached%20apps(Kudos!)%2C%20I%20also%20understand%20traffic%20logs%20would%20advise%20that%20there%20was%20traffic%20between%202%20of%20our%20computer%20clients%20and%20a%20URL%20associated%20with%20a%20breached%20app%2C%20however%2C%20the%202%20users%20do%20not%20have%20the%20associated%20app%20installed%20or%20use%20it%2C%20they%20simply%20browsed%20to%20a%20website%20to%20investigate%20the%20URL.%3CBR%20%2F%3E%3CBR%20%2F%3EWhich%20then%20looks%20to%20me%20like%20a%20false%20alert.%20No%20breached%20app%20was%20actually%20in%20use.%20So%20my%20understanding%20now%20is%20the%20dashboard%20alert%20is%20based%20on%20traffic%20logs%20between%20two%20points(One%20being%20host%20to%20a%20breached%20app)%20rather%20than%20traffic%20between%20a%20specific%20%22breached%22%20application%20and%20our%20clients.%20Hope%20this%20makes%20sense%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi All

 

I am trying to understand the CAS Dashboard alerts and need a bit of guidance and understanding, please :flushed:

I see an alert for "Discovered app security breach" for Premera Blue Cross.(See Fig 1 attached)

 

I click on the app and it shows I have 2 active users, 6 transactions. but no alerts!  (See Fig 2 and 3 attached)

The 2 "active" users it claims accessed this app are actually 2 of our IT Team browsing the relevant url related to the breached app to determine what's on the website. 

 

I am confused why they would be listed as active users, if we have no alerts and they don't have any apps installed related to "Premera Blue Cross". Confused.com! Any pointers would be very much appreciated  :cool: 

 

Thanks in advance

 
2 Replies
Highlighted

@Christo De Lange 

 

That's a built-in alert in the product when we know there is a public breach with a specific application. Since there are users in your network who've accessed this application based on your traffic logs - we're letting you know that there is breach associated with this application. 

 

The discovery dashboard is based on your traffic logs which we parse and create the dashboard with. Please let me know if this answers your question. 

 

https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

Highlighted

Hi Banu
@Banu Jafarli 


Thanks so much for your reply. Ok I understand the built-in alert for breached apps(Kudos!), I also understand traffic logs would advise that there was traffic between 2 of our computer clients and a URL associated with a breached app, however, the 2 users do not have the associated app installed or use it, they simply browsed to a website to investigate the URL.

Which then looks to me like a false alert. No breached app was actually in use. So my understanding now is the dashboard alert is based on traffic logs between two points(One being host to a breached app) rather than traffic between a specific "breached" application and our clients. Hope this makes sense?