SOLVED

Shadow IT Discovery-time taken for MDATP endpoint to use an app for the first time before block

Contributor

Hi,

I am looking at using the new functionality in MD ATP to block unsanctioned apps on Win10 endpoints and have a question.

If I have a policy set up that applies to "all continuous reports" and is set to tag any newly discovered app with a risk score of 3 or less as unsanctioned, how long does it take for the app to appear in the discovered list (assuming a user accesses it on a Win10 endpoint with MDATP enabled) and be blocked on other Win10 MDATP user endpoints?

I know there will be a lot of factors that influence the *actual* time taken, but I am looking to understand the timings / variables involved to get to a point where I can understand the theoretical maximum time taken from User A accessing the app to User A (and subsequently B, C and D etc.) being blocked.

Thanks,

Paul

2 Replies
best response confirmed by PJR_CDF (Contributor)
Solution

Hi Paul,

This timing depends on 2 variables:

  1. Time from app tagging in MCAS until it is being sent to MDATP (~15 minutes today)
  2. Time for MDATP to propagate this to the endpoint (up to 2 hours)

The sum of these two (2:15 hrs) is the upper bound for the unsanctioning operation to take action on the endpoint.

Thanks,

Danny.