Limit amount of cloud traffic log Defender for endpoint sends

Brass Contributor

Is there a way to limit the amount of cloud traffic sent from Defender from Endpoint? What I meant is, can I limit the endpoints, or is ALL traffic sent as soon I pull the trigger?

 

This is to judge about the impact of our SOC people who will get all that event loaded into their dashboard

3 Replies
I guess the answer is; when you pull the switch, all traffic is shared with MDCA, based on the following:

* Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
* Works out of the box, no configuration required - Forwarding cloud traffic logs to Defender for Cloud Apps requires firewall and proxy server configuration. With the Defender for Endpoint and Defender for Cloud Apps integration, there's no configuration required. Just switch it on in Microsoft 365 Defender settings and you're good to go.
* Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
Found at: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-cloud-app-secur...

Hi @RVC,

 

Your correct here, once turned on all data will get send to Defender for Cloud Apps for Shadow IT analysis.  

@Keith_Fleming thanks for your confirmation. 

 

What does this mean for licensing requirements? Not all our users will get an E5 license, while Defender is rolled out on every endpoint? Or will the traffic only be shared if the endpoint has the Microsoft Defender for Endpoint Plan 2 license assigned?