Apr 14 2019 02:14 AM - edited Apr 15 2019 02:05 PM
Native support for the discovery of Shadow IT
One-click integration of Microsoft Cloud App Security with MDATP
At RSA Conference, the world's largest cybersecurity conference, we announced the general availability of Microsoft Defender ATP's integration with Microsoft Cloud App Security, delivering a native integration to discover the cloud apps used in your organization. This is the first step towards a seamless, zero-deployment, native cloud app security solution that works any time, anywhere. Read on to learn why we built it, how to enable it with a single click, what the new value and experience are, and how we will continue to enhance these capabilities in the future.
Even if you are already using Microsoft Cloud App Security to monitor Shadow IT, the new integration provides additional value to the Discovery data.
The short answer is "you get more for less". There are 4 main advantages:
As a native OS component, we strive to continuously add value for customers via the
Windows 10 1903 or later; 1809 (KB 4482887); 1803 (KB 4489894); 1709 (KB 4489890)
If you have Microsoft Cloud App Security up and running in the same tenant as MDATP it’s down to a single click:
And you’re done. Microsoft Defender ATP will start sending the relevant log data to Microsoft Cloud App Security.
If you’re not using Microsoft Cloud App Security yet, start a trial to test this integration.
Image 1: 1-click enablement
Note! After enabling the integration, it takes some time for data collection to kick off and for data transit and processing to start. It takes a few minutes for the connected endpoints to start collecting and sending the telemetry, and then up to 4 hours to process the first batches and build the report.
Once you've enabled the integration, navigate to the Cloud Discovery dashboard from the navigation pane in the Microsoft Cloud App Security portal. When you select the Win10 endpoint users report from the list of continuous reports, a new "Machines" tab appears on the dashboard.
Image 2: Cloud Discovery – Discovered apps view
With the Discovery capabilities in Microsoft Cloud App Security you get new insights into the existing cloud use in your organization and tools to evaluate risks and start governing existing Shadow IT. Image 3 depicts the typical lifecycle of managing the discovered apps in your organization.
Image 3: Shadow IT management lifecycle
By integrating with Microsoft Defender ATP, an additional Machines tab is added to the dashboard. It presents the findings on a per-machine basis rather than a per-user basis, giving you granular insight into the apps accessed from specific machines. In addition, because the telemetry now comes from the endpoint itself, the data also covers cloud apps that were accessed outside the corporate network.
Image 4: Machine-based investigation in MCAS portal
If you find anything suspicious, such as a user who uploaded an unusually large amount of data to a risky app, you may want to continue the investigation in Microsoft Defender ATP and verify that the machine is not compromised. A single click on the Microsoft Defender ATP link in the upper right takes you to the detailed machine page in MDATP. There, in the machine timeline, you can investigate the root cause down to the process level and, if needed, to the ancestor processes, download origins, etc.
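As an added example that is not part of the original post: once you have pivoted from the Machines tab into Microsoft Defender ATP, an Advanced Hunting query gives you the same machine-to-process view in a form you can save and re-run for the next finding. The table name (DeviceNetworkEvents, the current Advanced Hunting schema name), the device name and the app domains below are placeholders assumed for the example, not values from this post.

```kql
// Added example, not code from the original post.
// Assumptions: current Advanced Hunting schema (DeviceNetworkEvents);
// the device name and app domains are hypothetical placeholders standing
// in for a finding taken from the MCAS Machines tab.
let targetDevice = "workstation-01";
let riskyAppDomains = dynamic(["dropbox.com", "wetransfer.com"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName =~ targetDevice
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (riskyAppDomains)
// One row per process (and its parent) that reached the app from this machine,
// which is the same drill-down the machine timeline offers, but tabulated.
| summarize
    Connections = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    RemoteHosts = make_set(RemoteUrl, 20)
  by DeviceName,
     InitiatingProcessAccountName,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessParentFileName
| order by Connections desc
```

The query only reflects what the endpoint sensor itself observed, which is the same telemetry the Cloud Discovery report is built from; an empty result therefore shows that the sensor saw no connection to those domains, not that the app was never used from that machine.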
This native integration is another step towards creating a set of comprehensive, natively integrated security solutions across Microsoft 365. Building this endpoint-based CASB scenario to play together in a seamless experience is a strategic decision to simplify your security and compliance processes.
Based on your feedback during the public preview, we back-ported this capability set to Windows 10 1709 to make it more broadly applicable. Update your clients to get it; the updated clients will then also feed telemetry to Microsoft Cloud App Security.
In addition, we will continue to enhance the existing integration with additional capabilities:
Get started with a Microsoft Cloud App Security trial today
Check out this e-book to learn more about the integration between Microsoft Defender ATP and Microsoft Cloud App Security
Learn more about Microsoft Cloud App Security.
Technical documentation to get started.
Microsoft Cloud App Security licensing information.
As always, we’d love to hear your feedback. Please share your thoughts and feature suggestions!
Microsoft Defender ATP & Microsoft Cloud App Security Teams
Apr 14 2019 01:29 PM
@Dan Michelson Was support recently extended for older Win 10 versions? Previously only 1809 was supported for this. It would be great if that's the case :)
One minor point of the integration to me is that previously CASB data was all obfuscated and required a privacy officer to approve de-obfuscation of username/machine name, but right now it is just a single click to the defender portal link to get all that data from there without any approval. It can be solved by strong segregation of duties, but I think this might require some extra approval step to get to the defender portal.
Apr 14 2019 05:24 PM
Apr 15 2019 08:18 AM
Hi @Dan Michelson, Thanks for your post. We love MDATP & CASI! We have been using it for almost 2 months now.
However, last week, the Discovery Dashboard disappeared. It looks like the Windows 10 endpoints are still reporting the data as we can see it in the alerts, but the "continuous upload" area is no longer available. As a troubleshooting step, we disabled the integration with MDATP for a day and then enabled it back 4 days ago, but we are still unable to see the discovery dashboard. Any ideas?
Thanks in advance for your help!
Jun 03 2020 11:43 PM
Hi @Dan Michelson . Is MDATP integration with MCAS still not supported with proxies?
"If the endpoint device is behind a forward proxy, traffic data will not be visible to Microsoft Defender ATP and hence will not be included in Cloud Discovery reports"
We have MDATP deployed, network protection in audit mode enabled, MCAS integration enabled. We don't see any traffic to some known cloud apps this way. Though the apps do appear in MDATP Advanced Hunting, they don't make it to MCAS.
In parallel we have some proxy log forwarding. The apps that MDATP doesn't forward to MCAS appear via the MCAS log collector. The integration seems unreliable when there are proxies. The data is in MDATP but it's not forwarded to MCAS correctly.