User Profile
John_Lewis
Former Employee
Joined 6 years ago
Recent Discussions
Re: Atypical travel: no logs in MCAS
LouisMastelinck For Azure AD sign-in activities (Risky sign-in), Cloud App Security only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. This would explain why there are no activities associated with the alert. Non-interactive sign-in activities may be viewed in the Azure AD audit log. You should be able to locate the original alert in AAD’s Risky sign-ins blade. You can filter the detection type: Atypical travel and include a filter for the user which triggered the alert. AAD can then provide you with additional information in the basic and risk info details.

Re: Questions on Controlling and monitoring Microsoft Teams workloads.
Hi Newlife, thank you for the questions. Please see my responses below:

Alert for adding GA or adding users to a security role
Yes, these activity types are supported: “Add member to group/role”. In addition, with integrations with Azure ATP, we can detect suspicious additions to sensitive groups. Custom sensitive groups can be defined by admins. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-domain-dominance-alerts#suspicious-additions-to-sensitive-groups-external-id-2024 Another approach is to customize your filter to include the “Activity objects” “Activity object ID” equals the AAD group objectID from Azure AD. This can easily be added to any filter within the Activity Log by navigating to the activity and clicking the “Activity Objects”. Within those objects, there are icons to include the objects in the filter.

Alert for Adding external guests to Teams sites
We have MS Teams specific templates that will detect this activity. See below:
Access level change (Teams): Alerts when a team's access level is changed from private to public.
External user added (Teams): Alerts when an external user is added to a team.
Mass deletion (Teams): Alerts when a user deletes a large number of teams.

Alert for adding user for specific group (Like domain admin)
Same as #1

Are live monitoring controls only application based “web access” or do they include desktop clients such as “desktop Teams, desktop Outlook app”?
Conditional Access App Control can monitor and control the session in real time for web-based applications. We have access control policies which can be used to block the desktop and mobile clients. https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls

When will the enforcement occur following a monitoring alert? How much time? (without reverse proxy)
When using Conditional Access App Control, session controls are in real time. If you elect to monitor the session, no controls will be used. This provides an avenue to analyze user behavior to understand under what conditions session policies should be applied in the future. Without CaaC enabled, you can leverage API connected applications that perform governance functionality in near real time. https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps

They want to create alerts when someone uploads or downloads files in Teams
We have activity filters that support upload/download file.

Specific alert if there is sensitive information in the file.
File policies support DLP functionality. https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies

MCAS to block and protect download of sensitive data to unmanaged or risky devices: Can they do it with OCAS?
Only for Office Apps, but the license requirements also include Azure AD P1. https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad

Can it apply only on web app or include desktop app?
Only web-based applications. You would need to use access policies to limit desktop and mobile applications to provide a comprehensive approach to securing those apps.

Can all the built-in policies that we can see in the OCAS portal be applied?
Yes

Blocking / alert for sharing files based on whether the user is an external or internal user.
That control should be handled with the native tools built into OD4B/SharePoint https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

Block and alert if the connection to O365 portal and O365 services was from a country other than Israel.
This can be done with Azure AD Conditional Access Policies. Alerts can be configured in CAS to filter on activity type such as logon and location.

Re: Dropbox clients
Hi Dean_Gross, If you are referring to how our Conditional Access App Control feature handles desktop and mobile clients, please review the document below and take note of our access policies which provide comprehensive security to your apps. https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls Session controls support web-based apps that leverage single sign-on using SAML 2.0 with your IDP. If you are using Azure AD, OpenID Connect authentication is supported as well. If you are referring to how API connected apps like Dropbox are protected with MCAS, please refer to this document https://docs.microsoft.com/en-us/cloud-app-security/protect-dropbox. Thanks!

Re: MS CASB trial support SAML?
Anant2718 Conditional Access App Control (proxy) feature does support native Azure AD integration leveraging SAML 2.0 and OpenID Connect. Check out the links below: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#supported-apps-and-clients https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy More information on Azure AD federation/SSO and connecting with your IDP can be found at the links below: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Re: What does Activity "SupervisoryReviewOLAudit" in Exchange mean - especially regarding EXTERNAL users
Deleted Supervisory Review is likely referring to https://docs.microsoft.com/en-us/microsoft-365/compliance/supervision-policies?view=o365-worldwide Check your policies in the Microsoft Security Center and Exchange Online. Internal and External users in MCAS are defined via the managed domain configuration located in MCAS Settings > Organization details > Managed domains https://docs.microsoft.com/en-us/cloud-app-security/general-setup#set-up-the-portal

Re: Corporate IP & Impossible Travel issues
rmoat Hello, Adding your corporate IPs to the data enrichment section is a great first step to improving the detection. However, you can take a few additional steps to help with this issue. As an example, to reduce the number of false positives within the impossible travel alert, you can set the policy's sensitivity slider to low. Lastly, if you have users in your organization that are frequent corporate travelers, you can add them to a user group and select that group in the scope of the policy to exclude. More information can be found here and here

Re: Governance Log Showing "Failed Internal Error" for anyone else?
AL_IPSD Hi AL_IPSD, Please validate the configured data source matches your firewall/proxy. I would also recommend you restart the log collector/docker container to see if that resolves the issue. If all else fails, please open a support ticket to have this investigated further.

Re: MCAS - block copy/paste and printing
ACDS- Hi ACDS, At this time Conditional Access App Control session policies cannot limit to individual SharePoint sites. However, we do have an active private preview regarding this feature. If you are interested, please email mcaspreview@microsoft.com.

Re: MCAS - High Severity Alert - "BUL-OauthAppPermissions-MicrosoftAccounts"
PJR_CDF Hi PJR_CDF, The policy BUL-OauthAppPermissions-MicrosoftAccounts is not a built-in OAuth detection policy. You can find the built-in OAuth policies by navigating to “Policies” and filtering on type “OAuth app anomaly detection policy”. In addition, setting the policy filter to show “OAuth app policy” will reveal custom policies created by administrators. Using the cogwheel to edit the policy will reveal the criteria for triggering the alert and adjustments can be made. Also, accessing the “Actions” on the policy page will allow you to disable the policy.

Re: Blocking download files with sensitive data from desktop client Apps on non-domain joined systems
VKantamneni Hi Venkat, It is recommended that you block mobile and native clients by using an access policy. You can customize the block message to inform the user to either access the application on a domain joined/managed machine or navigate to the web-based application. Forcing users to access the app via the web-based application will allow you to apply session controls and prevent the download of sensitive information to an unmanaged device. Please note, if the mobile or client app is using an embedded web frame, session policies will still apply to that application. If you still want to allow thick clients to access that data, you should consider applying protection on it as we can’t apply control on unmanaged devices. More information can be found here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls
Recent Blog Articles
Securing Administrative Access to Microsoft Cloud App Security and Defender for Identities
Security administrators often focus on best practices for securing their company’s users, apps, services, and devices. It can be easy to forget that Security Administrators are also “users”. Protecti...