Data Protection
66 Topics

Recording of Cloud App Security Intro Webinar
Thanks to those of you who joined our introductory webinar for Microsoft Cloud App Security. For those who couldn't make it, you can find the recording at https://youtu.be/dUoicG0Hc-o. Also, thanks to Sebastien Molendijk for an informative presentation. If you'd like to ensure you're notified of future calls, please join our community using the instructions at https://aka.ms/SecurityCommunity.

MCAS Regex Engine
Maybe you have a Quick answer. We are currently evaluating DLP Capabilities with MCAS. As we are now implementing Use Cases, we discovered that the Regex Engine from Microsoft is somewhat special. Me and my colleagues understand that this is a mass amount engine and therefore has its limitations regarding the Quantifiers. Now, the Docs are kind of clear but only very less. How does the Regex Engine actually work, what are the limitations? We can investigate every single regex match but how do we validate false positives for an amount of matches? (Probability Score or Reducing the max. Matches per day)

Some example use cases from the customer:
- Leveraging regex to look for http headers
- Look for Cookies (e.g. Look for "Set-Cookie")
- Regex hunting base64 encoded jwt id or access tokens or other custom tokens with various file types
- pci data (can be covered by MCAS)
- aws session token (SessionToken AND base64 encoded data in the vicinity)
- MIP labeled documents (can be covered by MCAS)

Hope someone can help

Announcement: Unified suffix domain for proxy
Hi folks, I wanted to share an important and exciting new feature that we are rolling out for Session Controls in Microsoft Cloud App Security, with impact to current users of Session Controls. We are making big improvements to our architecture for our proxy-based session controls, to leverage one unified suffix, without a named region (i.e., for commercial customers, “*.[region].cas.ms” will become “*.mcas.ms”). This change will start to hit customer tenants as early as June 7th, but will continue to roll out gradually.

This is important for several reasons:
- Customers who blacklist domains by default in their network appliance or gateway will need to ensure they whitelist all the domains listed here: https://docs.microsoft.com/en-us/cloud-app-security/network-requirements#access-and-session-controls
  - Note 1: during initial deployment and roll-out of this feature, customers may transition from the previous, geo-specific domains to the unified suffix domains. Therefore, it’s important to whitelist all domains listed on this page.
  - Note 2: If a customer is whitelisting specific IPs, they must whitelist all IPs currently listed in the network requirements across all listed Data centers.
  - Note 3: Customers should continue to check this page for the latest information on new IP addresses, as we are constantly increasing our region sizes to scale with demand.
- Our architecture becomes more scalable – one region will serve any DC, meaning when we deploy a new region, it’s automatically available to any customer in MCAS
- Users will see a new suffix URL when Session Controls are applied, and should be aware of these changes, if the IT/IS admins in the org choose to do so.
- Users will no longer see DC name in the URL, which has often been confused with the location of the proxy node (which it’s not)

Here is a GIF showing the new domain for Commercial customers:

Let me know if you have any questions.

Thanks,
Alex

1.6K Views, 2 likes, 0 Comments

Using flow Cloud App Security Alert trigger
I have a DLP rule in Office 365 that triggers an alert when PCI data is detected. I want to use Flow to send an email to the person who owns the detected file\s, providing them the file name and location (this info is in the alerts when you view them in Cloud App Security) and asking them to remove the PCI data. I set up the API token, a Cloud App Security trigger and then attached a basic email action to my and attached that to the alert as a Flow action just so I know when the DLP picks up PCI it runs the configured alert which then runs the configured Flow and I get the test email. This works perfectly. Next step then is to customize it to the file owner. Here is where I'm having problems. I need to put the file owner email address in the To field and at a minimum the file\s detected in the body. My problem is I can't find any doco that explains what each of the dynamic content options actually are so I don't know which one gives me the person and the file\s info. I tried to just add all of them and wait for a triggered event but some I believe are arrays so it adds a "For each" action which I don't want. How can I work out the dynamic content fields I need?

1.5K Views, 1 like, 2 Comments

File Policies - Requesting a new pre-set expression
Hi Team, I would like to request the addition of a new pre-set expression for content inspection in file policies. It is for New Zealand "Social Welfare Numbers". I have the algorithm which unfortunately cannot be implemented in a REGEX. What is the best way to go about submitting this request?

Cheers
Kevin

New blog post: Protect your data in Box environments with Microsoft Cloud App Security
Last week researchers found dozens of companies had inadvertently exposed sensitive corporate and customer data in their corporate Box accounts, because employees had created public sharing links to files and folders. Check out our latest blog post and find out how you can make sure that your Box environment is safe!

German Podcast about Microsoft Cloud Technologies
Hey Everyone, whoever can understand German and is interested in Microsoft Cloud Technologies: My Friend Marco Scheel and I (Jan Geisbauer) frequently talk about Office 365, Azure AD and Cloud Security in our (more or less) weekly Podcast "Hairless in the Cloud". You can subscribe to it on one of your favorite platforms: https://anchor.fm/hairlessinthecloud

Thanks and have fun listening to it!
Your Hairless-Team :-)

MCAS private preview: data classification in session policies
We have a new private preview opportunity for Microsoft Cloud App Security (MCAS): https://aka.ms/MCAS-DCS-DLP

We've integrated the data classification services (DCS) engine that was previously only available for file policies into session policies, allowing users to utilize one data loss prevention engine across their Microsoft workloads. This is the first real-time use-case for DCS in MCAS, so feedback is critical. Space is limited – we cannot guarantee that all who apply will be accepted.

EIN Regex for DLP
We are trying to create a new policy to detect Employer Identification Number (EIN). I'm very new to Regex so I need some help. We've tried the below regex and MCAS is showing me an error of: Capturing parenthesis not allowed in regular expression. Does anyone know how to convert the below regex to something without the capturing parentheses? Thanks!

([07][1-7]|1[0-6]|2[0-7]|[35][0-9]|[468][0-8]|9[0-589])-?\d{7}