Threat Protection
53 Topics

MacOS / MDATP - MCAS Integration

Currently the MDATP powered cloud discovery, application blocking and other capabilities are restricted to Windows 10 devices. Does the development roadmap for MDATP and MCAS have the same capabilities in development for Mac? Can we expect feature parity in areas like this as the Mac MDATP platform matures?

Solved

Application Script That Filters Risky Unused Apps on Your Environment
Hey there everyone. Recently made a script that filters out high risk applications (Risk score <4) that haven't been used in a while on your environment. An easy win is to block applications that haven't been used in a bit. We have specific application categories we are more interested in than others. Feel free to copy this template, or use others. Oh, you need the MCAS PowerShell package installed too. Here is the download link: https://github.com/microsoft/MCAS/

    # defining variables
    $count = 0    # Count variable used for determining the number of apps left
    $obj = @()    # Array where the apps will be added to

    # Application categories we look for in our environment. Change to your liking.
    $categories = @(
        "SAASDB_CATEGORY_SOCIALNETWORK",
        "SAASDB_CATEGORY_NEWS_AND_ENTERTAINMENT",
        "SAASDB_CATEGORY_CLOUD_COMPUTING_PLATFORM",
        "SAASDB_CATEGORY_CONTENT_MANAGEMENT",
        "SAASDB_CATEGORY_COLLABORATION",
        "SAASDB_CATEGORY_HOSTING_SERVICES",
        "SAASDB_CATEGORY_IT_SERVICES",
        "SAASDB_CATEGORY_MARKETING",
        "SAASDB_CATEGORY_WEBMAIL",
        "SAASDB_CATEGORY_SECURITY",
        "SAASDB_CATEGORY_FORUMS",
        "SAASDB_CATEGORY_ONLINE_MEETINGS",
        "SAASDB_CATEGORY_COMMUNICATIONS",
        "SAASDB_CATEGORY_WEB_ANALYTICS",
        "SAASDB_CATEGORY_ADVERTISING",
        "SAASDB_CATEGORY_WEBSITE_MONITORING",
        "SAASDB_CATEGORY_CONTENT_SHARING",
        "SAASDB_CATEGORY_BUSINESS_INTELLIGENCE"
    )

    do {
        $applist = Get-MCASDiscoveredApp -Skip $count
        $count += $applist.count    # applies the list count to the specific count itself
        foreach ($app in $applist) {    # for each application inside the list of 100
            if ($app.category -in $categories) {    # filters on application category
                # checks whether the application has been used by anyone in the organization in the last 14 days
                if ($app.lastUsed -lt (Get-Date).AddDays(-14).ToString("yyyy-MM-dd") -and ($app.revised_score_total -lt 5)) {
                    $obj += $app    # Adds the application and the data from MCAS to the array
                }
            }
        }
        Start-Sleep -Seconds 6    # API connection times out after a while; this sleep prevents those issues
    } while ($applist.count -ge 100)    # Do/While loop while there are still apps to be pulled

    $obj | Export-Csv -Path "C:\Script\apps.csv" -Force    # Exports the list to an apps csv

Pretty much, the script runs and looks for applications that haven't been used in the last two weeks. If your parser and ADATP logs are constantly up to date, you should definitely have a good list of risky applications to block on your environment. If you have any questions, feel free to post below.

Cloud Discovery - No Users showing up
Hi everyone, I’m using Cloud App Security with Cisco ASA and Firepower logs being sent to MCAS. I also have Azure ATP deployed and working. My question: in Cloud App Security, under Cloud Discovery, the dashboard, Discovered Apps and IP Address dashboards are all populated, but NOTHING under Users. What data feed populates the Users dashboard under Cloud Discovery?

Solved

MCAS Malware Scanning
I'm trying to understand the malware scanning capability of MCAS. Other CASB solutions transfer documents and data from SharePoint and OneDrive to their datacenter for malware detection and analysis. Is this also true for MCAS malware detection? From my understanding the check is done on data at rest in O365 and in connected apps. Is that also true for the sandboxing capabilities that were recently announced? https://www.microsoft.com/security/blog/2019/03/14/evolution-microsoft-threat-protection-rsa-edition-2/

Recording of Cloud App Security Intro Webinar
Thanks to those of you who joined our introductory webinar for Microsoft Cloud App Security. For those who couldn't make it, you can find the recording at https://youtu.be/dUoicG0Hc-o. Also, thanks to Sebastien Molendijk for an informative presentation. If you'd like to ensure you're notified of future calls, please join our community using the instructions at https://aka.ms/SecurityCommunity.

Meet the Cloud App Security team at Ignite!
Are you attending Microsoft Ignite in Orlando later this month and would like to meet the Microsoft Cloud App Security Engineering team 1:1? Send me a PM via Tech Community and we'll set up some time during the event to discuss all the product questions you may have!

Azure Advanced Threat Protection is Now Generally Available
We’re excited to announce the general availability of Azure ATP, a cloud-based security solution that helps you detect and investigate security incidents across your networks. This is the cloud-based version of Advanced Threat Analytics (ATA). Azure ATP is able to detect advanced malicious attacks leveraging both cloud and on-premises signals, reducing false positives, and providing an end-to-end investigation experience, including across endpoint and identity with Windows Defender ATP integration. Read the official announcement here. Join our Azure ATP community here.

Announcement: Unified suffix domain for proxy
Hi folks, I wanted to share an important and exciting new feature that we are rolling out for Session Controls in Microsoft Cloud App Security, with impact to current users of Session Controls. We are making big improvements to our architecture for our proxy-based session controls, to leverage one unified suffix, without a named region (i.e., for commercial customers, “*.[region].cas.ms” will become “*.mcas.ms”). This change will start to hit customer tenants as early as June 7th, but will continue to roll out gradually.

This is important for several reasons:

Customers who blacklist domains by default in their network appliance or gateway will need to ensure they whitelist all the domains listed here: https://docs.microsoft.com/en-us/cloud-app-security/network-requirements#access-and-session-controls
Note 1: during initial deployment and roll-out of this feature, customers may transition from the previous, geo-specific domains to the unified suffix domains. Therefore, it’s important to whitelist all domains listed on this page.
Note 2: If a customer is whitelisting specific IPs, they must whitelist all IPs currently listed in the network requirements across all listed data centers.
Note 3: Customers should continue to check this page for the latest information on new IP addresses, as we are constantly increasing our region sizes to scale with demand.

Our architecture becomes more scalable: one region will serve any DC, meaning when we deploy a new region, it’s automatically available to any customer in MCAS.

Users will see a new suffix URL when Session Controls are applied, and should be made aware of these changes, if the IT/IS admins in the org choose to do so. Users will no longer see the DC name in the URL, which has often been confused with the location of the proxy node (which it’s not).

Here is a GIF showing the new domain for Commercial customers:

Let me know if you have any questions. Thanks, Alex

Cloud App Security Alerts not in realtime?
Hi folks, we've recently started to leverage Cloud App Security as a component of our Security Operations, and while testing the impossible travel policy with a custom targeted policy for non-typical work locations, we've noticed a significant delay in the alert being shown on the dashboard versus when the event actually occurred. We've seen anything from 90 minutes or worse when we compare the audit logs in O365 and Azure for when our test users logged in from another location to the actual time we receive the email notification from Cloud App Security. While we wait for a response from Cloud App Security support, I thought I might post here and see if anyone is having this same issue.

German Podcast about Microsoft Cloud Technologies
Hey everyone, whoever can understand German and is interested in Microsoft Cloud Technologies: my friend Marco Scheel and I (Jan Geisbauer) frequently talk about Office 365, Azure AD and Cloud Security in our (more or less) weekly podcast "Hairless in the Cloud". You can subscribe to it on one of your favorite platforms: https://anchor.fm/hairlessinthecloud Thanks and have fun listening to it! Your Hairless-Team :-)