Microsoft Defender for Cloud Apps - Ninja Training
Welcome to our Ninja Training for Microsoft Defender for Cloud Apps! Are you trying to protect your SaaS applications? Are you concerned about the posture of the apps you are using? Is shadow IT or AI a concern of yours? Then you are in the right place. The training below will aggregate all the relevant resources in one convenient location for you to learn from. Let’s start here with a quick overview of Microsoft Defender for Cloud Apps’ capabilities. Microsoft Defender for Cloud Apps | Microsoft Security Overview of Microsoft Defender for Cloud Apps and the capability of a SaaS Security solution. Overview - Microsoft Defender for Cloud Apps | Microsoft Learn Understand what Microsoft Defender for Cloud Apps is and read about its main capabilities. Quick Start The basic features of Defender for Cloud Apps require almost no effort to deploy. The recommended steps are to: Connect your apps Enable App Discovery Enable App Governance After enabling these features, all default detections and alerts will start triggering in the Microsoft Defender XDR console, and give you tremendous value with minimal configuration. Simplified SaaS Security Deployment with Microsoft Defender for Cloud Apps | Virtual Ninja Training Step-by-step video on how to quickly deploy Defender for Cloud Apps Get started - Microsoft Defender for Cloud Apps This quickstart describes how to start working with Microsoft Defender for Cloud Apps on the Microsoft Defender Portal. Review this if you prefer text to video Basic setup - Microsoft Defender for Cloud Apps The following procedure gives you instructions for customizing your Microsoft Defender for Cloud Apps environment. Connect apps to get visibility and control - Microsoft Defender for Cloud Apps App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Defender for Cloud Apps over the apps you connect to. Make sure to connect all your available apps as you start your deployment Turn on app governance in Microsoft Defender for Cloud Apps App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights out-of-the box threat detections, OAuth apps attack disruption, automated policy alerts and actions. It only takes a few minutes to enable and provide full visibility on your users’ Oauth app consents Shadow IT Discovery - Integrate with Microsoft Defender for Endpoint This article describes the out-of-the-box integration available between Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint, which simplifies cloud discovery and enabling device-based investigation. Control cloud apps with policies Policies in Microsoft Defender for Cloud Apps help define user behavior in the cloud, detect risky activities, and enable remediation workflows. There are various types of policies, such as Activity, Anomaly Detection, OAuth App, Malware Detection, File, Access, Session, and App Discovery policies. These policies help mitigate risks like access control, compliance, data loss prevention, and threat detection. Detect Threats and malicious behavior After connecting your cloud apps in Defender for Cloud Apps, you will start seeing alerts in your XDR portal. Here are resources to learn more about these alerts and how to investigate them. Note that we are constantly adding new built-in detections, and they are not necessarily part of our public documentation. How to manage incidents - Microsoft Defender XDR Learn how to manage incidents, from various sources, using Microsoft Defender XDR. How to investigate anomaly detection alerts Microsoft Defender for Cloud Apps provides detections for malicious activities. This guide provides you with general and practical information on each alert, to help with your investigation and remediation tasks. Note that detections are added on a regular basis, and not all of them will have entries in this guide. Configure automatic attack disruption in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Learn how to take advantage of XDR capabilities to automatically disrupt high confidence attacks before damage is done. OAuth apps are natively integrated as part of Microsoft XDR. Create activity policies - Microsoft Defender for Cloud Apps | Microsoft Learn In addition to all the built-in detections as part of Microsoft Defender for Cloud Apps, you can also create your own policies, including Governance actions, based on the Activity log captured by Defender for Cloud Apps. Create and manage custom detection rules in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Learn how to leverage XDR custom detection rules based on hunting data in the platform. CloudAppEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn Learn about the CloudAppEvents table which contains events from all connected applications with data enriched by Defender for Cloud Apps in a common schema. This data can be hunted across all connected apps and your separate XDR workloads. Investigate behaviors with advanced hunting - Microsoft Defender for Cloud Apps | Microsoft Learn Learn about behaviors and how they can help with security investigations. Investigate activities - Microsoft Defender for Cloud Apps | Microsoft Learn Learn how to search the activity log and investigate activities with a simple UI without the need for KQL App Governance – Protect from App-to-App attack scenario App governance in Microsoft Defender for Cloud Apps is crucial for several reasons. It enhances security by identifying and mitigating risks associated with OAuth-enabled apps, which can be exploited for privilege escalation, lateral movement, and data exfiltration. Organizations gain clear visibility into app compliance, allowing them to monitor how apps access, use, and share sensitive data. It provides alerts for anomalous behaviors, enabling quick responses to potential threats. Automated policy alerts and remediation actions help enforce compliance and protect against noncompliant or malicious apps. By governing app access, organizations can better safeguard their data across various cloud platforms. These features collectively ensure a robust security posture, protecting both data and users from potential threats. Get started with App governance - Microsoft Defender for Cloud Apps Learn how app governance enhances the security of SaaS ecosystems like Microsoft 365, Google Workspace, and Salesforce. This video details how app governance identifies integrated OAuth apps, detects and prevents suspicious activity, and provides in-depth monitoring and visibility into app metadata and behaviors to help strengthen your overall security posture. App governance in Microsoft Defender for Cloud Apps and Microsoft Defender XDR - Microsoft Defender for Cloud Apps | Microsoft Learn Defender for Cloud Apps App governance overview Create app governance policies - Microsoft Defender for Cloud Apps | Microsoft Learn Many third-party productivity apps request access to user data and sign in on behalf of users for other cloud apps like Microsoft 365, Google Workspace, and Salesforce. Users often accept these permissions without reviewing the details, posing security risks. IT departments may lack insight into balancing an app's security risk with its productivity benefits. Monitoring app permissions provides visibility and control to protect your users and applications. App governance visibility and insights - Microsoft Defender for Cloud Apps | Microsoft Learn Managing your applications requires robust visibility and insight. Microsoft Defender for Cloud Apps offers control through in-depth insights into user activities, data flows, and threats, enabling effective monitoring, anomaly detection, and compliance Reduce overprivileged permissions and apps Recommendations for reducing overprivileged permissions App Governance plays a critical role in governing applications in Entra ID. By integrating with Entra ID, App Governance provides deeper insights into application permissions and usage within your identity infrastructure. This correlation enables administrators to enforce stringent access controls and monitor applications more effectively, ensuring compliance and reducing potential security vulnerabilities. This page offers guidelines for reducing unnecessary permissions, focusing on the principle of least privilege to minimize security risks and mitigate the impact of breaches. Investigate app governance threat detection alerts List of app governance threat detection alerts classified according to MITRE ATT&CK and investigation guidance Manage app governance alerts Learn how to govern applications and respond to threat and risky applications directly from app governance or through policies. Hunt for threats in app activities Learn how to hunt for app activities directly form the XDR console (Microsoft 365 Connector required as discussed in quick start section). How to Protect Oauth Apps with App Governance in Microsoft Defender for Cloud Apps Webinar | How to Protect Oauth Apps with App Governance in Microsoft Defender for Cloud Apps. Learn how to protect Oauth applications in your environment, how to efficiently use App governance within Microsoft Defender for Cloud Apps to protect your connected apps and raise your security posture. App Governance is a Key Part of a Customers' Zero Trust Journey Webinar| learn about how the app governance add-on to Microsoft Defender for Cloud Apps is a key component of customers' Zero Trust journey. We will examine how app governance supports managing to least privilege (including identifying unused permissions), provides threat detections that are able and have already protected customers, and gives insights on risky app behaviors even for trusted apps. App Governance Inclusion in Defender for Cloud Apps Overview Webinar| App governance overview and licensing requirements. Frequently asked questions about app governance App governance FAQ Manage the security Posture of your SaaS (SSPM) One of the key components of Microsoft Defender for Cloud Apps is the ability to gain key information about the Security posture of your applications in the cloud (AKA: SaaS). This can give you a proactive approach to help avoid breaches before they happen. SaaS Security posture Management (or SSPM) is part the greater Exposure Management offering, and allows you to review the security configuration of your key apps. More details in the links below: Transform your defense: Microsoft Security Exposure Management | Microsoft Secure Tech Accelerator Overview of Microsoft Exposure Management and it’s capabilities, including how MDA & SSPM feed into this. SaaS Security Posture Management (SSPM) - Overview - Microsoft Defender for Cloud Apps | Microsoft Learn Understand simply how SSPM can help you increase the safety of your environment Turn on and manage SaaS security posture management (SSPM) - Microsoft Defender for Cloud Apps | Microsoft Learn Enabling SSPM in Defender for Cloud Apps requires almost no additional configuration (as long as your apps are already connected), and no extra license. We strongly recommend turning it on, and monitoring its results, as the cost of operation is very low. SaaS Security Initiative - Microsoft Defender for Cloud Apps | Microsoft Learn The SaaS Security Initiative provides a centralized place for software as a service (SaaS) security best practices, so that organizations can manage and prioritize security recommendations effectively. By focusing on the most impactful metrics, organizations can enhance their SaaS security posture. Secure your usage of AI applications AI is Information technologies’ newest tool and strongest innovation area. As we know it also brings its fair share of challenges. Defender for Cloud Apps can help you face these from two different angles: - First, our App Discovery capabilities give you a complete vision of all the Generative AI applications in use in an environment - Second, we provide threat detection capabilities to identify and alert from suspicious usage of Copilot for Microsoft 365, along with the ability to create custom detection using KQL queries. Secure AI applications using Microsoft Defender for Cloud Apps Overview of Microsoft Defender for Cloud Apps capabilities to secure your usage of Generative AI apps Step-by-Step: Discover Which Generative AI Apps Are Used in Your Environment Using Defender for Cloud Apps Detailed video-guide to deploy Discovery of Gen AI apps in your environment in a few minutes Step-by-Step: Protect Your Usage of Copilot for M365 Using Microsoft Defender for Cloud Apps Instructions and examples on how to leverage threat protection and advanced hunting capabilities to detect any risky or suspicious usage of Copilot for Microsoft 365 Get visibility into DeepSeek with Microsoft Defender for Cloud Apps Understand how fast the Microsoft Defender for Cloud Apps team can react when new apps or new threats come in the market. Discover Shadow IT applications Shadow IT and Shadow AI are two big challenges that organizations face today. Defender for Cloud Apps can help give you visibility you need, this will allow you to evaluate the risks, assess for compliance and apply controls over what can be used. Getting started The first step is to ensure the relevant data sources are connected to Defender for Cloud Apps to provide you the required visibility: Integrate Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps | Microsoft Learn The quickest and most seamless method to get visibility of cloud app usage is to integrate MDA with MDE (MDE license required). Create snapshot cloud discovery reports - Microsoft Defender for Cloud Apps | Microsoft Learn A sample set of logs can be ingested to generate a Snapshot. This lets you view the quality of the data before long term ingestion and also be used for investigations. Configure automatic log upload for continuous reports - Microsoft Defender for Cloud Apps | Microsoft Learn A log collector can be deployed to facilitate the collection of logs from your network appliances, such as firewalls or proxies. Defender for Cloud Apps cloud discovery API - Microsoft Defender for Cloud Apps | Microsoft Learn MDA also offers a Cloud Discovery API which can be used to directly ingest log information and mitigate the need for a log collector. Evaluate Discovered Apps Once Cloud Discovery logs are being populated into Defender for Cloud Apps, you can start the process of evaluating the discovered apps. This includes reviewing their usage, user count, risk scores and compliance factors. View discovered apps on the Cloud discovery dashboard - Microsoft Defender for Cloud Apps | Microsoft Learn View & evaluate the discovered apps within Cloud Discovery and Generate Cloud Discovery Executive Reports Working with the app page - Microsoft Defender for Cloud Apps | Microsoft Learn Investigate app usage and evaluate their compliance and risk factors Discovered app filters and queries - Microsoft Defender for Cloud Apps | Microsoft Learn Apply granular filtering and app tagging to focus on apps that are important to you Work with discovered apps via Graph API - Microsoft Defender for Cloud Apps | Microsoft Learn Investigate discovered apps via the Microsoft Graph API Add custom apps to cloud discovery - Microsoft Defender for Cloud Apps | Microsoft Learn You can add custom apps to the catalog which can then be matched against log data. This is useful for LOB applications. Govern Discovered Apps Having evaluated your discovered apps, you can then take some decisions on what level of governance and control each of the applications require and whether you want custom policies to help govern future applications: Govern discovered apps using Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps | Microsoft Learn Setup governance enforcement actions when using Microsoft Defender for Endpoint Govern discovered apps - Microsoft Defender for Cloud Apps | Microsoft Learn Apply governance actions to discovered apps from within the Cloud Discovery area Create cloud discovery policies - Microsoft Defender for Cloud Apps | Microsoft Learn Create custom Cloud Discovery policies to identify usage, alert and apply controls Operations and investigations - Sample AH queries - Tips on investigation - (section for SOC) Advanced Hunting Compromised and malicious applications investigation | Microsoft Learn Investigate anomalous app configuration changes Impersonation and EWS in Exchange | Microsoft Learn Audits impersonate privileges in Exchange Online Advanced Hunting Queries Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml at master · Azure/Azure-Sentinel · GitHub This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent. This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml at master · Azure/Azure-Sentinel · GitHub This rule looks for a service principal being granted permissions that could be used to add a Microsoft Entra ID object or user account to an Admin directory role. Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml at master · Azure/Azure-Sentinel · GitHub Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the known Applications list is expanded Best Practice recommendations Common threat protection policies - Microsoft Defender for Cloud Apps | Microsoft Learn Common Defender for Cloud Apps Threat Protection policies Recommended Microsoft Defender for Cloud Apps policies for SaaS apps | Microsoft Learn Recommended Microsoft Defender for Cloud Apps policies for SaaS apps Best practices for protecting your organization - Microsoft Defender for Cloud Apps | Microsoft Learn Best practices for protecting your organization with Defender for Cloud Apps Completion certificate! Click here to get your shareable completion certificate!! Advanced configuration Training Title Description Importing user groups from connect apps This article outlines the steps on how to import user groups from connected apps Manage Admin Access This article describes how to manage admin access in Microsoft Defender for Cloud Apps. Configure MSSP Access In this video, we walk through the steps on adding Managed Security Service Provider (MSSP) access to Microsoft Defender for Cloud Apps. Provide managed security service provider (MSSP) access - Microsoft Defender XDR | Microsoft Learn Provide managed security service provider (MSSP) access Integrate with Secure Web Gateways Microsoft Defender for Cloud Apps integrates with several secure web gateways available in the market. Here are the links to configure this integration. Integrate with Zscaler Integrate with iboss Integrate with Corrata Integrate with Menlo Additional resources Microsoft Defender for Cloud Apps Tech Community This is a Microsoft Defender for Cloud Apps Community space that allows users to connect and discuss the latest news, upgrades, and best practices with Microsoft professionals and peers.Microsoft Security in Action: Zero Trust Deployment Essentials for Digital Security
The Zero Trust framework is widely regarded as a key security model and a commonly referenced standard in modern cybersecurity. Unlike legacy perimeter-based models, Zero Trust assumes that adversaries will sometimes get access to some assets in the organization, and you must build your security strategy, architecture, processes, and skills accordingly. Implementing this framework requires a deliberate approach to deployment, configuration, and integration of tools. What is Zero Trust? At its core, Zero Trust operates on three guiding principles: Assume Breach (Assume Compromise): Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. Verify Explicitly: Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. Use Least Privileged Access: Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. Implementing a Zero Trust architecture is essential for organizations to enhance security and mitigate risks. Microsoft's Zero Trust framework essentially focuses on six key technological pillars: Identity, Endpoints, Data, Applications, Infrastructure, & Networks. This blog provides a structured approach to deploying each pillar. 1. Identity: Secure Access Starts Here Ensure secure and authenticated access to resources by verifying and enforcing policies on all user and service identities. Here are some key deployment steps to get started: Implement Strong Authentication: Enforce Multi-Factor Authentication (MFA) for all users to add an extra layer of security. Adopt phishing-resistant methods, such as password less authentication with biometrics or hardware tokens, to reduce reliance on traditional passwords. Leverage Conditional Access Policies: Define policies that grant or deny access based on real-time risk assessments, user roles, and compliance requirements. Restrict access from non-compliant or unmanaged devices to protect sensitive resources. Monitor and Protect Identities: Use tools like Microsoft Entra ID Protection to detect and respond to identity-based threats. Regularly review and audit user access rights to ensure adherence to the principle of least privilege. Integrate threat signals from diverse security solutions to enhance detection and response capabilities. 2. Endpoints: Protect the Frontlines Endpoints are frequent attack targets. A robust endpoint strategy ensures secure, compliant devices across your ecosystem. Here are some key deployment steps to get started: Implement Device Enrollment: Deploy Microsoft Intune for comprehensive device management, including policy enforcement and compliance monitoring. Enable self-service registration for BYOD to maintain visibility. Enforce Device Compliance Policies: Set and enforce policies requiring devices to meet security standards, such as up-to-date antivirus software and OS patches. Block access from devices that do not comply with established security policies. Utilize and Integrate Endpoint Detection and Response (EDR): Deploy Microsoft Defender for Endpoint to detect, investigate, and respond to advanced threats on endpoints and integrate with Conditional Access. Enable automated remediation to quickly address identified issues. Apply Data Loss Prevention (DLP): Leverage DLP policies alongside Insider Risk Management (IRM) to restrict sensitive data movement, such as copying corporate data to external drives, and address potential insider threats with adaptive protection. 3. Data: Classify, Protect, and Govern Data security spans classification, access control, and lifecycle management. Here are some key deployment steps to get started: Classify and Label Data: Use Microsoft Purview Information Protection to discover and classify sensitive information based on predefined or custom policies. Apply sensitivity labels to data to dictate handling and protection requirements. Implement Data Loss Prevention (DLP): Configure DLP policies to prevent unauthorized sharing or transfer of sensitive data. Monitor and control data movement across endpoints, applications, and cloud services. Encrypt Data at Rest and in Transit: Ensure sensitive data is encrypted both when stored and during transmission. Use Microsoft Purview Information Protection for data security. 4. Applications: Manage and Secure Application Access Securing access to applications ensures that only authenticated and authorized users interact with enterprise resources. Here are some key deployment steps to get started: Implement Application Access Controls: Use Microsoft Entra ID to manage and secure access to applications, enforcing Conditional Access policies. Integrate SaaS and on-premises applications with Microsoft Entra ID for seamless authentication. Monitor Application Usage: Deploy Microsoft Defender for Cloud Apps to gain visibility into application usage and detect risky behaviors. Set up alerts for anomalous activities, such as unusual download patterns or access from unfamiliar locations. Ensure Application Compliance: Regularly assess applications for compliance with security policies and regulatory requirements. Implement measures such as Single Sign-On (SSO) and MFA for application access. 5. Infrastructure: Securing the Foundation It’s vital to protect the assets you have today providing business critical services your organization is creating each day. Cloud and on-premises infrastructure hosts crucial assets that are frequently targeted by attackers. Here are some key deployment steps to get started: Implement Security Baselines: Apply secure configurations to VMs, containers, and Azure services using Microsoft Defender for Cloud. Monitor and Protect Infrastructure: Deploy Microsoft Defender for Cloud to monitor infrastructure for vulnerabilities and threats. Segment workloads using Network Security Groups (NSGs). Enforce Least Privilege Access: Implement Just-In-Time (JIT) access and Privileged Identity Management (PIM). Just-in-time (JIT) mechanisms grant privileges on-demand when required. This technique helps by reducing the time exposure of privileges that are required for people, but are only rarely used. Regularly review access rights to align with current roles and responsibilities. 6. Networks: Safeguard Communication and Limit Lateral Movement Network segmentation and monitoring are critical to Zero Trust implementation. Here are some key deployment steps to get started: Implement Network Segmentation: Use Virtual Networks (VNets) and Network Security Groups (NSGs) to segment and control traffic flow. Secure Remote Access: Deploy Azure Virtual Network Gateway and Azure Bastion for secure remote access. Require device and user health verification for VPN access. Monitor Network Traffic: Use Microsoft Defender for Endpoint to analyze traffic and detect anomalies. Taking the First Step Toward Zero Trust Zero Trust isn’t just a security model—it’s a cultural shift. By implementing the six pillars comprehensively, organizations can potentially enhance their security posture while enabling seamless, secure access for users. Implementing Zero Trust can be complex and may require additional deployment approaches beyond those outlined here. Cybersecurity needs vary widely across organizations and deployment isn’t one-size-fits all, so these steps might not fully address your organization’s specific requirements. However, this guide is intended to provide a helpful starting point or checklist for planning your Zero Trust deployment. For a more detailed walkthrough and additional resources, visit Microsoft Zero Trust Implementation Guidance. The Microsoft Security in Action blog series is an evolving collection of posts that explores practical deployment strategies, real-world implementations, and best practices to help organizations secure their digital estate with Microsoft Security solutions. Stay tuned for our next blog on deploying and maximizing your investments in Microsoft Threat Protection solutions.Unveiling digital threats: East Asia’s emerging threat landscape
Dive in and explore emerging trends in East Asia’s evolving threat landscape, where China conducts both widespread cyber and influence operations (IO), while North Korean cyber threat actors demonstrate growing sophistication. [thumbnail img]Microsoft Quarterly Cyber Signals Report: Issue 5, State of Play
Cyber Signals is a quarterly cyber threat intelligence report informed by the latest Microsoft threat data and research, offering an expert perspective into the current threat landscape, while discussing trending tactics, techniques, and strategies used by the world’s most prolific threat actors.
