Hi @Newlife, thank you for the questions. Please see my responses below:
Alert for adding GA or adding users to a security role
Yes, these activity types are supported “Add member to group/role”. In addition, with integrations with Azure ATP, we can detect suspicious additions to sensitive groups. Custom sensitive groups can be defined by admins.
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-domain-dominance-alerts#suspic...
Another approach is to customize your filter to include the “Acitvity objects” “Activity object ID” equals the AAD group objectID from Azure AD. This can easily be added to any filter within the Activity Log by navigating to the activity and clicking the “Activity Objects”. Within those objects, there are icons to include the objects in the filter.
Alert for Adding external guests to Teams sites
We have MS Teams specific templates that will detect this activity. See below:
Access level change (Teams): Alerts when a team's access level is changed from private to public.
External user added (Teams): Alerts when an external user is added to a team.
Mass deletion (Teams): Alerts when a user deletes a large number of teams.
Alert for adding user for specific group (Like domain admin)
Same as #1
Are live monitoring control only application based “web access” or include desktop client such as “desktop Teams, desktop outlook app”?
Conditional Access App Control can monitor and control the session in real time for web-based applications. We have access control policies which can be used to block the desktop and mobile clients.
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls
When will the enforcement occur following a monitoring alert? How much time? (without reverse proxy)
When using Conditional Access App Control, session controls are in real time. If you elect to monitor the session, no controls will be used. This provides an avenue to analyze user behavior to understand under what conditions session policies should be applied in the future. Without CaaC enabled, you can leverage API connected application that perform governance functionality in near real time.
https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governa...
They want to create alerts when someone upload or download files in Teams
We have activity filters that support upload/download file.
Specific alert if there is sensitive information in the file.
File policies support DLP functionality.
https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies
MCAS to block and protect download of sensitive data to unmanaged or risky devices: Can they do it with OCAS?
Only for Office Apps but the license requirements also include Azure AD P1.
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad
Can it apply only on web app or include desktop app?
Only web-based applications. You would need to use access policies to limit desktop and mobile applications to provide a comprehensive approach to securing those apps.
Are all the built-in policies that we can see in the OCAS portal can be applied?
Yes
Blocking / alert for sharing files based on if the user is external or internal user.
That control should be handled with the native tools built into OD4B/Sharepoint https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview
Block and alert if the connection to O365 portal and O365 services was from other country then Israel.
This can be done with Azure AD Conditional Access Policies.
Alerts can be configured in CAS to filter on activity type such as logon and location.
If you have any more question, feel free to reach out.