We’re excited to announce that the Microsoft Defender for Cloud Apps SecOps experiences are now available as part of Microsoft 365 Defender in public preview. Natively integrating the Defender for Cloud Apps experience within Microsoft 365 Defender streamlines the process of investigating and mitigating threats to your users, apps, and data - enabling you to review many alerts and incidents from a single pane of glass for more efficient investigation.
Now let’s look at the scenarios and Defender for Cloud Apps pages included in the Microsoft 365 Defender portal as part of the public preview.
Unified SOC experience
Unified Alerts Page
The unified alerts page intertwines Defender for Cloud Apps with the Microsoft 365 Defender incident. The deep integration of the alert page reduces the need to pivot between portals when diving into an alert. The structure of the alert pages themselves is planned to remain similar to what's in Microsoft Defender for Cloud Apps, including the alert story, additional cross-workload information, and references to the related activities from the activity log where that data is available.
The first component displays linked entities such as the IP address, the app (including app discovery), the account, the OAuth application, and the file. Additionally, detection feedback and alert management are part of the new unified view and form an important part of the Microsoft Defender for Cloud Apps logic.
In this example, an alert for an impossible travel incident is shown within Microsoft 365 Defender. Expanding the alert shows the severity, the investigative state, the category the alert falls under, the impacted assets, and more.
Image1: Integrated incident view
Security analysts can drill down deeper into the incident from within Microsoft 365 Defender.
In this example, we emulated an attack scenario where the adversary is:
Using the TOR browser to hide their IP address
Connecting with a password, which they may have found on the dark net, compromising Aldo’s account
Sending phishing emails
Manipulating an inbox rule to automatically hide replies to their mailbox
Deleting multiple emails to hide their sent emails
Turning on anonymous access to the inbox to allow them to connect to this mailbox even if the password changes
In response to this scenario, an incident was created within Microsoft 365 Defender, correlating alerts generated from Microsoft Defender for Cloud Apps with alerts generated from Azure Active Directory Identity Protection and Microsoft 365 Defender. Expanding the alert shows the severity, the investigative state, the category the alert falls under, the impacted assets, and more.
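To make the correlation step concrete, here is an added example (not Microsoft code and not the Defender alert schema) that replays the scenario above against constructed audit events: an anonymizer sign-in, a hide-replies inbox rule, a phishing send, a mass delete, and an anonymous mailbox permission grant, plus one benign inbox rule from another user. Each event is first mapped to an alert, and alerts for the same account within a one-hour window are then folded into a single incident carrying the highest severity, the contributing sources, and the impacted assets. The event field names (`anonymizer`, `rule_actions`, `grantee`, and so on) and the source labels are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names are this example's assumption, not a Defender schema).
EVENTS = [
    {"time": "2022-05-10T08:00:00", "source": "IdentityProtection", "user": "aldo@contoso.example",
     "type": "SignIn", "ip": "203.0.113.7", "anonymizer": True},
    {"time": "2022-05-10T08:04:00", "source": "DefenderForCloudApps", "user": "aldo@contoso.example",
     "type": "InboxRuleCreated", "rule_actions": ["MoveToFolder:RSS Feeds", "MarkAsRead"]},
    {"time": "2022-05-10T08:05:00", "source": "DefenderForOffice", "user": "aldo@contoso.example",
     "type": "EmailSent", "recipients": 48, "classification": "Phish"},
    {"time": "2022-05-10T08:09:00", "source": "DefenderForCloudApps", "user": "aldo@contoso.example",
     "type": "EmailDeleted", "count": 52},
    {"time": "2022-05-10T08:11:00", "source": "DefenderForCloudApps", "user": "aldo@contoso.example",
     "type": "MailboxPermissionChanged", "grantee": "Anonymous"},
    # Benign noise: a single, ordinary inbox rule from an unrelated user.
    {"time": "2022-05-10T09:30:00", "source": "DefenderForCloudApps", "user": "bea@contoso.example",
     "type": "InboxRuleCreated", "rule_actions": ["MoveToFolder:Newsletters"]},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def classify(event):
    """Map one raw event to an alert (title, severity), or None if it is not suspicious."""
    kind = event["type"]
    if kind == "SignIn" and event.get("anonymizer"):
        return "Activity from anonymous IP address", "medium"
    if kind == "InboxRuleCreated":
        actions = event.get("rule_actions", [])
        # Rules that delete or mark-as-read incoming mail are the "hide replies" pattern.
        if any(a.startswith(("Delete", "MarkAsRead")) for a in actions):
            return "Suspicious inbox manipulation rule", "medium"
    if kind == "EmailSent" and event.get("classification") == "Phish":
        return "Suspicious outbound email", "high"
    if kind == "EmailDeleted" and event.get("count", 0) >= 20:
        return "Mass delete", "medium"
    if kind == "MailboxPermissionChanged" and event.get("grantee") == "Anonymous":
        return "Suspicious mailbox permission change", "high"
    return None


def detect(events):
    """Turn raw events into alert records, keeping the fields needed for correlation."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        title, severity = hit
        alerts.append({"time": datetime.fromisoformat(ev["time"]), "user": ev["user"],
                       "source": ev["source"], "title": title, "severity": severity,
                       "ip": ev.get("ip")})
    return alerts


def _build_incident(user, cluster, min_alerts):
    """Summarise a cluster of alerts into one incident, or nothing if the cluster is too small."""
    if len(cluster) < min_alerts:
        return []
    severity = max((a["severity"] for a in cluster), key=SEVERITY_RANK.__getitem__)
    ips = sorted({a["ip"] for a in cluster if a["ip"]})
    return [{"user": user, "severity": severity,
             "sources": sorted({a["source"] for a in cluster}),
             "impacted_assets": [user] + ips,
             "alerts": [a["title"] for a in cluster]}]


def correlate(alerts, window=timedelta(hours=1), min_alerts=2):
    """Group alerts by account and fold alerts that fall within `window` of each other into incidents."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    incidents = []
    for user, user_alerts in by_user.items():
        user_alerts.sort(key=lambda a: a["time"])
        cluster = []
        for a in user_alerts:
            # Start a new cluster when the gap from the previous alert exceeds the window.
            if cluster and a["time"] - cluster[-1]["time"] > window:
                incidents.extend(_build_incident(user, cluster, min_alerts))
                cluster = []
            cluster.append(a)
        incidents.extend(_build_incident(user, cluster, min_alerts))
    return incidents


if __name__ == "__main__":
    for inc in correlate(detect(EVENTS)):
        print(f"[{inc['severity'].upper()}] incident for {inc['user']} "
              f"from sources {inc['sources']}; assets {inc['impacted_assets']}")
        for title in inc["alerts"]:
            print("  -", title)
```

The benign rule from the second user produces no alert on its own, so no incident is raised for that account; the compromised account yields one incident with five alerts from three sources, which is the cross-workload view the incident page in the screenshot presents.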
Image 2: Incident overview
Clicking on one of the alerts opens the alert page, which includes the involved entities, the alert’s story, and, as shown in the next example of the “Suspicious inbox manipulation rule” alert, other contextual information and activities related to this alert:
Image 4: Alert view
We’re also excited to announce that, together with the Defender for Cloud Apps experience in the Microsoft 365 Defender portal, we’ve started to present file hashes as part of the “Malware detection” alert. The alert now also includes hashes for malware detected in SharePoint/OneDrive, in addition to the non-Microsoft storage apps that were supported until now.
Malware detected by Defender for Cloud Apps will also show the VirusTotal detection ratio and the prevalence of the same malware on devices in the tenant:
Image 5: Malware detection alert
Unified Alerts Queue with Advanced Filters
Security analysts have access to a unified queue that shows Defender for Cloud Apps alerts within the Microsoft 365 Defender queue. The view can be customized using a flyout menu that provides a variety of filters, enabling you to identify and focus on the tasks you’re prioritizing.
Image 6: Alert filters
The activity log page that you currently access using the Defender for Cloud Apps portal is available in Microsoft 365 Defender and provides a similar user experience. It allows pivoting to entities in the Microsoft 365 Defender portal, such as the user page. Related security investigations for your cloud apps can now be completed using one dashboard.
The assets section in Microsoft 365 Defender creates the cross-asset story in both posture and XDR experiences and consolidates the different inventory capabilities of the Defender products. It converges into the Microsoft 365 Defender portal, allowing customers a unified place to view all their discovered assets.
The new “Identities” assets section, previously known as “Users and accounts” in the Microsoft Defender for Cloud Apps portal, consolidates all discovered identities across Active Directory, Azure Active Directory, and 3rd-party applications that are connected to Microsoft Defender for Cloud Apps. This gives security teams both a browsing experience and the added security value of sorting identities by risk factors.
Image 8: Identities view
Summary and next steps
The SecOps user experience for Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and provides security teams with a central experience for discovery, investigation, mitigation, and handling of incidents. App data will now also be correlated with insights from other workloads, such as endpoints, mail, or identity, if the relevant products are deployed in your environment, enabling a centralized XDR experience.
The same functionality will co-exist in the Microsoft Defender for Cloud Apps standalone portal. Both portals are available to you. You can continue to use the Microsoft Defender for Cloud Apps portal for shadow IT discovery, information protection, and managing policies and settings. We plan to converge these capabilities in Microsoft 365 Defender to enable a unified admin experience soon.