Microsoft Cloud App Security | All the settings covered in less than 30 Minutes

Captions
Hi guys, hope you're all doing well. Welcome back to our channel. In this video I'm going to talk about Microsoft Cloud App Security, and I'm going to discuss each and every setting option that's available on the MCAS portal. The reason behind covering each and every option that's available on the MCAS portal is that this is something which is going to help you in doing more sophisticated investigations, and it is also going to let you know the possibilities which are available, that means the amount of capabilities which are available that can be integrated with MCAS itself. There must be something that you're trying to achieve, and if you want to know where exactly you should go, this video is going to help you out. So, as I've said before, the core agenda of this video will be knowing each and every setting that exists on the MCAS portal, and not only this: how the integration works between Defender for Endpoint and MCAS, Azure AD Identity Protection and MCAS, and last but not least Azure Information Protection and MCAS.

Now I'm going to switch to my browser, where I have signed in with Global Admin permission to portal.cloudappsecurity.com, which is the portal link to go ahead and access the MCAS portal. As you can see, as of now I'm at the home page of my MCAS portal. If I go to my right-hand side and click on this option which says Settings, you can see I'm getting a lot more options over here, but if I click on the Settings tab itself, again there are multiple options which are getting listed over here. My agenda is to go ahead and cover each and every option that exists here as well as in this particular section.

So let's proceed by going to Governance log. The kind of information that will get listed over here will be basically the governance actions that you have taken, and some audited information with respect to those actions that you have created, likewise whether you have generated any report or not, or whether you have created a snapshot report or not.

I'll again click on Settings, and now I'll go to the Security section. This is the section which is very important for admins as well as developers, because, as you know, all the information which is getting generated by MCAS can be queried with the help of the APIs which are available. So if I click on Help and then on API documentation, I will be redirected to a page wherein a set of APIs and methods will be listed in terms of how I can go ahead and query the MCAS information. This section that you see here will help you to create the API token that will be used to query the information which MCAS is generating, with the help of an API. So if I click on Add token, I can actually go ahead and give it any name over here, and then I can create one token for myself that I will be using to go ahead and query information which is generated by MCAS. Okay, so I'll click on Close.

The next option is SIEM agent. Since Microsoft Cloud App Security is integrated with Azure Sentinel out of the box, all you need is an active subscription and a working Log Analytics workspace which will be bound to Azure Sentinel, obviously, and then you can go ahead and click on Add SIEM agent and then click on Azure Sentinel. That means the telemetry which is captured by MCAS will be sent to the Log Analytics workspace which Azure Sentinel has been set up with. But if you have, let's say, some other SIEM where you want to query the same set of information which MCAS is generating, then you can actually go ahead and follow the steps which will be listed on this particular console. By default you can actually go ahead and query the generic CEF format, but Micro Focus ArcSight is something which is listed out of the box. Okay, so I'll click on Quit.

Then I'll click on External DLP. As we know, Microsoft 365 DLP capabilities are integrated with MCAS out of the box, but you can actually go ahead and add other DLP solutions as well, and some of them are listed over here. That means the rules that you are defining for different kinds of data sets that have to be checked, or different kinds of policies, can be used with MCAS basically. This is something which is more focused towards the data protection part, that means how you're going to make sure that any information that is confidential for your enterprise should not get leaked on a device which, let's say, is not trusted, or that there should be no data exfiltration. These are some hypothetical examples that I'm giving, but the actual focus of this particular console is to go ahead and add the external DLP solutions that you have.

Now I'll click on Playbooks. If you remember, there was a solution named Microsoft Flow to define some of the flows that should get triggered if a specific activity is happening, or if a specific activity is the result of some policy that you have already created. The previous name was Microsoft Flow, but now this is named Power Automate, because this is a kind of service which now falls under the scope of the Power Platform itself. So this particular console that you see here, you can use that to go ahead and create your own custom flows that you can bind with policies. That means if any specific activity that's matching this policy is getting triggered, then this specific flow should get triggered also, something like that.

Now I'll again click on Settings, and the next option is Manage admin access. This is something which I have already covered in a lot more detail, where I discussed that this is more related to the role-based access control capabilities of the MCAS portal itself. That means if I click on Add user, I can actually go ahead and select any of these options, and then, depending upon the role that I have assigned to a specific user, he or she will be able to perform a certain activity.

The next option that we see here is Exported reports. Depending upon the investigation that you are doing, let's say for Shadow IT or for Conditional Access App Control, and depending upon the data that you are exporting, all those reports will get listed over here and can be reviewed or downloaded later.

The next option is Scoped deployment and privacy. This is also something which I have covered in a lot more detail in the session control video, but I'll just give a brief overview here. Depending upon your requirement, you can either include or exclude a specific set or group of users in the policies that you are creating. But when I talk about this last section, which says Activity privacy, this is something which is very important, and I would like to explain this with an example. Let's say there are five users for which privacy is the key concern, let's say there are executives or some users for which you don't want any random admin to go ahead and read the activities of what they are doing. So in this case you'll define a privacy pattern for them, and then you will align a specific admin to go ahead and read the information for those particular users. This kind of setting is actually done from here. As you can see, it says "control the privacy of user activities" as step number one, and then "only admins with relevant permission can view the hidden activities".

Now I'll again click on Settings and then I'll click on Log collectors. What you see here getting listed by default is Microsoft Defender for Endpoint. There is a very specific reason why this information is getting listed over here: for this particular tenant, or this particular directory, or this particular set of licenses that I have, I have already integrated Microsoft Defender for Endpoint with MCAS. Now the question comes, how can you do that? All you have to do is go to securitycenter.windows.com, then click on Settings, and then click on Advanced features. Scroll down and there will be an option which says Microsoft Cloud App Security. The moment you click on this option, the telemetry which is getting captured by Microsoft Defender for Endpoint will be injected into, or shared with, MCAS itself, so that MCAS can perform the Shadow IT part. Let me explain this with an example. If I have log collectors in an on-prem environment, what will happen if the user works from home, which has been the new normal for so many months and is how it is going to be in the future as well? Let's assume that there must be some agent that sits on a box, or on a machine, that can send the telemetry. Now, if you have Microsoft Defender for Endpoint, which is MDATP, with whichever name it is known to you, there is a very specific telemetry that gets captured from that particular device. If that telemetry which MDATP is capturing gets shared with MCAS, MCAS can go ahead and check for the Shadow IT part which is happening on that particular device altogether. But this is the same console which you will be using to add the appliances that exist in your on-prem environment. So you will choose any one of these options, and then you'll go ahead and set up a Docker container which will receive the logs from your appliance, and then that particular Docker container is going to send that information to the MCAS instance.

Now I'll again click on Settings and then I'll click on App connectors. This is something again which I have very precisely covered in the previous videos as well: depending upon the app that you're going to add and depending upon the capabilities that are available from the application side, likewise they have certain APIs which are available for public consumption so that MCAS can go ahead and read the activities which are happening. To explain this with an example: let's say I have a Salesforce instance, or I'm using Salesforce and I have assigned this application to multiple users. Then if I integrate Salesforce here with MCAS, MCAS can actually go ahead and read all the activities of my Salesforce tenant, and then it can show me all those activities on the MCAS console itself. This is the purpose of this particular option. As you can see, there are some predefined apps which get listed over here, but let's say if you have any application which you want to get listed, you can actually click on this option and just suggest that application to Microsoft's team.

Now I'll again click on Settings, and the next option is Conditional Access App Control, which I very briefly covered in the previous videos; typically session controls are the examples that I have covered, so if you want you can go ahead and watch the previous videos and you'll get a lot more insights. It's just that you'll click on Settings, and if you click on this option you'll get routed to this particular section.

The next option is IP address ranges, which is more about defining the named locations concept. That means there is a specific range that you're going to define, and then you can actually use this particular location, or this particular name, in your policy to either include or exclude it as part of the scope that a policy has to apply to.

Then you have User groups, a very important option, where you can actually import the groups which are defined in the different connected apps. As of now this particular instance only has Office 365 listed, so that's the reason why all the groups that exist in my Azure AD are getting listed over here. But let's say if I have multiple other applications, then all the groups that exist for my other applications will also get listed over here.

So now I'll again click on Settings and I'll go to the Settings tab. What you see first is an option which is more related to some of your branding settings, that means organization name and organization logo, and what you see here is a Managed domains section. Whatever domains you have added by default in your directory will get listed over here as managed domains, but if you want you can add some external domain here as well, and then use those domains as an exclusion or inclusion in the policies that you are creating.

The next one is Mail settings. Whenever there is any anomaly or any alert that MCAS as a service has to send to the user, there is a specific template which is used by default. If you want, you can create your own template and then upload it. The moment you upload it, you can click on Send a test mail, and whichever account you're logged in with as of now, that particular user is going to receive that email. You can go ahead and verify the format, or the set of information, which is getting sent by MCAS, depending upon the custom template, obviously, that you have uploaded.

The next one is Export portal settings. Now, there is something which I was not able to find: this particular option will help you to download a JSON file that will have a dump of all the settings that you have on the MCAS portal. It's a kind of dump that you can create, and as you can see it's specifically mentioned over here, "export your portal configuration including policy rules, user groups and IP address ranges". But unfortunately I was not able to find any option to import these settings, so I'm not sure whether the dump that we are taking as of now can be used anywhere or not.

The next one is Automatic sign out. Depending upon the threshold that you're defining here, let's say 15 minutes, 20 minutes, or whatever set of options are available over here, if an active session reaches this threshold, then the user should be signed out.

The next one is Activity privacy. This is again something which is more related to scoped deployment itself, which I have specifically covered when we were talking about the options that we navigated to from here.

The next one is Cloud Discovery, and the first option is Score metrics. The risk parameters which are evaluated for an application, from which a risk score is displayed on the Shadow IT console, or the discovered apps section, are something that can be customized from here. That means you can actually go ahead and define the importance of a specific feature that has to be available for a specific application, and depending upon the customization that you are doing from here, it can be compliance, it can be legal, it can be security, it can be anything, the risk score of your application is going to be customized.

The next section is Snapshot reports. This is something which I have again covered in a lot more detail: you can actually download a sample file from the MCAS portal itself. So the moment I go ahead and select any of the appliances here I'll get a sample file, and the moment I download the sample file I can just upload that file and see how the interface of the MCAS portal is showing the results. But the actual purpose of this option is to go ahead and upload some of the logs that are generated by the appliance that you're using in your on-prem environment, so that you can actually go ahead and see how much insight you are getting from the Shadow IT part, or the Shadow IT service, or the capability which MCAS has to offer. In a nutshell, you can use this console to upload a very small part of the logs that are getting generated in your on-prem environment, but obviously for production environments it's always recommended to either have your MDATP directly integrated with MCAS or have the automatic log uploader in your on-prem environment.

The next section is Continuous reports. You can actually go ahead and create sample reports, and you can scope them for a specific user or for a group, or let's say there is a very specific requirement for your executives that there should be no user risk with their accounts, so you can actually go ahead and create a continuous report for them. And again, as I said before, when it comes to filtering you have these three types of filters available; you can actually go ahead and just do a different combination, and then a specific report will be generated for you.

The next one is Automatic log upload. This is something which I have already discussed: this option is coming here because MDATP, or Microsoft Defender for Endpoint, is directly integrated with the same MCAS instance. But when we talk about a production environment, not only MDATP but you may have certain appliances which you want to set up with the help of automatic log upload, wherein there is a dedicated Docker container that will exist in your on-prem environment, if it is an on-prem solution, and that will send the information to the MCAS instance altogether.

The next one is App tags. Think about this: there is an application which has a very low risk score, but for some reason it is getting used by many of your users. In this case you may not want to just go ahead and block that application, so you'll keep that application in a monitoring phase, you'll have some set of users who can go ahead and manage those activities, and then if required that application will be blocked. So instead of having only two tags, sanctioned and unsanctioned, you can have different app tags as well, and depending upon your requirement you can align those tags to those particular applications.

This one that you see here is Exclude entities. You can go ahead and exclude users, IP address ranges that you have defined, or specific devices, and then you can go ahead and have a specific set of telemetry that will be shown to your Shadow IT part, or your policy insights, whatever you want. This section is basically there to exclude specific entities from getting monitored by MCAS.

Then this section that you see here is Microsoft Defender for Endpoint. Think about this: when you have on-prem appliances and you are uploading data, as we know there are certain block scripts that you have to run. So if I go to my dashboard, and then to Discover, and then to the Cloud Discovery dashboard, you see this option which says Generate block script. This is something which is going to create a script for you that you will be running on your on-prem appliance so that the respective applications can be blocked. But that's not the case when you have the MDATP integration with MCAS. What do I mean by this? That the moment you mark any application as an unsanctioned application, the access will be blocked. So what you see here is "Microsoft Defender for Endpoint integration: Block unsanctioned apps. Enabling this will block endpoint access to cloud apps marked as unsanctioned in Cloud App Security", and then you can actually go ahead and define your own alert severity, so that when an application has been blocked, a specific alert will be generated.

Then the next one is User enrichment. Honestly speaking, the name resolution of the users that exist in your Azure AD happens by default, so I have never enabled this feature in any of my instances or in any of my environments. But if we talk about the actual purpose of this particular option, as you can see it is clearly mentioned over here: "User enrichment automatically matches, enriches and replaces discovered user identifiers with Azure Active Directory usernames". So I think this is a kind of feature which exists by default, because MCAS is something that uses Azure AD as an identity provider. But let's say there are some unusual ways, or some irrelevant information that's coming (honestly, I have never seen that, but I'm just giving you a hypothetical example), then for the name resolution process you can actually enable this particular feature altogether.

Then you have Anonymization. This is something which is more related to users' privacy concerns itself. So instead of just highlighting the names of the users, likewise if I go to any of my reports, let's say I go to the Cloud Discovery dashboard and then to the Users section by selecting a proper report altogether (I've gone to a snapshot report), there will be a Users section that you see here. Instead of highlighting, or instead of mentioning, the names like this directly, these IDs should be anonymized, and you can do that by going ahead and selecting these options, likewise anonymize user names by default or device names by default.

Then Deleting data: if you want, you can just delete your entire MCAS data. There is a very specific limit, or time frame, which is required by Microsoft to completely remove your data. I'll add that article in the description section; if possible, please go ahead and read that article as well.

The next section is Threat protection. If you have an Azure ATP license, it's an on-prem technology, and the new name for that is Microsoft Defender for Identity. That means when I say on-prem, I specifically mean that the Azure ATP instance, or Microsoft Defender for Identity, that you set up on-prem actually goes and monitors all the activities that are happening for a user with the help of the logs that it captures from your domain controllers, and lately support for AD FS has also been announced. That means, similar to the agents that you were installing on your domain controllers, there is an AD FS agent as well that can be installed, so that you have unified telemetry. Now if you enable this particular option, the insights that are getting generated from Microsoft Defender for Identity, or Azure ATP, with whichever name you know that particular product, get shared with MCAS, and you'll have more correlated insights. The next one is Azure AD Identity Protection, which is very much obvious, because Azure AD Identity Protection also goes ahead and monitors for user anomalies which are happening.

Then you have the Information Protection section. The first one is Admin quarantine. Let's say you have a policy which says if any file which is password protected is detected in a specific OneDrive instance, or some app instance, some policy which is more related to file monitoring that you have created, and you want to quarantine that; in that case that file should be quarantined somewhere. So this section will help you to select that particular location, where exactly you want the file to be quarantined.

The next one is the integration of Azure Information Protection. You have to make sure that the first option is selected, because this is something which is going to monitor all the labeled and unlabeled content that exists in multiple repositories. If you select the second option, which specifically says only scan files for Azure Information Protection classification labels and content inspection warnings from this particular thing, then in this case, majorly, the classified files that exist for your tenant specifically will get monitored. So my suggestion would be to always select the first option. Once you select the first option, instead of Save, what you see here is an option named Grant. You have to click on that and then you have to accept the consent that the AIP service is getting accessed by MCAS. The moment you accept that consent, you'll get this particular option which says Active over here.

Then you have the integration between MCAS and Azure Security Center; all you have to do is click on this option and then click on Save. Now, before MCAS can go ahead and monitor any files or any data that's generated by your SaaS applications, you have to enable this option which says Enable file monitoring and then just click on Save.

The last section is Conditional Access App Control. Let's say for some reason session control is down, I'm talking about system downtime, I'm talking about the service itself; in that case, whether you want the users to have access or you want to block the users' access, that's the purpose of this option which says Default behavior. Then you have User monitoring. That means when the user has been scoped for a session control policy and the controls are actually getting triggered, in that case whether there should be any message that should be shown to the user or not; if yes, then you can actually go ahead and customize your message as well. Then you have the Device identification section. By default, MCAS understands Intune compliant devices and hybrid Azure AD joined devices, and the reason behind that is Azure AD itself, right? But there is a way where you can have certificates deployed to the clients so that they can be marked as trusted devices. If possible, I'll try to create a video for this particular section as well, but these are the three different states that can be checked for a specific access to be allowed or blocked. Last but not least is App maintenance and onboarding access. You can actually define some of the users here to have the capability to go ahead and perform all the tasks which are more related to session controls, or onboarding apps, or all the app activities that are more related to either administration or governance; you can actually come here and define those particular users.

So basically this is the purpose of each and every option that exists on the MCAS portal. Depending upon the different features that I'm going to cover in the upcoming videos, I'll go deep, but this is a video which is very much required and very important, obviously, because there are certain things which I'm going to cover wherein I may use some of these settings as a reference point altogether. So I hope with this video you have learned something new that can help you to understand MCAS in a much better way. Let's do a quick summary: we have discussed all the settings that are available on the MCAS portal, and the purpose behind the integration of MCAS with different services like Microsoft Defender for Identity, Microsoft Defender for Endpoint, Azure AD Identity Protection and Azure Information Protection. In the next video I'm going to talk about how you can go ahead and investigate the Shadow IT insights which are getting generated by MCAS. So if you think that this channel is helping you to learn anything new, please feel free to subscribe. Thank you so much, thanks for your time, and share this video with your technical community. Thank you, bye.
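The SIEM agent setting discussed in the video mentions that a non-Sentinel SIEM can receive the MCAS feed in the generic CEF format. What follows is an added example, not code from the video, the channel or Microsoft: a small CEF parser (header fields plus the key=value extension, including the `\|` and `\=` escapes and the ArcSight `csNLabel`/`csN` custom-field pairs) run over constructed sample lines shaped like the SIEM agent feed, followed by a simple triage filter that keeps alert records at or above a severity threshold. The sample records, host names, users, IPs, policy names and extension keys are all made up for illustration; real MCAS records differ in their exact extension keys, so treat the field names as assumptions.

```python
"""CEF parsing and triage for a Cloud App Security SIEM-agent style feed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample lines (made up for this example, not real MCAS output),
# shaped like the SIEM agent's generic CEF feed: a syslog-style timestamp, then
# "CEF:" followed by the 7 pipe-delimited header fields and the extension.
SAMPLE_LOG = r"""
2021-04-10T10:15:02.000Z CEF:0|MCAS|SIEM_Agent|0.175.100|EVENT_CATEGORY_LOGIN|Log on|0|externalId=1000001 rt=1618049702000 msg=Log on suser=alice@contoso.example destinationServiceName=Office 365 cs1Label=portalURL cs1=https://contoso.portal.cloudappsecurity.com/#/audits?activity.id\=eq(1000001,) cs5Label=policyNames cs5= src=203.0.113.10
2021-04-10T10:16:40.000Z CEF:0|MCAS|SIEM_Agent|0.175.100|ALERT_CABINET_EVENT_MATCH_AUDIT|Alert: Impossible travel activity|7|externalId=2000001 rt=1618049800000 msg=Impossible travel activity suser=alice@contoso.example destinationServiceName=Office 365 cs1Label=portalURL cs1=https://contoso.portal.cloudappsecurity.com/#/alerts/2000001 cs5Label=policyNames cs5=Impossible travel src=198.51.100.7
2021-04-10T10:20:11.000Z CEF:0|MCAS|SIEM_Agent|0.175.100|EVENT_CATEGORY_RUN_COMMAND|Run command \| Exchange|0|externalId=1000002 rt=1618050011000 msg=Run command: Set-Mailbox suser=bob@contoso.example destinationServiceName=Microsoft Exchange Online cs5Label=policyNames cs5= src=203.0.113.22
2021-04-10T10:25:00.000Z CEF:0|MCAS|SIEM_Agent|0.175.100|ALERT_CABINET_EVENT_MATCH_AUDIT|Alert: Unsanctioned app use|5|externalId=2000002 rt=1618050300000 msg=Unsanctioned app use suser=bob@contoso.example destinationServiceName=Dropbox cs5Label=policyNames cs5=Block unsanctioned apps src=203.0.113.22
"""

_HEADER_FIELDS = 7                                   # Version|Vendor|Product|DevVersion|SigID|Name|Severity
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair in the extension
_ESC_RE = re.compile(r"\\(.)")                       # CEF backslash escapes: \\ \= \n \r


@dataclass
class CefEvent:
    timestamp: str
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: int
    ext: Dict[str, str] = field(default_factory=dict)

    def labelled(self, label: str) -> str:
        """Resolve an ArcSight custom field (csN/cnN) by the name in its csNLabel/cnNLabel."""
        for key, value in self.ext.items():
            if key.endswith("Label") and value == label:
                return self.ext.get(key[: -len("Label")], "")
        return ""


def _unescape(value: str) -> str:
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(record: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped '|' and return them plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < _HEADER_FIELDS:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):      # escaped '|' or '\' inside a header field
            cur.append(record[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < _HEADER_FIELDS:
        raise ValueError("malformed CEF header: %r" % record[:60])
    return fields, record[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Cut the extension at each key=, so values may contain spaces but not an unescaped '='."""
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef_line(line: str) -> CefEvent:
    timestamp, _, record = line.partition(" CEF:")
    if not record:
        raise ValueError("no CEF record in line: %r" % line[:60])
    hdr, ext = _split_header(record)
    return CefEvent(timestamp=timestamp, vendor=hdr[1], product=hdr[2], version=hdr[3],
                    signature_id=hdr[4], name=hdr[5], severity=int(hdr[6]),
                    ext=_parse_extension(ext))


def parse_feed(text: str) -> List[CefEvent]:
    return [parse_cef_line(line.strip()) for line in text.splitlines() if line.strip()]


def triage(events: List[CefEvent], min_severity: int = 4) -> List[Tuple[str, str, int]]:
    """(user, policy name, severity) for alert records at or above min_severity; audit events are skipped."""
    hits = []
    for ev in events:
        if ev.signature_id.startswith("ALERT_") and ev.severity >= min_severity:
            hits.append((ev.ext.get("suser", ""), ev.labelled("policyNames"), ev.severity))
    return hits


if __name__ == "__main__":
    for user, policy, severity in triage(parse_feed(SAMPLE_LOG)):
        print(f"sev={severity}\t{user}\t{policy}")
```

The header splitter stops after exactly seven fields so that pipes inside the extension (URLs, command lines) are never treated as delimiters, and the extension is cut at key boundaries rather than on spaces, which is what lets `destinationServiceName=Office 365` survive intact. Anything the SIEM needs from the MCAS record, such as the portal deep link, is then reachable by label (`labelled("portalURL")`) instead of by the positional `cs1` slot.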
Info
Channel: Concepts Work
Views: 2,809
Id: z0vQOt_-qpk
Length: 29min 25sec (1765 seconds)
Published: Sat Apr 10 2021