In this post I explore how to integrate Defender for Endpoint with Defender for Cloud Apps natively without having to go through much effort.
Why would you want to do this? Once traffic information is collected by Defender for Cloud Apps, you can analyse what Cloud Apps your users are accessing, including details such as website address, IP, user and device name.
Defender for Cloud Apps takes advantage of capabilities to block endpoint device access to Cloud Apps. Cloud Apps can include any application or website accessed over the Internet, for example, Office 365 and websites such as social media sites. For example, you may want to identify commonly used risky cloud storage and collaboration websites your users may be using and unsanction (block access). Defender for Cloud Apps helps you manage over 31,000 apps by assessing risk factors provided by Microsoft to ensure compliance. If a Cloud App does not meet security and compliance requirements, you can unsanction the app. This is basically shadow IT and mitigation, allowing you to block the use of unauthorised Cloud Apps in your organisation with a click of a button.
Pre-requisites
- Microsoft Defender for Cloud Apps license
- Microsoft Defender for Endpoint with Plan 2 OR Microsoft Defender for Business with a premium or standalone license.
- Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 and Windows 11 versions.
- Enable Microsoft Defender Antivirus:
There are number of configuration options we must enable before the data we require from our user devices is visible within Defender for Cloud Apps.
- Access the Microsoft Defender XDR portal at security.microsoft.com
- From the left pane, click settings.
3. Click Endpoints
4. Click Advanced features
5. Scroll down to Microsoft Defender for Cloud Apps and enable this option.
6. From the left pane, click Settings again
7. Click Cloud Apps
8. Under Cloud Discovery, click Microsoft Defender for Endpoint
9. Enable enforce access. Once you discover and unsanction unauthorised Cloud Apps, users will not be able to access them and will receive a warning. You can also set up additional alerting options as required, such as redirecting the users to a custom web page of your choice when a website/cloud app is blocked.
10. Click Settings > Endpoints > Advanced features, and then select Custom network indicators. This allows you to leverage Microsoft Defender Antivirus network protection capabilities to block access to URLs using Defender for Cloud Apps.
11. Click Yes to confirm.
It can take up to 2 hours before information is passed from the endpoints to Defender for Cloud Apps
12. Access Defender for Cloud Apps (security.microsoft.com) and click Cloud Discovery from the left pane as shown in the image below.
13. Once the data is visible in Defender for Cloud Apps, a new report similar to the one below should be visible. The report shown in the image below is named Win10 Endpoint Users.
14. In the Win10 Endpoint Users report, some statistics start to become visible. Click Discovered apps.
15. We can see a list of Cloud Apps being accessed by users. There is not much going on as I only have one Windows 10 machine and one user that I used for this demo.
Each Cloud App/website is assessed against a catalog of built in Cloud Apps. The Microsoft Defender for Cloud AppsĀ catalogĀ page provides a list of over 31,000 discoverable Cloud Apps. Defender for Cloud Apps discovery analyses your traffic logs from your Windows 10 and 11 devices to give you ongoing visibility into Cloud use, shadow IT, and risks posed to your organisation. Defender for Cloud Apps rates each website/cloud app risk based on regulatory certification, industry standards, and best practices.
16. We can dig deeper and check the users and IP addresses tab.
17. All Cloud Apps accessed by my demo users are ok from a risk score point of view, but let’s assume that I wanted to prevent my users from, accessing Dropbox or other websites. I could unsanction, block access to the Cloud App.
Note: unsanctioning a Cloud App blocks access for the whole organisation. However, you can create custom App tags which can be based on include and exclude. You can then select to exclude or include certain devices. For example, block access to social media sites for all devices apart from marketing user devices.
18. Once I click unsanction, a list of drop box url’s are added to a blocked list known as Indicators. These can be viewed by clicking settings from the left menu > Endpoints and then scroll down to Indicators as shown in the image below.
19. You’ll find that as part of unsanctioning Dropbox, a number of urls are added automatically by Defender for Cloud Apps, such as dropbox.com, dropbox.jp, dropboxbusiness.com and more. You could also manually add website addresses you wish to block from user devices.
Note: it can take a few hours, sometimes up to 24 hours before the changes are synced to Defender for Endpoint.
20. We can also unsanction Cloud Apps from the catalog of over 30,000 built in apps. From the left pane click Cloud App catalog.
21. I filter to display all Cloud Apps with a risk score of zero. Change the filter as per your requirements using the risk score option shown in the image below.
A total of 321 apps (at the time of writing) with a risk score of 1 appear from the catalog.
22. Let’s click the first one in the list, torrentz.cl
Clicking the app, provides me with some useful information including app security and compliance details. This could be really useful as I may only want my users accessing apps which meet ISO 27001 and ISO 27018 compliance.
I could also check if my users are using this app and if yes, I could decide to unsanction (block) or even monitor access. If a Cloud App is tagged as monitored, a message will appear notifying the users that this cloud app/website is being monitoring.
23. After the indicators have synced to Defender for Endpoint (This could take a few hours, sometimes up to 24 hours), I launch Edge browser and access dropbox.com, I receive a blocked message. An alert is also logged in the Defender portal to inform administrators that a user attempted to access an unsanctioned (blocked) website/cloud app.
Message: This website is blocked by your organization. Contact your administrator for more information.
and that’s it. I hope you found the post useful.
See you at the next post