5.13 Ensure Microsoft Defender for Cloud Apps is enabled and configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It provides visibility into suspicious activity in Microsoft 365, enabling investigation into potential security issues and facilitating the implementation of remediation measures if necessary.

Some risk detection methods provided by Azure AD Identity Protection also require Microsoft Defender for Cloud Apps:

Suspicious manipulation of inbox rules

Suspicious inbox forwarding

New country detection

Impossible travel detection

Activity from anonymous IP addresses

Mass access to sensitive files

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

Rationale:

Security teams can receive notifications of triggered alerts for atypical or suspicious activities, see how the organization's data in Microsoft 365 is accessed and used, suspend user accounts exhibiting suspicious activity, and require users to log back in to Microsoft 365 apps after an alert has been triggered.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To connect Office 365 and Azure:

Navigate to Microsoft Defender for Cloud Apps https://portal.cloudappsecurity.com/.

Select Investigate > Connected Apps.

In App connectors, ensure Office 365 and Microsoft Azure are connected by selecting Connect an app and following the wizard.

In Security configuration apps, ensure Microsoft Azure is connected by selecting Connect an app and following the wizard.

Connect any additional apps the organization might use.

To connect Microsoft Defender for Cloud Apps to other Microsoft tools:

Go to the Settings gear located in the top right near the question mark.

Go to Threat Protection > Azure AD Identity Protection and enable the integration.

Go to Threat Protection > Microsoft Defender for Identity and enable the integration.

Go to Cloud Discovery > Microsoft Defender for Endpoint and enable the integration.

Go to Information Protection > Files and enable file monitoring.

NOTE: Creating an instance of Microsoft Defender for Identity may result in an error regarding existing security groups. To resolve this, Microsoft recommends deleting the following groups from Azure Active Directory after verifying they are empty:

Azure ATP {Unique} Administrators

Azure ATP {Unique} Users

Azure ATP {Unique} Viewers

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/benchmarks/10751