Day 10 #100DaysOfCloud
Microsoft Cloud App Security is a Cloud Access Security Broker. It discovers and provides visibility into users’ app usage, identifies anomalous behaviour and controls access.
In line with last week's post regarding SIEM integration, I wanted to explore MCAS to show what's available out of the box.
Both Azure AD Premium P1 and P2 come with access to MCAS. If you use Premium P1, functionality is limited to Discovery only, whereas Premium P2 (included in M365 E5) has the full functionality we’ll be exploring in this series of posts.
Privileged Security Roles
Configuring MCAS requires Global Admin or Compliance Admin roles.
Networking and Access
In order to send data to the cloud service, devices or endpoints in the organisation will need to be able to reach specific web services. The specific IP addresses and DNS names are provided here.
To access MCAS, open Edge and visit the MCAS Portal. You’ll start with your MCAS Dashboard.
Configuring MCAS Settings
The default settings are good to start with. To take a look at the available options, head to the Settings cog (top right).
Enabling Information Protection
The Files setting option allows you to enable MCAS to view files in SaaS apps.
MCAS provides quite a few template policies out of the box.
In this section, I’ll enable a policy that will detect a mass download by a single user.
For example, if a user downloads 10 files in 1 minute, that could be considered suspicious. MCAS allows us to respond to that activity in a number of ways.
If the activity is detected, we can respond in the following ways:
Trying it out… some prerequisites
There are some prerequisites to testing out this policy. Firstly, we need to make sure that the app we’re looking to monitor is connected or onboarded to MCAS.
Trying it out…
In this demonstration, my test user downloads a heap of files from SharePoint.
Within a few minutes, an activity appears in MCAS.
Investigate and Respond
With the activity being reported to the MCAS dashboard, I am able to take a more in-depth look at what happened.
By clicking Resolution Options near the top, I can opt to view some more information about the user, activity, or perform a Governance action.
In this instance, I’ll choose to require the user to sign in again, which gives the following warning:
This action takes about a minute to complete, showing the following progress icon whilst it works.
Once complete, Lee's download marathon is interrupted:
Automating the response
Whilst it's useful to be able to respond to this type of activity manually, it would be a good idea to set up the automated governance actions available in the policy. If you aren't sure that the activity would always warrant a governance response, then modify the policy such that it would warrant one. For example, rather than a policy that detects 10 downloads in 1 minute, create one that detects 50 downloads in 1 minute, which automatically forces a fresh sign-in.
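To make the two tiers concrete, here is an added example of my own (not MCAS code and not its API) that replays a constructed activity log through the same sliding one-minute window: 10 downloads by one user raise an alert, 50 trigger the tier that would force a fresh sign-in. The record format, user names and sample timings are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # policy window ("in 1 minute")
ALERT_THRESHOLD = 10            # alert-only tier from the post
GOVERNANCE_THRESHOLD = 50       # tier that forces a fresh sign-in


def detect_mass_downloads(activities, window=WINDOW,
                          alert_at=ALERT_THRESHOLD, govern_at=GOVERNANCE_THRESHOLD):
    """Replay (user, timestamp, action) records in time order and return the
    findings such a policy would raise as (user, timestamp, finding) tuples.
    'alert' fires when a user's downloads inside the sliding window reach
    alert_at; 'require_sign_in' fires when they reach govern_at."""
    recent = defaultdict(deque)  # per user: download timestamps still inside the window
    findings = []
    for user, ts, action in sorted(activities, key=lambda a: a[1]):
        if action != "Download":
            continue             # the policy only counts download events
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop downloads that fell out of the window
            q.popleft()
        if len(q) == alert_at:
            findings.append((user, ts, "alert"))
        if len(q) == govern_at:
            findings.append((user, ts, "require_sign_in"))
    return findings


def constructed_log():
    """Constructed sample data (not real MCAS activity): 'lee' pulls 55 files
    in under half a minute; 'sam' downloads 8 files spread over five minutes
    and views a few more, which should stay below both thresholds."""
    start = datetime(2021, 3, 1, 9, 0, 0)
    lee = [("lee", start + timedelta(seconds=i * 0.5), "Download") for i in range(55)]
    sam = [("sam", start + timedelta(seconds=i * 40), "Download") for i in range(8)]
    sam += [("sam", start + timedelta(seconds=i * 40 + 5), "View") for i in range(8)]
    return lee + sam


if __name__ == "__main__":
    for user, ts, finding in detect_mass_downloads(constructed_log()):
        print(f"{ts:%H:%M:%S} {user}: {finding}")
```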
As you can see, Microsoft Cloud App Security (MCAS) is a must-have for all cloud-enabled organisations.