Information
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It provides visibility into suspicious activity in Microsoft 365, enabling investigation into potential security issues and facilitating the implementation of remediation measures if necessary.
Some risk detection methods provided by Azure AD Identity Protection also require Microsoft Defender for Cloud Apps:
Suspicious manipulation of inbox rules
Suspicious inbox forwarding
New country detection
Impossible travel detection
Activity from anonymous IP addresses
Mass access to sensitive files
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
Rationale:
Security teams can receive notifications of triggered alerts for atypical or suspicious activities, see how the organization's data in Microsoft 365 is accessed and used, suspend user accounts exhibiting suspicious activity, and require users to log back in to Microsoft 365 apps after an alert has been triggered.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To connect Office 365 and Azure:
Navigate to Microsoft Defender for Cloud Apps https://portal.cloudappsecurity.com/.
Select Investigate > Connected Apps.
Under App connectors, ensure Office 365 and Microsoft Azure are connected by selecting Connect an app and following the wizard.
Under Security configuration apps, ensure Microsoft Azure is connected by selecting Connect an app and following the wizard.
Connect any additional apps the organization might use.
To connect Microsoft Defender for Cloud Apps to other Microsoft tools:
Go to the Settings gear located in the top right near the question mark.
Go to Threat Protection > Azure AD Identity Protection and enable the integration.
Go to Threat Protection > Microsoft Defender for Identity and enable the integration.
Go to Cloud Discovery > Microsoft Defender for Endpoint and enable the integration.
Go to Information Protection > Files and enable file monitoring.
NOTE: Creating an instance of Microsoft Defender for Identity may result in an error regarding existing security groups. To resolve this, Microsoft recommends deleting the groups from Azure Active Directory after verifying they are empty. The groups are:
Azure ATP {Unique} Administrators
Azure ATP {Unique} Users
Azure ATP {Unique} Viewers
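The NOTE above says the groups should be deleted only after verifying they are empty. The following script is an added example, not part of the benchmark text, that reports the member count of every group whose name starts with "Azure ATP" so the empty ones can be identified before any deletion; it assumes the Microsoft.Graph PowerShell SDK is installed and the caller has permission to read groups.

```powershell
# Added example (not from the benchmark): report membership of the
# "Azure ATP {Unique} ..." groups before deciding whether to delete them.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Group.Read.All"

# The {Unique} part of each name is a per-instance identifier, so match on the prefix.
$atpGroups = Get-MgGroup -Filter "startswith(displayName,'Azure ATP')" -All

foreach ($g in $atpGroups) {
    # Enumerate members (users, groups, service principals) of each group.
    $members = Get-MgGroupMember -GroupId $g.Id -All
    $count = @($members).Count

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        GroupId     = $g.Id
        MemberCount = $count
        IsEmpty     = ($count -eq 0)
    }
}

# Deletion is deliberately not automated here: review the IsEmpty column first,
# then remove only the confirmed-empty groups through your normal change process.
```

Groups that report IsEmpty = True are the candidates for removal described in the NOTE; any group with members should be investigated before it is touched.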
Default Value:
Disabled