Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytical insight to identify and combat threats across all cloud services.
Warning: Due to the latency of telemetry availability in the API, there is a 24-hour delay for ALL telemetry from this source.
Data Types
- MICROSOFT_CASB
Configuration - Option One
Azure App Prerequisite
For this integration, an Azure App must be created. More information on how to do that can be found in the documentation here.
Requirements
- In the Cyderes Azure App, select API permissions from the sidebar
- Then click the Add a permission button
- Click APIs my organization uses and search for 'Defender for Cloud Apps' and then select it
- If 'Defender for Cloud Apps' cannot be found, search for 'Microsoft Cloud App Security' (the former name of the product) and select it
- Click Application permissions
- Click the check box next to each of the following permissions
  - Investigation.read
  - Discovery.read
- Once the permissions have been added, ensure that admin consent has been granted for each by clicking Grant admin consent for ACCOUNT
Refer to Microsoft's Docs for more information.
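A way to verify the last step before handing the app details to Cyderes: in Microsoft Graph, admin consent for Application permissions is recorded as appRoleAssignments on the integration app's service principal, each pointing at an appRole of the resource (Defender for Cloud Apps) service principal. The check below is an added example, not Cyderes or Microsoft code; it assumes the two JSON documents were fetched from Graph and works on constructed samples whose role ids, object ids and the extra "Investigation.manage" role are placeholders.

```python
"""Audit an Azure app registration's consented Application permissions
against the set this integration requires (added example, not the
project's own code). Input documents are constructed samples shaped like
Microsoft Graph servicePrincipal and appRoleAssignment objects."""
import json

REQUIRED_PERMISSIONS = {"Investigation.read", "Discovery.read"}

# Constructed sample: appRoles exposed by the resource service principal.
# Ids and the third role are placeholders, not Microsoft's real values.
RESOURCE_SP = json.loads("""{
  "id": "RESOURCE-SP-OBJECT-ID",
  "appRoles": [
    {"id": "role-0001", "value": "Investigation.read", "allowedMemberTypes": ["Application"]},
    {"id": "role-0002", "value": "Discovery.read", "allowedMemberTypes": ["Application"]},
    {"id": "role-0003", "value": "Investigation.manage", "allowedMemberTypes": ["Application"]}
  ]
}""")

# Constructed sample: assignments (admin consent) held by the integration
# app's service principal. Discovery.read was never consented here.
APP_ROLE_ASSIGNMENTS = json.loads("""[
  {"appRoleId": "role-0001", "resourceId": "RESOURCE-SP-OBJECT-ID", "principalId": "CLIENT-SP-OBJECT-ID"},
  {"appRoleId": "role-0003", "resourceId": "RESOURCE-SP-OBJECT-ID", "principalId": "CLIENT-SP-OBJECT-ID"}
]""")


def consented_permissions(resource_sp, assignments):
    """Resolve each assignment's appRoleId to its role name, keeping only
    assignments that target this resource service principal."""
    role_names = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    return {
        role_names[a["appRoleId"]]
        for a in assignments
        if a["resourceId"] == resource_sp["id"] and a["appRoleId"] in role_names
    }


def audit_permissions(resource_sp, assignments, required=REQUIRED_PERMISSIONS):
    """Return (missing, excess): required roles lacking consent, and consented
    roles beyond the requirement, so over-granting is flagged as well."""
    granted = consented_permissions(resource_sp, assignments)
    return sorted(required - granted), sorted(granted - required)


if __name__ == "__main__":
    missing, excess = audit_permissions(RESOURCE_SP, APP_ROLE_ASSIGNMENTS)
    print("missing admin consent:", missing or "none")
    print("consented beyond requirement:", excess or "none")
```

Both lists should be empty before the app is considered ready; an entry in the first means a consent step was skipped, an entry in the second means the app holds more than the integration needs.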
Gather Information
Provide the following information to Cyderes to complete implementation:
- Identity (Azure Active Directory App)
- Application (client) ID
- Directory (tenant) ID
- Secret ID
- Secret Value
Configuration - Option Two
- Deploy a Microsoft-provided Java program into the environment that will pull logs from Microsoft Defender for Cloud Apps using a "Generic SIEM Integration". See the Microsoft documentation here.
- The Java program will push the logs to the Cyderes API via the CYCLOPS forwarder running in the environment. CYCLOPS installation instructions can be found here.
- Cyderes will provide a port number
- Create firewall rules to allow HTTPS traffic to and from Microsoft Defender for Cloud Apps to the server hosting the Java program