You can also see why particular apps are dangerous. If you wanted to know why a particular app received a score of two, you simply click on it in CASB and you can see the different categories Microsoft uses to determine the risk factor. This gives you an idea of how to assess where exactly the risks could be in a specific application and how to best sanction or unsanction the app.
At the far right, you can also use the circular icons to:
- Mark the app as monitored
- Override the app score entirely
- Add notes for other admins to read or edit the app details
Additionally, you can edit the app details and pair this with Conditional Access App Control to get a more real-time view of how the app is being used. Edit the details, hit Save, and mark the app as monitored.
Afterwards, you get this prompt. A warning message is displayed to users upon accessing monitored apps.
You can click on the link and go into cloud app usage here. If you click on devices…
…you can now see which device is being used to access that application.
From there, you can drill into more specific information such as traffic history, user history, and IP address history, get a general idea of what this application is doing in your environment, and view the same information in Microsoft Defender for Endpoint.
Going back to the dashboard, go down to the discovered apps widget. You’ll notice that if you hover over it, you have the capability of tagging a specific application as sanctioned or unsanctioned, or you can create a new app discovery policy.
Now you can either choose a policy template or create a new policy from scratch. For example, you could create a policy that monitors any app you put into the monitored state or tag with monitored. Mark the severity as medium, put in a description, and add filters.
For example, the app tag filter. If the apps are tagged as monitored and have risk scores between zero and three, you can apply this to all continuous reports or to a specific continuous report that you define. Since we recognized that this app was our highest traffic generator, you want to trigger a policy match for monitored apps with a risk score from zero to three whose daily traffic is greater than 5,000 megabytes.
We can then create an alert for each matching event within the policy severity.
Another feature is that you can send alerts to Power Automate, which lets you create a playbook that automates a response, for example blasting a message to a specific team in Microsoft Teams.
Finally, you can apply a governance action that tags the application as sanctioned, unsanctioned, monitored, and so on. Since this policy is specific to monitored apps, we will leave that alone and then click Create.
Now we see our policy has been created and we can continue to edit the policy as we see fit or view all of the alerts that are generated by this policy.
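To make the matching rules of the policy just created concrete, here is an added example (not code from the original post, and not the Defender for Cloud Apps API) that models the policy offline: a constructed continuous-report sample is run through the same conditions (tagged monitored, risk score 0 to 3, daily traffic strictly greater than 5,000 MB, optionally restricted to named reports), producing one alert per matching app/day event at the policy severity and, if a governance action is configured, the set of apps it would tag. The data classes, function names and sample rows are assumptions made for illustration; it goes slightly beyond the walkthrough by also showing the report-scoping and governance-tag options.

```python
"""Offline model of a Cloud Discovery app policy (added example, assumed data model)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DiscoveredAppDay:
    """One row of a continuous report: one app's usage on one day (constructed shape)."""
    report: str            # name of the continuous report the row belongs to
    day: str               # ISO date of the usage
    app: str               # discovered application name
    risk_score: int        # Microsoft's 0-10 app score (lower = riskier)
    tags: FrozenSet[str]   # e.g. {"monitored"}, {"sanctioned"}, {"unsanctioned"}
    traffic_mb: float      # daily upload + download in megabytes


@dataclass(frozen=True)
class AppDiscoveryPolicy:
    """The walkthrough policy: monitored apps, score 0-3, more than 5,000 MB per day."""
    name: str
    severity: str = "medium"
    required_tag: str = "monitored"
    min_score: int = 0
    max_score: int = 3
    min_daily_traffic_mb: float = 5000.0
    reports: FrozenSet[str] = frozenset()        # empty = apply to all continuous reports
    governance_tag: Optional[str] = None          # optional governance action (e.g. "unsanctioned")

    def matches(self, row: DiscoveredAppDay) -> bool:
        if self.reports and row.report not in self.reports:
            return False                          # outside the reports this policy covers
        if self.required_tag not in row.tags:
            return False                          # app tag filter
        if not (self.min_score <= row.risk_score <= self.max_score):
            return False                          # risk score filter
        return row.traffic_mb > self.min_daily_traffic_mb   # strictly greater, as in the policy


@dataclass(frozen=True)
class Alert:
    policy: str
    severity: str
    app: str
    day: str
    detail: str


def evaluate(policy: AppDiscoveryPolicy,
             rows: List[DiscoveredAppDay]) -> Tuple[List[Alert], Set[str]]:
    """Return one alert per matching event and the apps the governance action would tag."""
    alerts: List[Alert] = []
    tagged: Set[str] = set()
    for row in rows:
        if not policy.matches(row):
            continue
        alerts.append(Alert(policy.name, policy.severity, row.app, row.day,
                            f"score={row.risk_score} traffic={row.traffic_mb:.0f}MB "
                            f"report={row.report}"))
        if policy.governance_tag:
            tagged.add(row.app)
    return alerts, tagged


# Constructed sample rows; app names, dates and volumes are invented for the demo.
MON = frozenset({"monitored"})
SAMPLE_ROWS = [
    DiscoveredAppDay("Global", "2024-01-01", "FileShareX", 2, MON, 7200.0),   # match
    DiscoveredAppDay("Global", "2024-01-02", "FileShareX", 2, MON, 5000.0),   # not > 5000
    DiscoveredAppDay("Global", "2024-01-01", "NoteApp", 4, MON, 9000.0),      # score too high
    DiscoveredAppDay("Global", "2024-01-01", "ChatTool", 1, frozenset({"sanctioned"}), 12000.0),  # not monitored
    DiscoveredAppDay("Global", "2024-01-03", "FileShareX", 3, MON, 5001.0),   # match (boundary)
    DiscoveredAppDay("BranchOffice", "2024-01-01", "FileShareX", 2, MON, 8000.0),  # match unless scoped
]


def run_walkthrough_policy(reports: FrozenSet[str] = frozenset(),
                           governance_tag: Optional[str] = None) -> Tuple[List[Alert], Set[str]]:
    """Evaluate the walkthrough policy against the constructed sample."""
    policy = AppDiscoveryPolicy("Monitored high-traffic risky apps",
                                reports=reports, governance_tag=governance_tag)
    return evaluate(policy, SAMPLE_ROWS)


if __name__ == "__main__":
    for alert in run_walkthrough_policy()[0]:
        print(f"[{alert.severity}] {alert.policy}: {alert.app} on {alert.day} ({alert.detail})")
```

Running it on the sample shows the boundary behaviour worth checking before enabling the policy on live data: a day with exactly 5,000 MB does not match, a monitored app with score 4 does not, and an unscoped policy also fires on rows from other continuous reports, which is where the "all reports vs. a report we define" choice in the filter matters.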
This is a mid-level introduction to managing Shadow IT with Microsoft Defender for Cloud Apps. If you want to learn more about this process, you can read the eBook from Microsoft that talks more about everything we’ve talked about today.
EBOOK: Discover And Manage Shadow IT
You can also read more about Microsoft’s CASB in general in this Microsoft documentation.