Microsoft Defender Cloud Apps
Configuration requirements
To run this collector, there are some configurations detailed below that you need to consider.
Configuration | Details |
---|---|
Microsoft Defender account | You need to have a Microsoft Defender account active. |
Microsoft Azure account | You need to have a Microsoft Azure account to register your app. |
Application Secret Key | You will need to create an application secret key in Microsot Azure. |
More information
Refer to the Vendor setup section to know more about these configurations.
Overview
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
|
Flattening preprocessing |
|
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Activity | Return information regarding who logs in to which app and when, which files are being downloaded from suspicious locations, and so on. |
|
|
|
|
Alerts
| Alerts indicate suspicious behavior and known threats in your environment. |
|
|
|
|
Entities
| Entities provides you with basic information about the users and accounts using your organization's cloud apps, allowing you to understand service use patterns. |
|
|
|
|
Data Enrichment
| Data Enrichment enables you to manage identifiable IP address ranges, such as your physical office IP addresses. IP address ranges allow you to tag, categorize, and customize the way logs and alerts are displayed and investigated. |
|
|
|
|
Files | Files provides you with metadata about the files and folders stored in your cloud apps, such as last modification date, ownership, and more. |
|
|
|
|
Flattening preprocessing
Data source | Collector service | Optional | Flattening details |
---|---|---|---|
Alerts |
|
| The easiest way to describe the flattening logic is via an example. If: base_event = {
"id": "baseEventId1",
"type": "alert"
}
args[0] = {
"type": "domain",
"should_flatten": True,
"value": [
{ "id": 1, "name": "domain1" },
{ "id": 2, "name": "domain2" }
]
}
args[1] = {
"type": "user",
"should_flatten": True,
"value": [
{ "id": 1, "name": "user1" },
{ "id": 2, "name": "user2" },
{ "id": 3, "name": "user3" }
]
} The assumptions are:
In the above example, a total of 6 events will be generated (because there are 2 domains and 3 users).
{
"id": "baseEventId1",
"type": "alert",
"related_domains": 2,
"related_users": 3
}
{
"id": "baseEventId1", # This is from the base event
"type": "alert", # This is from the base event
"related_domains": 2, # This is the number of related domains in total
"related_users": 3, # This is the number of related users in total
"domain_id": 1, # This is the "id" field from a domain, with "domain_" prepended to it
"domain_name": "domain1", # This is the "name" field from a domain, with "domain_" prepended to it
"user_id": 1, # This is the "id" field from a user, with "user_" prepended to it
"user_name": "user1" # This is the "name" field from a user, with "user_" prepended to it
} |
Vendor setup
There are some minimum requirements that are needed in order to set up this collector.
Accepted authentication methods
Authentication method | Client ID | Tenant ID | Client Secret | Files Access Token |
---|---|---|---|---|
Azure Authentication for the following services:
| REQUIRED | REQUIRED | REQUIRED |
|
Azure Authentication for Files service: | REQUIRED | REQUIRED | REQUIRED | REQUIRED |
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data basic configuration are defined below.
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check the settings section for details.
Setting | Details |
---|---|
| This parameter is the URL of the CloudApps instance. |
| Set up here your access token created in the CloudApps console. |
| Set up here your tenant id created in the CloudApps console. |
| Set up here your client id created in the CloudApps console. |
| Set up here your client secret created in the CloudApps console. |
| Only for Files service Set up here your access token Value created in the CloudApps console. |
Running the data collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Events service
Collector operations
This section is intended to explain how to proceed with the specific operations of this collector.
Change log for v1.x.x
Release | Released on | Release type | Details | Recommendations |
---|---|---|---|---|
| Oct 28, 2022 | NEW FEATURE | New features: Released first version of Microsoft Defender Cloud Apps Collector with the following services:
|
|