If you are running Microsoft Office 365, someone is probably out to get you.
One way to investigate questionable Office 365 and other cloud sign-in activity is to use Microsoft’s Cloud App Security add on. To enable Cloud App Security, you must have an E5 license or purchase the Cloud App Security add-on.
To enable the alerts and monitoring capabilities, log onto the Office 365 Security and Compliance portal or the Microsoft Cloud App Security website. Browse to “Alerts” and click on “Manage advanced alerts” to review the options you have and what Cloud App Security monitors.
You can also add a module that monitors for Office 365 sign-in security (called Office 365 Cloud App Security) or Microsoft Cloud App Security, which monitors other cloud applications as well. Both can be added on to an existing Office 365 subscription.
What Microsoft Cloud App security does
Cloud App Security performs the following functions:
- Discover and control the use of shadow IT: It helps to identify cloud applications and other cloud services used in your organization that you didn’t authorize. You can review and investigate usage patterns against more than 80 identified risks.
- Protect sensitive information anywhere in the cloud: You can pull in other cloud services logging and then better understand how your data is being used and shared to other applications. Several default policies and processes allow you to review real-time access in various cloud applications.
- Protect against cyberthreats and anomalies: Unusual activities across cloud applications can be identified to monitor for ransomware, compromised users or rogue applications; analyze high-risk usage; and remediate automatically to limit the risk to your organization.
- Assess the compliance of your cloud apps: Use Cloud App Security to review compliance in other cloud applications. It allows you to prevent data leaks to non-compliant apps and limit access to regulated data.
Once you enable Cloud App Security and the monitoring of Office 365 and Azure, you can either use the default alerts or set up custom alerts. The default alerts include:
- Leaked credentials
- Unusual file download by user
- Multiple failed login attempts
- Malware detection
- Activity from infrequent country
- Unusual administrative activity (by user)
- Impossible travel
- Unusual file deletion activity (by user)
- Activity from anonymous IP addresses
- Unusual impersonated activity (by user)
- Ransomware activity
- Unusual file share activity (by user)
- Activity from suspicious IP addresses
- Activity performed by terminated user
- Suspicious inbox forwarding
- Data exfiltration to unsanctioned apps
- Multiple delete VM activities
- Suspicious inbox manipulation rule
- Risky sign-in
- Cloud Discovery anomaly detection
For example, “Impossible travel” reviews your setup and triggers alerts when activities are detected from a user in different locations within a time period that is shorter than the expected travel time between the two locations. Detecting this anomalous behavior necessitates an initial learning period of seven days, during which the app learns a new user’s activity pattern.
How to create custom policies in Cloud App Security
You can create a custom policy that builds on existing policies of access, activity, file, OAuth application, sessions or anomalies. Start by clicking on “Custom alerts”, and then choose the type of custom alert you want to set. You can built an alert from an existing template or leave it blank to build a totally custom alert.
If you want to block logins from geographic regions, click on “Create policy” and then on “Activity policy”. Leave the Policy template as “No template” and describe your custom policy. In this example I’ll use GeoBlocking. Set the policy severity to “High”, and then in the Category section choose “Threat detection”.
In “Create filters for the policy”, select “Act on single activity”. In “Activities matching all the following”, select “Filter” and then choose “Location”. Choose to create an alert and send the alert as text message or email. You can also send the alert to a flow playbook. Then click on the cloud applications you want (most likely Office 365) and choose to suspend user or require the user to log in again. The filters you can use to set up alerts are limited to those items exposed by the Cloud App Security platform.
You’ll also want to connect your major cloud applications so that you can monitor them as well. For example, you can add access to Amazon Web Services, Box, Cisco Webex, Dropbox, G Suite, Okta and Salesforce. The service then uses the APIs of each cloud application to monitor the security and activities of the cloud platform.
Some cloud applications support the full abilities of Cloud App Security; others offer a limited ability or will support the full ability later. It’s recommended to set up a special administrator account for each application that you want to pull into Cloud App Security. At minimum, enable Azure and Office 365 to alert you to any malicious activity toward your 365 accounts.
Microsoft Cloud App Security can also alert you to other breaches from your cloud applications that you use on a regular basis. For example, it alerted me that there was a breach in a service that I used and thus I may want to take remedial action such as changing passwords.
In the alerts section, you can also review what applications your users can access that you weren’t aware of.
Microsoft Cloud Application Security is a powerful tool that you can add to your identification and detection arsenal.