The last blog post I wrote was about how to detect suspicious OAuth applications in Azure AD with Cloud App Security. Now it’s time to dig deeper and see what other capabilities Microsoft Cloud App Security (referred to as MCAS) offers for monitoring suspicious activity around applications.

High Privileged Permissions

Many productivity apps that are registered in an organization may request permission to access user information and data, and to sign in on behalf of the user to other cloud apps such as O365. When users register these apps, they often click Accept without reviewing the details in the prompt, including the permissions being granted to the app.

For the scenario above, Microsoft Cloud App Security (MCAS) offers several options for raising alerts when new, potentially high-privileged apps are added to an organization’s directory.

In the example below, I look for OAuth apps with high-privileged permissions in my tenant and want to be alerted about them via email and SMS.

Rule 1 – High Privileged App

If you want a more sophisticated rule, you can add the “community use” filter to identify whether the app’s permissions are common, uncommon or rare. As the Microsoft documentation states, “This filter can be helpful if you have an app that’s rare and requests permission that has a high severity level or requests permission from many users”.

OAuth app policy
Community use filter

Rule 2 – OAuth Has Specific Permission

With this rule I can define the exact permissions to search for in the environment. In this specific rule, I search for certain permissions (offline_access and permissions to the calendar).

Alert 1 – High Privileged App

Here I have multiple permission-based alerts from the same app.

Further investigation can be done from the alert details page, where the following details are available (among others):

  • App permissions
  • Users who are using the app
  • App publisher
  • Related activities from Activity Log

SMS alert

Alert 2 – New OAuth App With High Permissions

After the “Feta-Marketing” app was added to my tenant, four (4) users granted consent to it (which they are allowed to do in my environment). Because of the consent grant and app permissions policy, I received the following alerts in MCAS and via SMS.

Further investigation shows the users and the high-privileged permissions the “Feta-Marketing” app has.
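To make Rule 1 (high-privileged permissions), Rule 2 (offline_access together with calendar permissions) and the consent-count view from Alert 2 concrete, here is an added example that evaluates consent grants the way those policies do; it is not code from the post or from MCAS. The scope names treated as high severity and the grant records are constructed assumptions.

```python
from collections import defaultdict

# Assumed severity mapping: the post only says MCAS flags "high severity" permissions;
# these Graph scope names are chosen for the example, not taken from MCAS.
HIGH_SEVERITY_SCOPES = {
    "Mail.ReadWrite", "Files.ReadWrite.All", "Calendars.ReadWrite", "Directory.ReadWrite.All",
}

# Constructed consent-grant records (one row per user consent), not real tenant data.
# "Feta-Marketing" mirrors the four-user consent scenario described in the post.
FETA_SCOPES = ["offline_access", "Calendars.ReadWrite", "Mail.ReadWrite"]
GRANTS = [
    {"app": "Feta-Marketing", "user": f"user{i}@example.com", "scopes": FETA_SCOPES}
    for i in range(1, 5)
] + [
    {"app": "Lunch-Poll", "user": "user1@example.com", "scopes": ["User.Read"]},
    {"app": "Cal-Sync", "user": "user2@example.com", "scopes": ["offline_access", "Calendars.Read"]},
]


def rule1_high_privileged(scopes):
    """Rule 1: return the high-severity permissions the app holds (empty list if none)."""
    return sorted(set(scopes) & HIGH_SEVERITY_SCOPES)


def rule2_specific_permissions(scopes):
    """Rule 2: offline_access combined with any calendar permission (persistent calendar access)."""
    return "offline_access" in scopes and any(s.startswith("Calendars.") for s in scopes)


def evaluate_grants(grants):
    """Aggregate consents per app and return one alert per app that trips Rule 1 or Rule 2.

    Each alert carries the distinct consenting users, as the alert details page does.
    """
    apps = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        apps[g["app"]]["users"].add(g["user"])
        apps[g["app"]]["scopes"].update(g["scopes"])
    alerts = []
    for name, info in sorted(apps.items()):
        high = rule1_high_privileged(info["scopes"])
        specific = rule2_specific_permissions(info["scopes"])
        if high or specific:
            alerts.append({"app": name, "users": len(info["users"]),
                           "high_severity": high, "offline_calendar": specific})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_grants(GRANTS):
        print(alert)
```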

For mitigation, I recommend that you check my earlier blog post.

Discover Suspicious Activity

Suspicious activity is covered by the Activity policies group. With activity policies, Cloud App Security can detect suspicious activity in the tenant, such as:

  • User tries to sign in and fails xx times in one minute
  • User downloads 1000 files
  • User is logged in from a country where the organization doesn’t have a branch office, such as Afghanistan

In my environment, I have configured four (4) activity policies.

Let’s take a closer look at the admin activity policy. In Azure AD Conditional Access settings I have defined “Trusted locations”, and I use the same setting in Cloud App Security, where my office IP address ranges are defined with the tag “Corporate”.

I allow admin access only from corporate IP addresses (I currently don’t have a Conditional Access control in place to enforce this). For that reason, I want an alert if admin activity happens outside my corporate IP addresses.

I’m using the built-in template “Administrative activity from non-corporate location” and have configured the corporate IP addresses beforehand in the MCAS settings.
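The logic behind that template, as an added example (not the post’s or Microsoft’s code): tag an IP as “Corporate” when it falls inside the configured ranges and report admin activities from anywhere else. The ranges, the list of activity names treated as administrative and the activity-log records are constructed assumptions.

```python
import ipaddress

# Assumed "Corporate" ranges, standing in for the IP address ranges tagged Corporate in MCAS.
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Activity names treated as administrative; constructed for the example, MCAS has its own taxonomy.
ADMIN_ACTIVITIES = {"Add member to role", "Update user", "Reset user password", "Set-Mailbox"}

# Constructed activity-log records, not a real MCAS export.
ACTIVITY_LOG = [
    {"time": "2020-03-01T08:02:11Z", "user": "admin@example.com",
     "activity": "Add member to role", "ip": "203.0.113.45"},
    {"time": "2020-03-01T21:40:03Z", "user": "admin@example.com",
     "activity": "Reset user password", "ip": "192.0.2.77"},
    {"time": "2020-03-01T21:41:30Z", "user": "bob@example.com",
     "activity": "FileDownloaded", "ip": "192.0.2.77"},
    {"time": "2020-03-02T09:15:00Z", "user": "admin@example.com",
     "activity": "Update user", "ip": "198.51.100.200"},
]


def is_corporate(ip):
    """True when the address falls inside a configured Corporate range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparsable address: treat as non-corporate so the event is reviewed, not silently dropped.
        return False
    return any(addr in net for net in CORPORATE_RANGES)


def admin_activity_outside_corporate(records):
    """Return the records that match 'Administrative activity from non-corporate location'."""
    return [r for r in records
            if r["activity"] in ADMIN_ACTIVITIES and not is_corporate(r["ip"])]


if __name__ == "__main__":
    for hit in admin_activity_outside_corporate(ACTIVITY_LOG):
        print(f'{hit["time"]} {hit["user"]} {hit["activity"]} from {hit["ip"]}')
```

Note that 198.51.100.200 lies outside 198.51.100.0/25, so a range that is one bit too narrow produces alerts for genuine office traffic; check the mask when a trusted location keeps firing.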

Alert – Suspicious Activity

The alert is shown as suspicious activity: admin activity from a non-corporate IP address. It was created because I defined the corporate IP address ranges earlier and am now logging in from a non-corporate IP address.

The second alert I received was “login from risky IP address”.

Detailed information about the event from the alert itself

Actual event data from Activity Log

The new UEBA SecOps tool shows that my admin account is a high-risk user and that I should definitely pay attention to what the heck this user is doing in my environment ;)

Detect New Applications via Cloud App Discovery

The App Discovery policy can be used to send an alert when a new app is detected in the logs. In my experience, this feature requires Cloud Discovery to be in use, which in practice requires firewall log integration.

In my environment, the policy is configured with the following settings:

  • New “Popular App Policy” template used
  • Policy severity – high
  • No filters applied
  • In the template the user limit is 500 – I changed this to 3 to get an alert sooner
  • Governance – I add a custom tag to such an app if one is detected
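The same settings expressed as code, as an added example rather than anything from the post or from MCAS: parse firewall-style log lines, map destinations to apps, and raise a “new popular app” finding with a custom tag once at least 3 distinct users have been seen on an app that is not already known. The log lines, the host-to-app catalog and the set of known apps are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed firewall-style log (time,user,src_ip,dest_host,bytes); not a real export.
FIREWALL_LOG = """\
time,user,src_ip,dest_host,bytes
2020-03-02T09:01:00Z,user1@example.com,203.0.113.10,outlook.office365.com,52011
2020-03-02T09:03:00Z,user1@example.com,203.0.113.10,app.feta-share.example,91000
2020-03-02T09:05:00Z,user2@example.com,203.0.113.11,app.feta-share.example,120333
2020-03-02T09:06:00Z,user2@example.com,203.0.113.11,notes.quicknote.example,4000
2020-03-02T09:10:00Z,user3@example.com,203.0.113.12,app.feta-share.example,88000
2020-03-02T09:12:00Z,user1@example.com,203.0.113.10,app.feta-share.example,10
"""

# Assumed host-to-app mapping, standing in for the Cloud Discovery app catalog.
APP_CATALOG = {
    "outlook.office365.com": "Office 365",
    "app.feta-share.example": "Feta Share",
    "notes.quicknote.example": "QuickNote",
}

# Apps already present in earlier discovery reports; anything else counts as "new".
KNOWN_APPS = {"Office 365"}


def discover_new_popular_apps(log_text, known_apps, user_limit=3):
    """Mirror the 'New popular app' template: an unseen app used by >= user_limit distinct users.

    Returns {app_name: {"users": n, "tag": "Needs review"}} for each app that trips the policy;
    the tag stands in for the governance action (custom app tag) configured in the post.
    """
    users_per_app = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        app = APP_CATALOG.get(row["dest_host"], "Unknown: " + row["dest_host"])
        users_per_app[app].add(row["user"])  # repeated hits by one user count once
    return {
        app: {"users": len(users), "tag": "Needs review"}
        for app, users in users_per_app.items()
        if app not in known_apps and len(users) >= user_limit
    }


if __name__ == "__main__":
    print(discover_new_popular_apps(FIREWALL_LOG, KNOWN_APPS))
```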

Templates available at the time of writing are:

  • New popular app
  • New high volume app
  • New high upload volume app
  • New risky app
  • Cloud storage app compliance check
  • Collaboration app compliance check
  • CRM app compliance check
  • New cloud storage app
  • New collaboration app
  • New online meeting app
  • New CRM app
  • New HR management app
  • New sales app
  • New code hosting app
  • New vendor management system apps

Alert – New Applications

To make this happen, MCAS needs to have a Cloud Discovery integration in place. Even though I have Cloud Discovery data in use and can find my new popular app in the search, for some reason I didn’t receive an alert for it. So, if you know how to configure this one, reach out to me. I really would like to see this working.

I tried the discovery policy with the New Popular App and Risky App policy templates, but without success.

Summary

Cloud App Security offers extremely useful investigation capabilities for an organization’s security teams. The current capabilities, together with the new UEBA SecOps tool, offer better visibility of what’s really happening under the hood in the environment.

That ends the monitoring part. The next post is all about MCAS session controls.

References

SecOps Investigation Tool

Cloud Discovery Policies

Until next time!