Microsoft Sentinel – Insights of Defender for Cloud Apps Data Connector

What’s Cloud Discovery?

Cloud Discovery, which is one of the Microsoft Defender for Cloud Apps (MDA) features, helps organizations to identify applications and user activities, traffic volume, and typical usage hours for each cloud application. In a nutshell, it can help to detect “Shadow IT” applications and possible risky applications end-users are using.

If you want to have more understanding of how Cloud Discovery works in MDA and information how you can leverage MDA when controlling access to the apps I encourage to read my earlier blogs about the topic:

• Deep Dive into Cloud App Discovery
• Extending MCAS Cloud Discovery into the Managing of Shadow IT

Data Connector in Sentinel

In Microsoft Sentinel ‘Defender for Cloud Apps’ data connector settings, there are two (2) data sources that can be ingested to Microsoft Sentinel, ‘Alerts’ and ‘Cloud Discovery’. In this blog, I will share insights on how the data connector should be configured and what’s the technical reason underneath the hood, and also the benefit to have the Cloud Discovery data in Sentinel.

Guidance Configuring Data Connector

On the docs.microsoft.com guidance, there is the following statement:

Integrating with your SIEM is accomplished in two steps:

1. Set it up in Defender for Cloud Apps (MDA).
2. Set it up in Microsoft Sentinel.

I see some improvement on the document and there isn’t any explanation about the different scenarios and why the configuration is needed. Let’s look up configurations in Sentinel & Defender for the Cloud Apps side.

Sentinel

In Sentinel, you can configure ‘Defender for Cloud Apps’ data connector ‘Alerts’ & ‘Discovery logs’ as seen in the picture below. The Difference between Alerts & Cloud Discovery is that the latter one brings the Shadow It data from MDA to Sentinel.

As seen, only ‘Cloud Discovery’ is available for configuration. The reason for this is the ‘M365 Defender’ data connector. If you have connected ‘M365 Defender’ data connector enabled bi-directional sync is enabled between Sentinel and Microsoft 365 Defender.

If M365 Defender is enabled, underneath the hood all other MDx data connectors are activated time and alerts are flowing to Sentinel from M365D.

Defender for Cloud Apps (MDA)

On the MDCA side go to the ‘Security Extensions – SIEM agents’ and add Sentinel as an agent with the required parameters. If there would be a need to filter what Cloud Discovery data (based on data feeds) will be sent to Sentinel it’s possible through the wizard.

When the SIEM agent is added, it will stay as created status until MDCA receives data from Cloud Discovery data sources (MDE, firewalls, or proxy).

Side note: if data ingestion is active at the MDA end it will take approximately 15min before you’ll be seeing data in Sentinel or to be precise in the underlying Azure Log Analytics workspace.

Troubleshooting

MDA Data Connector is in error state

Lately, I’ve seen this situation in some of the environments I’m working with (the root cause is unknown). If the SIEM agent is “disconnected” naturally Cloud Discovery data is not being ingested to Sentinel. It’s easy to fix but often gets overlooked than data connectors in general. My suggestion is to monitor the health of the data connectors from Sentinel point of view. It’s complicated task but doable.

• Monitor Azure Sentinel Data Connectors Health
• Monitor the health of your data connectors

How to fix

What needs to be done is:

• Validate SIEM agent configuration by opening it in edit mode and re-configure the same settings than earlier in the wizard
• Verify data ingestion is successful from MDE, FW or proxy, whatever you use
• Verify data connector settings in Sentinel side
• Verify data ingestiong from ‘McasShadowItReporting’ table in Log Analytics

Use Cases for Cloud Discovery Data

Having Cloud Discovery data in Microsoft Sentinel provides advantages to create rules and visualize the data. Cloud Discovery in Defender for Cloud Apps (MDA) provides useful tools already but in Sentinel, you can play with the raw data.

Built-in workbook

With a built-in workbook, you can visualize the data and identify easily for example unsanctioned applications and users who have been using (or trying to use) prohibited applications in your environment.

The same data is already found from MDA where you can create alerts based on the application score, amount of traffic, and users. In general, MDA offers multiple possibilities to configure policies around Cloud Discovery.

In Sentinel, you can create hunting queries based on your needs, here are a few samples.

//Find devices & identities from last 30 days who have more than 10MB of traffic to an App which score is 4 or below
McasShadowItReporting
| where TimeGenerated > ago(30d)
| where AppScore <= 4
| where TotalBytes >= 10000000
| project TimeGenerated, MachineName, MachineId, TotalBytes, DownloadedBytes, EnrichedUserName, AppName, AppCategory

//Summarize traffic from last 30 days based on user & device identity, showing traffic as MBs
McasShadowItReporting
| where TimeGenerated > ago(30d)
| summarize TrafficUpload = sum(UploadedBytes)/1048576, TrafficDownload = sum(DownloadedBytes)/1048576 by EnrichedUserName, MachineName
| order by TrafficUpload, TrafficDownload

References

How to integrate Defender for Cloud Apps to Sentinel

Deep Dive into Defender for Cloud Apps

Monitor Sentinel Data Connector Health