Tutorial / Cram Notes
Cloud App Discovery is part of Microsoft’s Cloud App Security (MCAS), which enables organizations to discover, manage, and secure their cloud applications effectively. In the MS-101 Microsoft 365 Mobility and Security exam, it’s essential to understand how to review and respond to the issues identified by Cloud App Discovery.
Reviewing Issues in Cloud App Discovery
When reviewing the Cloud App Discovery data, IT admins should first familiarize themselves with the dashboard. The dashboard provides an overview of the cloud application usage in the organization, including the number of discovered apps, the amount of traffic to these apps, and the potential risks associated.
Discovery Dashboard Analysis
Here’s an overview of the main points of analysis within the MCAS dashboard:
- Discovered Apps: This is the list of apps that have been discovered by MCAS along with the risk score for each app, which is based on a set of criteria such as legal compliance and industry certifications.
- Traffic: Traffic data shows the volume of data exchanged between users and the cloud apps. This can help determine which apps are most used and potentially which ones hold most of the sensitive data.
- Users: Information about users accessing the cloud apps, the devices used, and risk levels involved.
- Alerts: Security alerts that are triggered by any unusual or risky user behavior.
Responding to the issues involves acting upon the information that has been discovered.
Responding to Identified Issues
Once issues have been identified through Cloud App Discovery, various responses might be appropriate, depending on the nature of the issue.
Set Policies and Controls
The first step is often to set up policies and controls around cloud application usage. This can include:
- App governance: Define which apps are sanctioned for use in the organization and under what conditions.
- Conditional Access Policy: Implement conditional access policies to govern how and when users can access cloud apps.
- Data loss prevention (DLP): Establish DLP policies to prevent sensitive information from being uploaded to or shared via unsanctioned apps.
Investigate Risky Apps
For discovered apps with a high-risk score, a deeper investigation is necessary to assess why these apps are being used and whether they should be sanctioned, monitored more closely, or even blocked.
Take Action on Non-compliant Use
When users are found to be using cloud apps in ways that aren’t compliant with company policies, it’s vital to address these behaviors immediately. Actions may include:
- User education: Sometimes, users aren’t aware that they’re using non-compliant apps and will change behavior once informed.
- Removing access: In some cases, access to certain apps may need to be revoked entirely.
Anomaly Detection and Alerts
Setting up anomaly detection policies helps in quickly pinpointing unusual behavior that could indicate a security threat. Responding to alerts as quickly as possible reduces potential risks to the organization.
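The kind of check an anomaly detection policy automates, written out as an added example (not code from the original notes or from MCAS): each user's daily upload volume to an app is compared against the median of that user's earlier days, and a day that exceeds a multiple of the baseline is raised as an alert. The record layout, the user and app names, the traffic figures, the 5x spike factor and the three-day minimum history are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (assumed shape): date,user,app,upload_bytes per user/app/day.
SAMPLE_TRAFFIC = """\
2024-03-01,alice@contoso.example,Dropbox,120000
2024-03-02,alice@contoso.example,Dropbox,150000
2024-03-03,alice@contoso.example,Dropbox,110000
2024-03-04,alice@contoso.example,Dropbox,130000
2024-03-05,alice@contoso.example,Dropbox,9800000
2024-03-01,bob@contoso.example,Box,500000
2024-03-02,bob@contoso.example,Box,480000
2024-03-03,bob@contoso.example,Box,520000
2024-03-04,bob@contoso.example,Box,510000
2024-03-05,bob@contoso.example,Box,530000
"""

SPIKE_FACTOR = 5.0   # assumption: flag a day that exceeds 5x the user's median
MIN_HISTORY = 3      # assumption: need at least 3 prior days to form a baseline


def parse_traffic(text):
    """Parse the constructed CSV-style lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, app, nbytes = line.split(",")
        records.append({"date": date, "user": user, "app": app,
                        "upload_bytes": int(nbytes)})
    return records


def detect_upload_spikes(records, factor=SPIKE_FACTOR, min_history=MIN_HISTORY):
    """Return one alert per (user, app, day) whose uploads exceed factor x the
    median of that user's earlier days for the same app."""
    series = defaultdict(list)
    for r in records:
        series[(r["user"], r["app"])].append((r["date"], r["upload_bytes"]))

    alerts = []
    for (user, app), days in series.items():
        days.sort()  # ISO dates sort chronologically as plain strings
        history = []
        for date, nbytes in days:
            # Only judge a day once enough prior days exist to form a baseline.
            if len(history) >= min_history:
                baseline = median(history)
                if baseline > 0 and nbytes > factor * baseline:
                    alerts.append({"user": user, "app": app, "date": date,
                                   "upload_bytes": nbytes, "baseline": baseline,
                                   "ratio": round(nbytes / baseline, 1)})
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_spikes(parse_traffic(SAMPLE_TRAFFIC)):
        print(f"{alert['date']} {alert['user']} -> {alert['app']}: "
              f"{alert['upload_bytes']} bytes, {alert['ratio']}x the baseline")
```

Using a median rather than a mean keeps a single earlier burst from inflating the baseline, and requiring a minimum history avoids alerting on a user's first days with an app, which is where most noise in a naive threshold comes from.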
Generate Reports
Reports are an essential element for documenting and managing cloud app usage. They provide proof of compliance for auditors and also help in strategic decision-making for IT and security investments.
Examples
Once an organization has implemented Cloud App Discovery, a report might illustrate that 250 cloud applications are in use, with only 50 sanctioned by IT. Further analysis could reveal that several high-risk apps are being used to store sensitive company data. The organization would then:
- Enforce policies to restrict access to these high-risk apps.
- Roll out an alternative sanctioned app that meets the users’ needs without compromising security.
- Educate users on the risks of unsanctioned apps and offer training on the approved alternatives.
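A worked triage of a discovered-apps export, added here as an example that is not part of the original notes and not MCAS's own code; it ties together the dashboard review above (discovered apps, risk score, traffic, users), the "Investigate Risky Apps" step and the scenario just described. The CSV column layout, the app names and figures are constructed; the real portal export uses different columns, so the parser is an assumption. The example follows the MCAS convention that risk scores run from 1 to 10 with 10 being safest, and it treats a score of 3 or below as high risk and 25 or more users as broad use; both thresholds are assumptions.

```python
import csv
import io

# Constructed sample export (assumed column layout, not the product's real schema).
SAMPLE_EXPORT = """\
app,category,risk_score,users,upload_bytes,tag
Microsoft OneDrive for Business,Cloud storage,10,240,52000000000,sanctioned
Dropbox,Cloud storage,7,35,8400000000,none
WeTransfer,Cloud storage,3,12,1900000000,none
Slack,Collaboration,8,60,300000000,none
PasteAnywhere,Productivity,2,4,45000000,none
Salesforce,CRM,9,80,7000000000,sanctioned
"""

HIGH_RISK_MAX_SCORE = 3   # assumption: scores 1-10, 10 safest; <=3 treated as high risk
BROAD_USE_MIN_USERS = 25  # assumption: enough users to justify evaluating for sanctioning


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed numeric fields."""
    apps = []
    for row in csv.DictReader(io.StringIO(text)):
        apps.append({
            "app": row["app"],
            "category": row["category"],
            "risk_score": int(row["risk_score"]),
            "users": int(row["users"]),
            "upload_bytes": int(row["upload_bytes"]),
            "sanctioned": row["tag"].strip().lower() == "sanctioned",
        })
    return apps


def is_high_risk(app):
    """An unsanctioned app whose score is at or below the high-risk cut-off."""
    return not app["sanctioned"] and app["risk_score"] <= HIGH_RISK_MAX_SCORE


def summarize(apps):
    """Dashboard-style counts: total, sanctioned, high-risk unsanctioned, bytes at risk."""
    high_risk = [a for a in apps if is_high_risk(a)]
    return {
        "total": len(apps),
        "sanctioned": sum(1 for a in apps if a["sanctioned"]),
        "high_risk_unsanctioned": len(high_risk),
        "high_risk_upload_bytes": sum(a["upload_bytes"] for a in high_risk),
    }


def triage(apps):
    """Return (app, action, reason) tuples, high-risk apps first, then by upload volume."""
    decisions = []
    for a in apps:
        if a["sanctioned"]:
            action, reason = "keep sanctioned", "already approved; review on schedule"
        elif is_high_risk(a):
            action = "investigate / unsanction"
            reason = f"risk score {a['risk_score']} with {a['upload_bytes']} bytes uploaded"
        elif a["users"] >= BROAD_USE_MIN_USERS:
            action = "evaluate for sanctioning"
            reason = f"{a['users']} users, acceptable risk score"
        else:
            action, reason = "monitor", "low usage, acceptable risk score"
        decisions.append((a["app"], action, reason))
    # Order: high-risk apps before the rest, and within each group largest upload first.
    order = {a["app"]: (0 if is_high_risk(a) else 1, -a["upload_bytes"]) for a in apps}
    decisions.sort(key=lambda d: order[d[0]])
    return decisions


if __name__ == "__main__":
    apps = parse_export(SAMPLE_EXPORT)
    print(summarize(apps))
    for name, action, reason in triage(apps):
        print(f"{name:32} {action:26} {reason}")
```

Ranking by upload volume within the high-risk group puts the app holding the most company data at the top of the investigation queue, which is the order in which the blocking, replacement and user education steps above are usually worth doing.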
Conclusion
The review and response to issues tied to Cloud App Discovery are critical for maintaining the security posture and compliance of an organization. Being able to analyze, interpret, and act upon the data in MCAS is a competency that is highly relevant to the MS-101 exam and, more importantly, to real-world application in the ever-evolving security landscape of Microsoft 365 Mobility and Security.
Practice Test with Explanation
True or False: Cloud App Discovery can be used to detect Shadow IT within an organization.
Answer: True
Explanation: Cloud App Discovery is a feature that helps organizations to uncover Shadow IT by identifying and reporting on cloud apps used by their employees.
Cloud App Discovery requires which of the following to function properly?
- A. Microsoft Azure subscription
- B. Microsoft 365 E5 subscription
- C. Agent installation on endpoints
- D. Firewall rule changes
Answer: C. Agent installation on endpoints
Explanation: To use Cloud App Discovery effectively, agents need to be installed on the endpoints to monitor and report on the cloud applications being accessed.
Which Microsoft service is integrated with Cloud App Discovery to provide enhanced visibility and control over cloud apps?
- A. Azure Active Directory
- B. Microsoft Defender for Endpoint
- C. Microsoft Cloud App Security
- D. Office 365 Advanced Threat Protection
Answer: C. Microsoft Cloud App Security
Explanation: Cloud App Discovery is integrated with Microsoft Cloud App Security, providing deeper insights and control over cloud app usage.
True or False: Cloud App Discovery can automatically block the use of unsanctioned applications.
Answer: False
Explanation: Cloud App Discovery identifies and provides insights on unsanctioned applications, but it does not block them automatically. It requires administrative action to enforce any restrictions or blocks.
Multiple Select: Which of the following types of data can Cloud App Discovery provide?
- A. The amount of data transmitted to cloud applications
- B. The users who are accessing specific cloud applications
- C. The geographic locations of cloud app usage
- D. The real-time content of transmitted data
Answer: A, B, C
Explanation: Cloud App Discovery provides information on the volume of data transmitted to cloud applications, the users accessing the apps, and geographic usage patterns; it does not provide the real-time content of the transmitted data.
What is the first step in responding to unsanctioned cloud app usage discovered by Cloud App Discovery?
- A. Block access to the app
- B. Notify users about the company policy
- C. Assess the extent of the usage and potential data exposure
- D. Remove the app from all user devices
Answer: C. Assess the extent of the usage and potential data exposure
Explanation: The initial step in responding is to assess the extent of the usage and potential data exposure, which will inform the subsequent steps.
True or False: Cloud App Discovery reports can only be accessed by the global administrator in Microsoft
Answer: False
Explanation: While the global administrator certainly has access, other roles, such as security administrators and compliance officers, may also have access to Cloud App Discovery reports, depending on their permissions.
In Microsoft 365, which admin role is required to configure Cloud App Discovery settings?
- A. Global admin
- B. Security admin
- C. Compliance admin
- D. User management admin
Answer: A. Global admin
Explanation: A user with the Global admin role in Microsoft 365 has the necessary permissions to configure Cloud App Discovery and other advanced security settings.
True or False: Cloud App Discovery can identify the risk level of discovered apps based on predefined criteria such as legal compliance and general app reputation.
Answer: True
Explanation: Cloud App Discovery, as part of the Microsoft Cloud App Security framework, can assess and assign a risk score to discovered apps based on compliance, reputation, and other factors.
When responding to issues identified by Cloud App Discovery, what action should be taken for apps without a direct business need?
- A. Implement continuous monitoring
- B. Provide user training for allowed apps
- C. Sanction the app
- D. Unsanction the app
Answer: D. Unsanction the app
Explanation: For apps that aren’t necessary for business and might pose a security risk or lead to data leaks, the best course of action is often to unsanction them.
True or False: You can set up email notifications in Cloud App Discovery to alert administrators when new cloud apps are detected.
Answer: True
Explanation: Cloud App Discovery allows the configuration of email notifications that alert administrators when new cloud apps have been detected in the environment.
Which component is crucial for the discovery capabilities in Microsoft Cloud App Security?
- A. Microsoft Intune
- B. Azure Information Protection
- C. Microsoft Defender for Identity
- D. Traffic logs from network appliances
Answer: D. Traffic logs from network appliances
Explanation: Traffic logs from network appliances like firewalls and proxies are crucial for Cloud App Discovery to analyze and provide insights into cloud applications in use within the organization.
Interview Questions
What is Cloud App Discovery?
Cloud App Discovery is a feature of Microsoft Cloud App Security that allows organizations to discover the cloud applications used in their network.
What type of information does Cloud App Discovery provide?
Cloud App Discovery provides information about the usage and risk of cloud applications in an organization, including the number of users, amount of data transferred, and user activities.
How can Cloud App Discovery be deployed?
Cloud App Discovery can be deployed in a number of ways, including as a virtual machine, as a Docker container, or as a cloud service.
What are some benefits of using Cloud App Discovery?
Some benefits of using Cloud App Discovery include gaining visibility into cloud app usage, identifying potential security risks, and improving compliance with data protection regulations.
How does Cloud App Discovery identify cloud applications in use?
Cloud App Discovery uses a combination of log analysis, network traffic analysis, and user feedback to identify cloud applications in use.
What is a discovered app query?
A discovered app query is a customizable search query that can be used to filter and sort the results of a Cloud App Discovery scan.
How can discovered app queries be used to investigate issues?
Discovered app queries can be used to investigate issues related to cloud application usage, such as identifying applications with high risk scores or unusual user activity.
What are some common issues that can be identified with Cloud App Discovery?
Common issues that can be identified with Cloud App Discovery include shadow IT, unsanctioned app usage, and data exfiltration.
How can organizations respond to issues identified by Cloud App Discovery?
Organizations can respond to issues identified by Cloud App Discovery by creating policies to block or restrict access to high-risk applications, educating users on proper usage of cloud applications, and implementing additional security controls as needed.
How often should organizations run Cloud App Discovery scans?
It is recommended that organizations run Cloud App Discovery scans at least once per quarter to maintain visibility into cloud application usage and identify potential risks.
Great post! Very helpful in understanding Cloud App Discovery.
How should we deal with unauthorized apps identified during Cloud App Discovery?
How accurate is Cloud App Discovery in identifying risky apps?
Can someone explain the best practices for using Cloud App Discovery?
How do you handle false positives in Cloud App Discovery?
Thanks for this informative article!
Is there a way to automate responses to identified issues in Cloud App Discovery?
What is the impact of Cloud App Discovery on network performance?