Cloud App Security integrated with Defender ATP


This article is related to another article on the integration of the Microsoft Threat Protection (MTP) products:

Windows Defender ATP (MDATP) integration with Advanced Threat Protection services

And for more configuration details you can go to

CAS integration with MDATP

MDATP (Microsoft Defender Advanced Threat Protection)

MCAS (Microsoft Cloud App Security)

In this article we will walk through a real case scenario of the MCAS integration with MDATP.

This is a case seen in MDATP.

The following is the view from the MDATP alerts queue.

The alerts show that a number of computers have the alert "Connection to custom network", under the category Initial Access (the adversary is trying to get into your network).

Phishing is one of the techniques under Initial Access, as mentioned in the Initial Access definition.


Detection source and category

Category is Initial Access

Detection source is Custom TI


You can review the matrix at the following link

Enterprise Matrix


And the following is the incident graph (the file graph view in MDATP).

The graph tells the story of the attack.

Incident graph


As you can see, in the delivery phase of the cyber kill chain

Outlook was used as the channel for receiving the malware as an attachment.

And the following shows that the file was trying to reach a web site, but the connection was blocked.

You can read more about the Microsoft cyber kill chain and how the Microsoft advanced threat protection systems disrupt the kill chain.


On further investigation, the connection was blocked by the MCAS source.

The web site belongs to an application that is considered unsanctioned, so it was blocked by Cloud App Security. Unsanctioning an app in MCAS pushes the app's domains to MDATP as custom network indicators, which is why the detection source of the alert is Custom TI.

The following is how to configure the unsanctioned apps:

Sanctioning/unsanctioning an app


Just make sure to configure the integration as described here:

CAS integration with MDATP
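To make the flow above concrete, here is a small offline model of it: the unsanctioned apps from the configuration step become custom network indicators, endpoint connections are checked against them, and blocked connections are raised as alerts with the category and detection source seen in the alert queue earlier in the post. This is an added example, not code from the original post or from Microsoft; the app names, domains, computer names and connection events are constructed, the indicator field names follow the Defender ATP indicators API body, and the `CustomerTI` detection-source value is assumed here for "Custom TI".

```python
"""Added example: model of MCAS unsanctioned apps -> MDATP custom network indicators
-> 'Connection to custom network' alerts. All names, domains and events are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: apps marked "unsanctioned" in MCAS and the domains known for each app.
UNSANCTIONED_APPS = {
    "Example File Share": ["fileshare.example", "cdn.fileshare.example"],
    "Example Pastebin": ["paste.example"],
}

# Alert title as shown in the post's MDATP alert queue.
ALERT_TITLE = "Connection to custom network"


def build_indicators(apps, expiration="2020-12-31T00:00:00Z"):
    """Turn the unsanctioned-app list into indicator payloads.
    Keys follow the Defender ATP indicators API body; values are constructed.
    Nothing is sent anywhere in this example."""
    indicators = []
    for app, domains in apps.items():
        for domain in domains:
            indicators.append({
                "indicatorValue": domain.lower().rstrip("."),
                "indicatorType": "DomainName",
                "action": "AlertAndBlock",
                "title": f"Unsanctioned cloud app: {app}",
                "description": "Pushed from the Cloud App Security unsanctioned app list",
                "severity": "Medium",
                "expirationTime": expiration,
            })
    return indicators


def domain_matches(host, indicator_domain):
    """True when host equals the indicator domain or is a subdomain of it.
    The dot boundary stops 'notpaste.example' from matching 'paste.example'."""
    host = host.lower().rstrip(".")
    return host == indicator_domain or host.endswith("." + indicator_domain)


def find_blocking_indicator(url, indicators):
    """Return the first DomainName indicator that covers the URL's host, else None."""
    host = urlsplit(url).hostname or ""
    for indicator in indicators:
        if indicator["indicatorType"] == "DomainName" and \
                domain_matches(host, indicator["indicatorValue"]):
            return indicator
    return None


# Constructed: outbound connections as endpoints might report them.
EVENTS = [
    {"computerDnsName": "pc-01.corp.example", "initiatingProcess": "attachment.exe",
     "url": "https://fileshare.example/upload"},
    {"computerDnsName": "pc-02.corp.example", "initiatingProcess": "attachment.exe",
     "url": "https://CDN.fileshare.example/dl/a.bin"},
    {"computerDnsName": "pc-01.corp.example", "initiatingProcess": "attachment.exe",
     "url": "https://paste.example/raw/abc"},
    {"computerDnsName": "pc-03.corp.example", "initiatingProcess": "msedge.exe",
     "url": "https://notpaste.example/"},        # must not match paste.example
    {"computerDnsName": "pc-03.corp.example", "initiatingProcess": "msedge.exe",
     "url": "https://fileshare.example.com/"},   # must not match fileshare.example
]


def raise_alerts(events, indicators):
    """One alert per blocked connection, using the fields seen in the post.
    'InitialAccess' is the category shown in the queue; 'CustomerTI' is the
    detection-source value assumed here for 'Custom TI'."""
    alerts = []
    for event in events:
        hit = find_blocking_indicator(event["url"], indicators)
        if hit is None:
            continue
        alerts.append({
            "title": ALERT_TITLE,
            "category": "InitialAccess",
            "detectionSource": "CustomerTI",
            "computerDnsName": event["computerDnsName"],
            "description": f"{event['initiatingProcess']} tried to reach {event['url']}; "
                           f"blocked by indicator '{hit['title']}'",
        })
    return alerts


def machines_per_alert(alerts):
    """Group like the alert queue: which computers raised each alert title."""
    grouped = defaultdict(set)
    for alert in alerts:
        grouped[alert["title"]].add(alert["computerDnsName"])
    return {title: sorted(machines) for title, machines in grouped.items()}


if __name__ == "__main__":
    indicators = build_indicators(UNSANCTIONED_APPS)
    alerts = raise_alerts(EVENTS, indicators)
    for title, machines in machines_per_alert(alerts).items():
        print(f"{title}: {len(machines)} computer(s) -> {', '.join(machines)}")
    for alert in alerts:
        print("  ", alert["computerDnsName"], "-", alert["description"])
```

Running it lists two computers under "Connection to custom network" (pc-01 twice, pc-02 once) and ignores the two look-alike hosts. One caveat for the real integration: a network indicator is only enforced on the endpoint when Defender's network protection is enabled on the device; without it the indicator can raise the alert but the connection is not blocked.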




Cloud App Security uses the MITRE ATT&CK matrix to categorize threats.

The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Enterprise Matrix

For more, see

Understand what ATT&CK is and why MITRE created it

