This article is related to another article on the integration of MTP products: Windows Defender ATP (MDATP) integration with Advanced Threat Protection services.
For more configuration details you can go to:
MDATP (Microsoft Defender Advanced Threat Protection)
MCAS (Microsoft Cloud App Security)
In this article we will walk through a real-case scenario of MCAS integration with MDATP.
This is a case taken from the MDATP console.
The following view is from the MDATP alerts queue.
The alerts show that a number of computers have the alert "Connection to custom network" under the category Initial Access (the adversary is trying to get into your network), which covers phishing techniques, as mentioned in the Initial Access definition.
Detection source and category:
Category is Initial Access
Detection source is Custom TI
You can review the matrix at the following link.
The following is the file graph. The graph tells the story of the attack.
As you can see in the delivery phase of the cyber kill chain, Outlook was used as the channel for receiving the malware as an attachment.
The following shows that the file was trying to reach a web site, but the connection was blocked.
You can read more about the Microsoft cyber kill chain and how the kill chain is disrupted by Microsoft Advanced Threat Protection systems.
On further investigation, the block was sourced from MCAS: the destination is considered an unsanctioned application and was therefore blocked by Cloud App Security.
The following is how to configure unsanctioned apps:
Sanctioning/unsanctioning an app
Just make sure to configure it as described there.
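To make the triage step above repeatable, here is a small added example (not code from the original post or from Microsoft) that takes alert records shaped like the MDATP queue in this case and checks which Custom TI blocks are explained by the MCAS unsanctioned-app list. The alert field names, host names and machine names are constructed assumptions for this example, not the MDATP schema.

```python
from collections import defaultdict

# Constructed sample alerts, modelled on the MDATP alert queue shown in the post:
# several machines, category Initial Access, detection source Custom TI.
# Field names are assumptions made for this example, not the MDATP schema.
SAMPLE_ALERTS = [
    {"machine": "pc-01", "category": "InitialAccess", "detection_source": "CustomTI",
     "title": "Connection to a custom network indicator",
     "remote_host": "filedrop.example", "action": "Blocked"},
    {"machine": "pc-02", "category": "InitialAccess", "detection_source": "CustomTI",
     "title": "Connection to a custom network indicator",
     "remote_host": "filedrop.example", "action": "Blocked"},
    {"machine": "pc-03", "category": "InitialAccess", "detection_source": "CustomTI",
     "title": "Connection to a custom network indicator",
     "remote_host": "sharetool.example", "action": "Blocked"},
    {"machine": "pc-04", "category": "Execution", "detection_source": "EDR",
     "title": "Suspicious script", "remote_host": None, "action": "Detected"},
]

# Constructed list of apps marked "unsanctioned" in MCAS. These are what MCAS pushes to
# MDATP as custom network indicators, which is why the blocks show up as Custom TI.
MCAS_UNSANCTIONED = {"filedrop.example"}


def custom_ti_blocks(alerts):
    """Keep only alerts raised by the Custom TI detection source."""
    return [a for a in alerts if a["detection_source"] == "CustomTI"]


def attribute_to_mcas(alerts, unsanctioned):
    """Group Custom TI blocks by destination and flag whether MCAS explains each one.

    A Custom TI block whose destination is not in the MCAS unsanctioned list came from
    some other custom indicator and needs a different owner during triage.
    """
    by_host = defaultdict(set)
    for a in custom_ti_blocks(alerts):
        by_host[a["remote_host"]].add(a["machine"])
    return {
        host: {"machines": sorted(machines), "mcas_unsanctioned": host in unsanctioned}
        for host, machines in by_host.items()
    }


def unattributed_hosts(alerts, unsanctioned):
    """Destinations blocked by Custom TI that the MCAS unsanctioned list does not explain."""
    result = attribute_to_mcas(alerts, unsanctioned)
    return sorted(h for h, v in result.items() if not v["mcas_unsanctioned"])


if __name__ == "__main__":
    for host, info in attribute_to_mcas(SAMPLE_ALERTS, MCAS_UNSANCTIONED).items():
        print(host, info)
```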
Cloud App Security uses the MITRE ATT&CK matrix for categorizing threats. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
For more, see: understand what ATT&CK is and why MITRE created it.