Blocking access to Cloud apps by integrating Microsoft Cloud App Security with Microsoft Defender Advanced Threat Protection

Microsoft has quietly introduced the option to automatically block connections to unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console. This is accomplished by integrating MCAS with Microsoft Defender Advanced Threat Protection (MDATP).

Based on the information available in Cloud App Security, the app’s domains are used to create domain indicators in the Microsoft Defender ATP portal. Within Windows Defender the Exploit Guard Network Policy option is used to block the access to the URLs. This will eventually result in the following notification sent to the user.

Windows 10 Notification

In this blog post I will explain how to setup this functionality when Microsoft Intune is used and what the behavior is within Windows 10. This assumes that you are licensed for both MCAS and MDATP, in my case by using a Microsoft365 E5 license.

  1. Setting up the necessary options in the Microsoft Defender Security Center
  2. Setting up a Device Configuration Policy to enable Exploit Guard Network filtering Microsoft Intune in audit mode
  3. Configuring Microsoft Cloud App Security (MCAS)
  4. Testing Network Filtering in audit mode on Windows 10
  5. Modifying the Device Configuration Policy to enable Network filtering

Setting up the necessary options in the Microsoft Defender Security Center

We have to start with setting up the connection between the Microsoft Defender Security Center and MCAS. This can be accomplished by turning the Microsoft Cloud App Security setting to “On” under Advanced features. 

Microsoft Defender Security Center Settings General Data retention Alert notifications Power Bl reports Advanced features permissions Roles Machine groups APIs SIEM Rules Custom detections Alert suppression Indicators Automation allowed/blocked lists Automation uploads Automation folder exclusions Machine management Admin_lnsight24@insight24... on on on on on on Azure Integration Retrieves enriched user and machine data from Azure ATP and forwards Microsoft Defender ATP signals, resulting in better visibility, additional detections, and efficient investigations across both services. Forwarded data is stored and processed in the same location as your Azure ATP data. Office 365 Threat Intelligence connection Connects to Office 365 Threat Intelligence to enable security investigations across Office 365 mailboxes and Windows machines, For more information, see the Office 365 Threat Intelligence overview, Microsoft Cloud App Security Forwards Microsoft Defender ATP signals to Cloud App Security, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT, It also gives them the ability to block unauthorized applications when the custom network indicators setting is turned on, Forwarded data is stored and processed in the same location as your Cloud App Security data, This feature is available With an license for Enterprise Mobility + Security on machines running Windows 10 version 1709 (OS Build 16299, 1085 With KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with 04489899) or later Windows 10 versions. Azure Information Protection Forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. Forwarded data is stored and processed in the same location as your Azure Information Protection data. This feature is available With and a or E5 license for Enterprise Mobility + Security on machines running Windows 10, version 1809 or later. Microsoft connection Connects to Microsoft Intune to enable sharing Of device information and enhanced policy enforcement. Intune provides additional information about managed devices for secure score. It can use risk information to enforce conditional access and Other security policies. Preview features
Enable Microsoft Cloud App Security integration

Next we need to enable the Custom network indicators as well, this setting can also be found under Advanced features.

On Custom network indicators Configures machines to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists. To use this feature, machines must be running Windows 10 version 1709 or later. They should also have netvuork protection in block mode and version 4.18.1906.3 or later of the antimalware platform (see KB 4052623). Note that network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
Enable custom network indicators

Setting up a Device Configuration Policy to enable Exploit Guard Network filtering Microsoft Intune in audit mode

In order to enable network filtering on our Windows 10 devices with MDATP configured, we are going to define a Device Configuration policy in Microsoft Intune which we will target to our Windows 10 Devices. We will do this in audit mode first and test the outcome on one of our Windows 10 machines.

H«ne - Confgwation Create profile - W10 platfon•n • Windows 10 later Endsmint prot«tim Settings Configure O æla:ted o Rule(s) configured Endpoint Vi Endpoint protection SeQt a Qtegory to configwe 10 milable milable sma 2 settings available 40 settings available 21 2 settings available Gun. setting available sæie,• 18 milable 46 settings available 5 settings available plo it Guard filtering Microsoft Defender Exploit Guard Surface 15 settings available settings available filtering 1 milable 3 Network filtering Block outtwd 'mm any app to IP/don-.in TWs un abl«i in mxie Netmrk O Audit
Create Device Configuration Policy in Microsoft Intune

Microsoft provides guidelines on how to enable this option using other products like ConfigMgr and Group Policy, this is described in the following article: Enable network protection

Configuring Microsoft Cloud App Security (MCAS)

The first thing we need to do is enable the Cloud app control option in MCAS, this can be done from the Cloud app control section under settings.

Cloud App Security Settings Q Search System Organization details Mail settings Export settings 19 Automatic sign out Cloud Discovery Score metrics Snapshot reports Continuous reports Automatic log upload App tags Exclude entities Cloud app control user enrichment Anonym ization Delete data Threat Protection Cloud app control with Microsoft Defender Advanced Threat Protection Cloud app control allows you to block endpoints With Microsoft Defender Advanced Threat Protection. Block unsanctioned apps and domains with Microsoft Defender Advanced Threat Protection. Enabling this Will block endpoint access to cloud apps marked as unsanctioned in Cloud App Security. Save Secure your data as described in our privacy Statement,
Enable Cloud app control

Edit April 2020: Cloud app Control is now called Microsoft Defender ATP, from here you have the option to enabled “Block unsanctioned apps”

Update April 2020: Section is now called Microsoft Defender ATP

In our example we are going to block access to iTunes, the screenshot details that iTunes has been unsanctioned in our Cloud App Security portal.

Cloud App Security Cloud Discovery Dashboard QUERIES Select a query... Browse by category: Q Search for News and entertainment Continuous report Win 10 Endpoint Users • Timeframe Last 30 days. Updated on Jan 16. 2020 Discovered apps APPS itunes App IP addresses Score APP TAG O Traffic 11 MB Users None RISK SCORE Machines Users 2 COMPLIANCE RISK FA... Select factors„. Save as Actions V Advanced SECURITY RISK FACTO. Select factors... - 1 of 1 discovered apps New policy from search Machines iTunes 8 234 KB Transacti 8 Jan 6, 2020
Unsanction iTunes in the Cloud App Security portal

Testing Network Filtering in audit mode on Windows 10

In order to start testing the network filtering in Windows 10, we first need to make sure that the Device configuration policy set in Microsoft Intune has landed on our test device. Once set, we can find the following entry in the Windows Defender eventlog.

Event 507, Windows Defender General Details Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\Windows Defender Exploit Guard\Network Protection\EnabIeNetworkProtection New value: Defender\PoIicy Manaqer\Windows Defender Exploit GuardNNetwork Protection\EnabIeNetworkProtection Ox2 Log Name: Source Event ID: OpCode More Information: Microsoft-Windows-Windop,s Defender,operational Windo'.% Defender Information SYSTEM Info kygnt.Lga.Qnling.Hg12 Logged: 17/01/2020 Task Category: None Computer: DESKTOP-KOM3CB
EventID 5007 in the Windows Defender Eventlog

Once we start iTunes on our Windows 10 test device, we see EventID 1125 appear, detailing that the destination https://init.itunes.apple.com would have been blocked by the Network policy.

Event 1125, Windows Defender General Details Your IT administrator would have caused Windows Defender Exploit Guard to block a potentially dangerous network connection. Detection time: 2020-01-17T12: 1852.604Z User. s. 1 1929916352 Destination: httQv.'.'init RQQle cnm Process Name: iTunes.exe Log Name: Source Event ID: OpCode More Information: Microsoft-Windows-Windop,s Defender,operational Defender 1125 Information SYSTEM Info kygnt.Lga.Qnling.Hg12 Logged: 17/01/2020 Task Category: None Computer: DESKTOP-KOM3CB
EventID 1125 in the Windows Defender Eventlog

Modifying the Device Configuration Policy to enable Network filtering

Now that we tested the Network filtering policy in audit mode, we are ready to enable the Network protection by modifying our earlier created Device Configuration Policy.

Network filtering outbound conr«tion trom any app to Ic•n reputation IP/domain This can be enabled in Audit/EIock mode, Leam more O äable
Enable Network protection

Network filtering behavior after Network protection is enabled

Once we modified the Device Configuration policy, it’s best to trigger a synchronization on our Windows 10 device so that the device configuration policy becomes active.

This will be reflected by EventID 5007 in the Windows Defender eventlog, detailing that Network

Event 507, Windows Defender General Details Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value. Defender\PoIicy Manaqer\Windows Defender Exploit Guard\Network Protection\EnabIeNetworkProtection Ox2 New value. Defender\PoIicy Manaqer\Windows Defender Exploit GuardNNetwork Protection\EnabIeNetworkProtection Oxl Log Name: Source ID: OpCode More Information: Microsoft-Windows-Windop,s Defender,operational Defender Information SYSTEM Info kygnt.Lu.Qnling.Hg12 Logged: 17/01/2020 132646 Task Category: None Computer: DESKTOP-KOM3CB
EventID 5007 in the Windows Defender Eventlog

If we start iTunes now, we receive the following notification

Windows Defender notification in Windows 10

If you don’t receive a notification, it might be that you need to enable notifications first

Windows Security Home Virus & threat protection Account protection Firewall & network protection App & browser control Device security Device performance & health Family options Setf ngs Q Notifications Windows Security will send notifications with critical information about the health and security of your device. You can specify which informational notifications you want. Virus & threat protection notifications Get informational notifications on Recent activity and scan results Threats found, but no immediate action is needed Files or activities are blocked Virus & threat protection settings Account protection notifications Get account protection notifications on Problems with Windows Hello Problems with Dynamic lock Firewall & network protection Have a question? Get help Help improve Windows Security Give us feedback Change your privacy settings View and change privacy settings for your Windows 10 device. Privacy settings Privacy dashboard Privacy Statement
Enable notification for Windows Defender

The corresponding entry in the Windows Defender eventlog is EventID 1126 now detailing that the network connection has been blocked.

Event 1126, Windows Defender General Details Your IT administrator has caused Windows Defender Exploit Guard to block a potentially dangerous network connection. Detection time: 2020-01-17T1227:S0053Z user: S- 1-12-1-1620780166-1164677675-3462653358-1929916352 Destination: it. process Name: \iTunesexe Log Name: Source: Event ID: Level: User: OpCode: More Information: Microsoft Windows-Windows Defender,operational Windows Defender 1126 SYSTEM Info Event Log Online Help Logged: 17/01/2020 132750 Task Category: None Kepvords: Computer: DESKTOP-KOM3CB
EventID 1126 in the Windows Defender Eventlog

You will also notice that you’ll start receiving errors in the iTunes application itself, an example below:

File Edit Song View Controls Account Help Music Library iTunes For You Browse Radio Store iTunes could not connect to the iTunes Store, An unknown error occurred (0*80090326)_ Make your network connection is active and try again. iTunes Store
Error in iTunes

From the Microsoft Defender Security Center we can now see the following Alert appear which gives us central control about all our unsanctioned cloud apps.

Microsoft Defender Security Center @ Security operations > Connection to a blocked cloud application was... Connection to a blocked cloud application was detected This alert is part of incident (3) Actions v Automated investigation is not applicable to alert type @ Custom TI Alert context desktop-6com3cb azuread\kennethvansurksum Low Suspicious Activity Custom Tl Status State: Classification: Assigned to: Admin_lnsight24@insight24... New Not set Not assigned Severity: Category: Detection source: Description First activity: Last activity: 17.01.2020 17.01.2020 Endpoint had established a connection with a risky cloud application itunes.apple.com. This connection was classified as risky according to your organization Microsoft Cloud App Security administrator. You can view the respective indicator under the URLs/Domain tab or from within the Microsoft Cloud App Security portal. Recommended actions A. Validate the alert and scope the suspected breach. 1. Find related machines, netvuork addresses, and files in the incident graph. 2. Check for other suspicious activities in the machine timeline. 3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures. Show more Alert process tree O Alert process tree is not available for this alert This alert is related to I other event not displayed here. Last event time is 17.012020 12:18:52. Click here to see all related events in the machine timeline.
Alerts in the Microsoft Defender Security Center

Conclusion

Cloud app control is a very welcome addition to the MCAS portfolio, even though Microsoft provided integration with 3rd party solution in order to block network connections in the past, having a direct integration and being able to block cloud app usage directly from the MCAS portal is a really nice solution.

It would be nice though to also be able to block the actual execution of the application on the client as well, by being able to automatically create Applocker policies or configure Device Guard. Perhaps in the future, time will tell.

References

Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security – https://docs.microsoft.com/en-us/cloud-app-security/wdatp-integration

Sanctioning/unsanctioning an app – https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery#BKMK_SanctionApp

Create indicators for IPs and URLs/domains (preview) – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-ips-and-urlsdomains-preview

Enable network protection – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection

Evaluate network protection – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection

Enable network protection in audit mode – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#enable-network-protection-in-audit-mode

Windows 10 Device Guard Versus AppLocker – https://www.petri.com/windows-10-device-guard-versus-applocker

10 thoughts on “Blocking access to Cloud apps by integrating Microsoft Cloud App Security with Microsoft Defender Advanced Threat Protection

  1. Greate article :hearteyes:. Unfortunatly i’m having mixed success with this 🙁

    Running: Office E3 licenses, on prem domain joined Windows 10 – 2004 (19041.113) and Windows 10 – 1909 (18363.693) Machines are not Intune-managed.
    App in question: Discordapp.com (Action in Cloud App Security: Unsanctioned-tag)
    Cloud App Security and Microsoft Defender Security Center are integrated, and data flow between the two.

    All things turned on under “Advanced features” in Microsoft Defender Security Center.

    PowerShell: EnableNetworkProtection set to Enabled (1/Block mode)

    Using Microsoft Edge (80.0.2361.66) visting discordapp.com gets the blocked message with Microsoft Defender SmartScreen.
    Using any other browser, or running app on one of the two test computeres, things fly past Microsoft Defender.

    Any thoughts on what I’m missing (or misunderstanding)?

    Reply

    1. Hi Peter,

      I have no idea, I do see that you use another setup compared to mine.. what edition of Windows 10 are you running for example? (ENT or PRO?) – it must be related to something in that area i’m afraid.

      Please let me know, hope I can help you out from there

      /Kenneth

      Reply

  2. We integrated Defender ATP with Cloudapp Security and data is visible on the Cloud Discovery Dashboard. But within CAS/Settings no entry can be found to Cloud App Control!! Unsanctioning an app doesn’t seem to work. Within Defender ATP all settings are correct, incl Custom Network indicators. Network Filtering is in audit mode.
    Do you have any idea why we can’t access Cloud App cControl within CAS?

    Reply

    1. Hi Marc,

      The Cloud app Control section is now called Microsoft Defender ATP, from here you have the option to enabled “Block unsanctioned apps” – I modified the article to reflect this change.

      Regards,
      Kenneth

      Reply

      1. Hello Kenneth,
        Thanks for your reply, but I also don’t have an entry called Microsoft Defender ATP. We’re using the latest version of Cloudapp Security.

        Regards, Marc

        Reply

        1. Hi Marc,

          What kind of License do you have? It must be license related then – For the functionality described in my blog posting a M365 E5 license was used.

          Regards, Kenneth

          Reply

          1. Hello Kenneth,
            We use E3-licenses combined with separate ATP and CAS-licenses. So it should be sufficient.

            Regards Marc

          2. Should be sufficient indeed – Did you enable the integration from the MDATP security center? And how long ago was that? If you followed my steps exactly, then you should probably log a call with Microsoft on this.

            Sorry for not being able to help you out directly..

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.