Using Microsoft Defender for Identity with Microsoft Cloud App Security

This article is designed to help you understand how Microsoft Defender for Identity functionality is represented in the Microsoft Cloud App Security portal.

Leveraging existing on-premises detections and abnormal behavior analytics, accessing Defender for Identity through the Microsoft Cloud App Security portal lets you detect and alert on sensitive data exfiltration across your enterprise. This hybrid offering analyzes activity and alerts using User and Entity Behavior Analytics (UEBA) to determine risky behaviors, and provides an investigation priority score to streamline your incident response for compromised identities.

In this article you'll learn:

  • Service overview
  • New ways to access Defender for Identity
  • Licensing prerequisites
  • Where to find Defender for Identity tracked activities in Cloud App Security

Service overview

Integrating with Defender for Identity, the Cloud App Security portal provides alerts and insights from:

  • Microsoft Cloud App Security, which identifies attacks within a cloud session, covering not only Microsoft products but also third-party applications
  • Microsoft Defender for Identity, which uses machine learning and behavioral analytics to identify attacks across your on-premises network
  • Azure Active Directory Identity Protection, which detects and proactively prevents user and sign-in risks to identities in the cloud

Prerequisites

For complete user investigation features across the hybrid environment, you must have:

  • A valid license for Microsoft Cloud App Security
  • A valid license for Microsoft Defender for Identity connected to your Active Directory instance

Note

  • If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Defender for Identity alerts and deep-dive into users and their on-premises managed activities, but you won't receive related insights from your cloud applications.
  • Defender for Identity administrators may require new permissions to access Cloud App Security. To learn how to assign permissions to Cloud App Security, see Manage admin access.

See Defender for Identity integration to learn how to quickly enable Defender for Identity in Cloud App Security.

Defender for Identity in Cloud App Security

See the Cloud App Security quickstart to familiarize yourself with the basics of using the Cloud App Security portal.

Alerts

Defender for Identity alerts are displayed within the Cloud App Security Alerts queue. Additional alert filtering options are available only when viewing alerts using Cloud App Security. Defender for Identity alerts are filtered using the application filter to Active Directory.

Alert management

When using Defender for Identity with Cloud App Security, closing alerts in one service won't automatically close them in the other service. More specifically, closing alerts in Cloud App Security won't close them in Defender for Identity, but closing alerts in Defender for Identity will synchronize the closure in Cloud App Security. Decide where to manage and remediate alerts to avoid duplicated effort.

SIEM notification

If both your services (Defender for Identity and Cloud App Security) are currently configured to send alert notifications to a SIEM, after enabling Defender for Identity integration in Cloud App Security, you'll start to receive duplicate SIEM notifications for the same alert. One alert will be issued from each service and they'll have different alert IDs. To avoid duplication and confusion, decide where you intend to perform alert management, and then stop SIEM notifications being sent from the other service.
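Until SIEM notifications from one service are switched off, a SOC will see the duplicate pairs described above. The following added example (not Microsoft's code) shows how an analyst might correlate them in a triage script: the field names, the sample notifications and the 5-minute matching window are all constructed assumptions, not a documented SIEM schema.

```python
from datetime import datetime, timedelta

# Constructed sample SIEM notifications (assumed field names, not real product
# output). The first two entries are the same on-premises detection surfaced
# once by each service, each with its own alert ID, as the text describes.
SAMPLE_NOTIFICATIONS = [
    {"source": "Defender for Identity", "alert_id": "MDI-0001",
     "title": "Suspected brute-force attack (Kerberos, NTLM)",
     "user": "alice@contoso.example", "time": "2021-03-01T10:00:05Z"},
    {"source": "Cloud App Security", "alert_id": "MCAS-7f3a",
     "title": "Suspected brute-force attack (Kerberos, NTLM)",
     "user": "alice@contoso.example", "time": "2021-03-01T10:00:41Z"},
    {"source": "Cloud App Security", "alert_id": "MCAS-7f3b",
     "title": "Impossible travel activity",
     "user": "bob@contoso.example", "time": "2021-03-01T10:02:00Z"},
    {"source": "Defender for Identity", "alert_id": "MDI-0002",
     "title": "Suspected brute-force attack (Kerberos, NTLM)",
     "user": "alice@contoso.example", "time": "2021-03-01T12:30:00Z"},
]

def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_cross_service_duplicates(notifications, window=timedelta(minutes=5)):
    """Return (defender_id, cloud_app_id) pairs that describe the same alert.

    Alert IDs differ between the services, so matching uses the affected user,
    the alert title and arrival within `window` of each other (an assumption).
    """
    by_source = {"Defender for Identity": [], "Cloud App Security": []}
    for n in notifications:
        by_source.setdefault(n["source"], []).append(n)
    pairs = []
    for mdi in by_source["Defender for Identity"]:
        for mcas in by_source["Cloud App Security"]:
            same_subject = (mdi["user"], mdi["title"]) == (mcas["user"], mcas["title"])
            close_in_time = abs(_parse_time(mdi["time"]) - _parse_time(mcas["time"])) <= window
            if same_subject and close_in_time:
                pairs.append((mdi["alert_id"], mcas["alert_id"]))
    return pairs

def deduplicate(notifications, keep_source="Defender for Identity"):
    """Drop the copy from the service you chose NOT to manage alerts in."""
    pairs = find_cross_service_duplicates(notifications)
    drop = {mcas for _, mcas in pairs} if keep_source == "Defender for Identity" \
        else {mdi for mdi, _ in pairs}
    return [n for n in notifications if n["alert_id"] not in drop]
```

This is a stop-gap for triage only; the page's actual remedy is to stop SIEM notifications from the service you do not manage alerts in.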

Activities

Defender for Identity alerts are displayed within the Cloud App Security Activity log. Additional activity filtering options and features are available only when viewing alerts using Cloud App Security. See Defender for Identity activities using Microsoft Cloud App Security to learn how to filter and create new activity policies.

User pages

User pages contain the Investigation Priority Score of each user and an activity log of all actions.

To access a user page of a system user:

  1. Open Alerts from the main menu.
  2. Select and filter the alerts queue for a specific user by using the User Name field.

or

  1. From the Investigate menu, select Activity log.

  2. Filter the Activity log queue by user.


Join the Community

Do you have more questions, or an interest in discussing Defender for Identity and related security with others? Join the Defender for Identity Community today!