Set up Cloud Discovery
Applies to: Microsoft Cloud App Security
Cloud Discovery analyzes your traffic logs against Microsoft Cloud App Security's cloud app catalog of over 16,000 cloud apps. The apps are ranked and scored based on more than 80 risk factors to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses into your organization.
Snapshot and continuous risk assessment reports
There are two types of reports you can generate:
Snapshot reports - Provides ad-hoc visibility on a set on traffic logs you manually upload from your firewalls and proxies.
Continuous reports - Analyze all logs that are forwarded from your network using Cloud App Security. They provide improved visibility over all data, and automatically identify anomalous use using either the Machine Learning anomaly detection engine or by using custom policies that you define. These reports can be created by connecting in the following ways:
- Microsoft Defender ATP integration: Cloud App Security integrates with Microsoft Defender Advanced Threat Protection (ATP) natively, to simplify rollout of Cloud Discovery, extend Cloud Discovery capabilities beyond your corporate network, and enable machine-based investigation.
- Log collector: Log collectors enable you to easily automate log upload from your network. The log collector runs on your network and receives logs over Syslog or FTP.
- Zscaler integration: If you work with both Cloud App Security and Zscaler, you can integrate the two products to enhance your security Cloud Discovery experience. Together, Cloud App Security and Zscaler provide seamless deployment of Cloud Discovery, automatic blocking of unsanctioned apps, and risk assessment directly in the Zscaler portal.
- iboss integration: If you work with both Cloud App Security and iboss, you can integrate the two products to enhance your security Cloud Discovery experience. Together, Cloud App Security and iboss provide seamless deployment of Cloud Discovery, automatic blocking of unsanctioned apps, and risk assessment directly in the iboss portal.
- Corrata integration: If you work with both Cloud App Security and Corrata, you can integrate the two products to enhance your security Cloud Discovery experience. Together, Cloud App Security and Corrata provide seamless deployment of Cloud Discovery, automatic blocking of unsanctioned apps, and risk assessment directly in the Corrata portal.
Log process flow: From raw data to risk assessment
The process of generating a risk assessment consists of the following steps. The process takes between a few minutes to several hours depending on the amount of data processed.
Upload – Web traffic logs from your network are uploaded to the portal.
Parse – Cloud App Security parses and extracts traffic data from the traffic logs with a dedicated parser for each data source.
Analyze – Traffic data is analyzed against the Cloud App Catalog to identify more than 16,000 cloud apps and to assess their risk score. Active users and IP addresses are also identified as part of the analysis.
Generate report - A risk assessment report of the data extracted from log files is generated.
Continuous report data is analyzed twice a day.
- Barracuda - Web App Firewall (W3C)
- Blue Coat Proxy SG - Access log (W3C)
- Check Point
- Cisco ASA with FirePOWER
- Cisco ASA Firewall (For Cisco ASA firewalls, it's necessary to set the information level to 6)
- Cisco Cloud Web Security
- Cisco FWSM
- Cisco IronPort WSA
- Cisco Meraki – URLs log
- Clavister NGFW (Syslog)
- Digital Arts i-FILTER
- Fortinet Fortigate
- iboss Secure Cloud Gateway
- Juniper SRX
- Juniper SSG
- McAfee Secure Web Gateway
- Microsoft Forefront Threat Management Gateway (W3C)
- Palo Alto series Firewall
- Sonicwall (formerly Dell)
- Sophos SG
- Sophos XG
- Sophos Cyberoam
- Squid (Common)
- Squid (Native)
- Websense - Web Security Solutions - Investigative detail report (CSV)
- Websense - Web Security Solutions - Internet activity log (CEF)
Cloud Discovery supports both IPv4 and IPv6 addresses.
If your log isn't supported, or if you are using a newly released log format from one of the supported data sources and the upload is failing, select Other as the Data source and specify the appliance and log you're trying to upload. Your log will be reviewed by the Cloud App Security cloud analyst team and you'll be notified if support for your log type is added. Alternatively, you can define a custom parser that matches your format. For more information, see Use a custom log parser.
The following list of supported appliances may not work with newly released log formats. If you are using a newly released format and the upload is failing, use a custom log parser and if required, open a support case.
Data attributes (according to vendor documentation):
|Data source||Target App URL||Target App IP||Username||Origin IP||Total traffic||Uploaded bytes|
|Cisco ASA (Syslog)||No||Yes||No||Yes||Yes||No|
|Cisco ASA with FirePOWER||Yes||Yes||Yes||Yes||Yes||Yes|
|Cisco Cloud Web Security||Yes||Yes||Yes||Yes||Yes||Yes|
|Cisco Ironport WSA||Yes||Yes||Yes||Yes||Yes||Yes|
|Clavister NGFW (Syslog)||Yes||Yes||Yes||Yes||Yes||Yes|
|SonicWall (formerly Dell)||Yes||Yes||No||Yes||Yes||Yes|
|Digital Arts i-FILTER||Yes||Yes||Yes||Yes||Yes||Yes|
|ForcePoint Web Security Cloud*||Yes||Yes||Yes||Yes||Yes||Yes|
|Palo Alto Networks||No||Yes||Yes||Yes||Yes||Yes|
|Websense - Investigative detail report (CSV)||Yes||Yes||Yes||Yes||Yes||Yes|
|Websense - Internet activity log (CEF)||Yes||Yes||Yes||Yes||Yes||Yes|
* Versions 8.5 and later of Forcepoint Web Security Cloud are not supported