Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security

Applies to: Microsoft Cloud App Security

Microsoft Cloud App Security integrates with Microsoft Defender Advanced Threat Protection (ATP) natively. The integration simplifies roll out of Cloud Discovery, extends Cloud Discovery capabilities beyond your corporate network, and enables machine-based investigation. Microsoft Defender Advanced Threat Protection (ATP) is a security platform for intelligent protection, detection, investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.

Microsoft Cloud App Security uses the traffic information collected by Microsoft Defender ATP about the cloud apps and services being accessed from IT-managed Windows 10 machines. The integration enables you to run Cloud Discovery on any machine in the corporate network, using public wifi, while roaming and over remote access. It also enables machine-based investigation.

After you identify a risky user, you can check all the machines the user accessed to detect potential risks. If you identify a risky machine, check all the users who used it to detect potential risks. Logs from your endpoints routed to Cloud App Security provide user information for traffic activities. Microsoft Defender ATP network activity provides device context. Pair device context with the username to provide a full picture across your network of which user did which activity from which machine.

Microsoft Cloud App Security uses the native integration with Microsoft Defender ATP to tap into data about cloud app and service traffic from managed Windows devices. The integration doesn't require any additional deployment and works out of the box. You don't need to route or mirror traffic from your endpoints or do complex integration steps.

Note

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Prerequisites

  • Microsoft Cloud App Security license
  • Microsoft Defender ATP license
  • Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions
  • Toggle on Preview features to enable this feature in Cloud App Security

How it works

On its own, Cloud App Security collects logs from your endpoints using either logs you upload or by configuring automatic log upload. Native integration enables you to take advantage of the logs Microsoft Defender ATP's agent creates when it runs on Windows and monitors network transactions. Use this information for Shadow IT discovery across the Windows machines on your network.

To enable you to perform Cloud Discovery across other platforms, it's best to use both the Cloud App Security log collector, along with Microsoft Defender ATP integration to monitor your Windows 10 machines.

How to integrate Microsoft Defender ATP with Cloud App Security

To enable integration with Cloud App Security from Microsoft Defender ATP:

  1. In the Microsoft Defender ATP portal, from the navigation pane, select Preferences setup.
  2. In the Settings menu, under General, select Advanced features.
  3. Toggle the Microsoft Cloud App Security to On.
  4. Click Save preferences.

Note

It takes up to two hours after you enable the integration for the data to show up in Cloud App Security.

WD ATP settings

Investigate machines in Cloud App Security

After you integrate Microsoft Defender ATP with Cloud App Security, you can investigate discovered machine data in the Cloud Discovery dashboard.

  1. In the Cloud App Security portal, click Cloud Discovery and then Cloud Discovery dashboard.

  2. In the top navigation bar, under Continuous reports, select Win10 endpoint users. WD ATP report

  3. Across the top, you'll see the number of discovered machines added after the integration.

  4. Click the Machines tab.

  5. You can drill down into each machine that's listed, and use the tabs to view the investigation data. Find correlations between the machines, the users, IP addresses, and apps that were involved in incidents:

    • Overview
      • Transactions: Information about the number of transactions that took place on the machine over the selected period of time.
      • Total traffic: Information about the total amount of traffic (in MB) over the selected period of time.
      • Uploads: Information about the total amount of traffic (in MB) uploaded by the machine over the selected period of time.
      • Downloads: Information about the total amount of traffic (in MB) downloaded by the machine over the selected period of time.
    • Discovered apps
      Lists all the discovered apps that were accessed by the machine.
    • User history
      Lists all the users who signed in to the machine.
    • IP address history
      Lists all the IP addresses that were assigned to the machine. Machines overview

As with any other Cloud Discovery source, you can export the data from the Win10 endpoint users report for further investigation.

Note

  • Defender ATP forwards data to Cloud App Security in chunks of ~4 MB (~4000 endpoint transactions)
  • If the 4 MB limit isn't reached within 1 hour, Defender ATP reports all the transactions performed over the last hour.
  • If the endpoint device is behind a forward proxy, the volume of traffic won't be visible to Microsoft Defender ATP and hence will not be included in Cloud Discovery reports. For more information, see Monitoring network connection behind forward proxy.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.