Cloud Discovery policies

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

This article provides an overview of how to get started using Cloud App Security to gain visibility across your organization into Shadow IT using Cloud Discovery.

Cloud App Security enables you to discover and analyze cloud apps that are in use in your organization's environment. The Cloud Discovery dashboard shows all the cloud apps running in the environment and categorizes them by function and enterprise readiness. For each app, it discovers the associated users, IP addresses, machines, and transactions, and conducts a risk assessment without needing to install an agent on your endpoint devices.

Detect new high-volume or wide app use

Detect new apps that are highly used, in terms of number of users or amount of traffic in your organization.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports.

Steps

  1. On the Policies page, create a new App discovery policy.

  2. In the Policy template field, select New high volume app or New popular app and apply the template.

  3. Customize policy filters to meet your organization's requirements.

  4. Configure the actions to be taken when an alert is triggered.

Note

An alert is generated once for each new app that was not discovered in the last 90 days.

Detect new risky or non-compliant app use

Detect potential exposure of your organization in cloud apps that do not meet your security standards.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports.

Steps

  1. On the Policies page, create a new App discovery policy.

  2. In the Policy template field, select the New risky app template and apply the template.

  3. Under App matching all of the following, set the Risk Score slider and the Compliance risk factor to customize the level of risk you want to trigger an alert, and set the other policy filters to meet your organization's security requirements.

    1. Optional: To get more meaningful detections, customize the amount of traffic that will trigger an alert.

    2. Check the Trigger a policy match if all the following occur on the same day checkbox.

    3. Select Daily traffic greater than 2000 GB (or other).

  4. Configure governance actions to be taken when an alert is triggered. Under Governance, select Tag app as unsanctioned.
    Access to the app will be automatically blocked when the policy is matched.

  5. Optional: Leverage Cloud App Security native integrations with Secure Web Gateways to block app access.
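The two App discovery policies above (New high volume / popular app, and New risky app with the same-day 2000 GB traffic condition) can be reasoned about as rules over daily discovery data. The following is an added illustration, not Cloud App Security code: it runs both rules over constructed sample records, applies the 90-day "new app" window from the note, and assumes user/traffic thresholds, a risk score convention of 1 (riskiest) to 10, and a slider value of 3.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records shaped like aggregated Cloud Discovery data (not real
# logs): (day, user, app, risk_score, traffic_gb). Risk score is assumed to follow
# the catalog convention of 1 (riskiest) to 10 (most enterprise-ready).
RECORDS = [
    (date(2020, 5, 15), "alice", "OldForgottenApp", 7, 1.0),   # 123 days before DAY
    (date(2020, 8, 20), "alice", "ApprovedDocs", 9, 10.0),     # 26 days before DAY
    (date(2020, 9, 15), "alice", "ApprovedDocs", 9, 150.0),
    (date(2020, 9, 15), "bob", "ApprovedDocs", 9, 120.0),
    (date(2020, 9, 15), "alice", "OldForgottenApp", 7, 1.0),
    (date(2020, 9, 15), "bob", "OldForgottenApp", 7, 1.0),
    (date(2020, 9, 15), "carol", "OldForgottenApp", 7, 1.0),
    (date(2020, 9, 15), "dave", "SketchyVault", 2, 2500.0),
]
DAY = date(2020, 9, 15)  # the day being evaluated

def is_new_on(records, app, day, lookback_days=90):
    """True when the app has no activity in the 90 days before `day`."""
    cutoff = day - timedelta(days=lookback_days)
    return not any(a == app and cutoff <= d < day for d, _u, a, _s, _g in records)

def daily_stats(records, day):
    """Per-app distinct users, summed traffic (GB) and risk score for one day."""
    stats = defaultdict(lambda: {"users": set(), "gb": 0.0, "score": 10})
    for d, user, app, score, gb in records:
        if d == day:
            stats[app]["users"].add(user)
            stats[app]["gb"] += gb
            stats[app]["score"] = score
    return stats

def new_high_volume_apps(records, day, min_users=3, min_gb=100.0):
    """'New high volume / popular app' template: one alert per new app that
    exceeds the user-count or traffic threshold (thresholds are assumptions)."""
    return sorted(app for app, s in daily_stats(records, day).items()
                  if is_new_on(records, app, day)
                  and (len(s["users"]) >= min_users or s["gb"] >= min_gb))

def new_risky_apps(records, day, max_risk_score=3, min_gb=2000.0):
    """'New risky app' template: new app whose risk score is at or below the
    slider value and whose same-day traffic exceeds 2000 GB."""
    return sorted(app for app, s in daily_stats(records, day).items()
                  if is_new_on(records, app, day)
                  and s["score"] <= max_risk_score and s["gb"] > min_gb)

def governance_actions(records, day):
    """Governance step from the page: tag each matched risky app as unsanctioned."""
    return {app: "Tag app as unsanctioned" for app in new_risky_apps(records, day)}
```

ApprovedDocs carries the most traffic on the evaluated day but is excluded because it was seen 26 days earlier, while OldForgottenApp counts as new again after 123 days of silence.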

Detect use of unsanctioned business apps

You can detect when your employees continue to use unsanctioned apps as a replacement for approved business-ready apps.

Prerequisites

Steps

  1. In the Cloud app catalog, search for your business-ready apps and mark them with a custom app tag.

  2. Follow the steps in Detect new high-volume or wide app use.

  3. Add an App tag filter and choose the app tags you created for your business-ready apps.

  4. Configure governance actions to be taken when an alert is triggered. Under Governance, select Tag app as unsanctioned.
    Access to the app will be automatically blocked when the policy is matched.

  5. Optional: Leverage Cloud App Security native integrations with Secure Web Gateways to block app access.

Detect unusual usage patterns on your network

Detect anomalous traffic use patterns (uploads/downloads) in your cloud apps that originate from users or IP addresses inside your organization's network.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports.

Steps

  1. On the Policies page, create a new Cloud Discovery anomaly detection policy.

  2. In the Policy template field, select Anomalous behavior in discovered users or Anomalous behavior in discovered IP addresses.

  3. Customize the filters to meet your organization's requirements.

  4. If you want to be alerted only when there are anomalies involving risky apps, use the Risk score filters and set the range in which apps are considered risky.

  5. Use the slider to Select anomaly detection sensitivity.

Note

After continuous log upload is established, the anomaly detection engine takes a few days (the learning period) until a baseline is established for the expected behavior in your organization. After a baseline is established, you start receiving alerts based on discrepancies from the expected traffic behavior across cloud apps made by users or from IP addresses.

Detect data exfiltration to unsanctioned storage apps

Detect potential data exfiltration by a user to an unsanctioned cloud storage app.

Prerequisites

Configure automatic log upload for continuous Cloud Discovery reports, as described in Configure automatic log upload for continuous reports.

Steps

  1. On the Policies page, edit the built-in policy Data exfiltration to unsanctioned apps.

  2. Select the filter App category equals Cloud storage.

  3. Select the checkbox to Create an alert for each matching event with the policy's severity.

  4. Configure the actions to take when an alert is triggered.

Detect risky OAuth apps

Get visibility and control over OAuth apps that are installed inside apps like G Suite, Office 365, and Salesforce. OAuth apps that request high permissions and have rare community use might be considered risky.

Prerequisites

You must have the G Suite, Office 365, or Salesforce app connected using app connectors.

Steps

  1. On the Policies page, create a new OAuth app policy.

  2. Select the filter App and set the app the policy should cover: G Suite, Office 365, or Salesforce.

  3. Select the Permission level filter equals High (available for G Suite and Office 365).

  4. Add the filter Community use equals Rare.

  5. Configure the actions to take when an alert is triggered. For example, for Office 365, check Revoke app for OAuth apps detected by the policy.

Note

Supported for G Suite, Office 365, and Salesforce app stores.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.