Block web applications in Microsoft Cloud App Security
Lukas Beran
In addition to discovery, Microsoft Cloud App Security can actively intervene in traffic. Through the integration of Microsoft Cloud App Security (MCAS) and Microsoft Defender Advanced Threat Protection, it is possible to block access to certain URLs or IP addresses.
The list of blocked addresses can be defined directly in Defender ATP Security Center through Indicators. More interesting is blocking through Microsoft Cloud App Security. MCAS policies simply block applications directly from a catalog of more than 16,000 known applications.
Cloud App Security and Defender ATP integration
For Defender ATP blocking from Cloud App Security to work, you need to integrate Cloud App Security and Defender ATP. One part of the integration is enabled in Defender ATP Security Center under Settings – Advanced Features – Microsoft Cloud App Security. The second part is enabled in Cloud App Security under Settings – Microsoft Defender ATP – Block unsanctioned apps.
Blocking apps in Cloud App Security
In the Cloud App Security portal, we can find the application we want to block in the application catalog. There are currently over 16,000 applications in this catalog and more are coming. When we find the desired application, we can mark it as sanctioned or unsanctioned using the buttons on the right side. Unsanctioned applications are automatically blocked on end devices in Defender ATP.
On end devices with Defender ATP, when accessing a blocked address, Defender SmartScreen will display a warning that the address is blocked by the organization’s policy.
Automatically block apps in Cloud App Security
In addition to the manual blocking of applications described in the previous section, automatic blocking is even more interesting. In Cloud App Security, you can create a rule that automatically blocks all applications that match a condition.
In the Cloud App Security portal we can create a new policy through Control – Policies – Create Policy – App discovery policy.
We give the new policy a name and a description of what it does. Then we set the conditions for blocking – which applications we want to block. For example, we can block all applications with a risk score of 3 or lower. Alternatively, we can block all apps from a category, such as social networks. Or we can block applications that fail specific attributes in the risk score report, such as applications that lack a particular certification, are not GDPR-ready, or do not use a trusted certificate to secure communication.
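To make the two blocking paths concrete (an app discovery policy with the conditions just described, and the domain indicators that Defender ATP ultimately enforces), here is an added example that is not the author's code and not MCAS's own policy engine. The catalog excerpt is constructed, the field names (risk_score, gdpr_ready, trusted_certificate) are assumptions modelled on the risk score report attributes named above, and the indicator payload targets the real Defender ATP indicators endpoint (https://api.securitycenter.microsoft.com/api/indicators); the bearer token, an app registration with the Ti.ReadWrite permission, and the choice of the AlertAndBlock action are assumptions. In the integration the page describes, MCAS pushes these indicators for you; the script only shows what that evaluation and payload look like.

```python
"""Added example: evaluate app-discovery style conditions over a constructed
catalog sample and build Defender ATP indicator payloads for the matches.
Illustrative code only, not MCAS's policy engine or MCAS's own API."""
import json
import urllib.request

# Constructed catalog excerpt (not MCAS data); attributes are assumptions
# modelled on the risk score report fields named in the text.
CATALOG = [
    {"name": "CorpFileShare", "domain": "files.example-corp.test", "risk_score": 8,
     "category": "Cloud storage", "gdpr_ready": True, "trusted_certificate": True},
    {"name": "ChatterNet", "domain": "chatter.example.test", "risk_score": 6,
     "category": "Social network", "gdpr_ready": True, "trusted_certificate": True},
    {"name": "QuickPaste", "domain": "paste.example.test", "risk_score": 2,
     "category": "Productivity", "gdpr_ready": False, "trusted_certificate": False},
    {"name": "SurveyBox", "domain": "survey.example.test", "risk_score": 5,
     "category": "Productivity", "gdpr_ready": False, "trusted_certificate": True},
]

# Policy conditions from the text: risk score <= 3, a blocked category,
# or a failed compliance attribute (not GDPR-ready, no trusted certificate).
POLICY = {
    "max_risk_score": 3,
    "blocked_categories": {"Social network"},
    "required_attributes": ["gdpr_ready", "trusted_certificate"],
}


def matches_policy(app, policy):
    """Return the condition names the app violates (empty list = keep sanctioned)."""
    reasons = []
    if app["risk_score"] <= policy["max_risk_score"]:
        reasons.append("risk_score<=%d" % policy["max_risk_score"])
    if app["category"] in policy["blocked_categories"]:
        reasons.append("category:" + app["category"])
    for attr in policy["required_attributes"]:
        if not app.get(attr, False):
            reasons.append("missing:" + attr)
    return reasons


def select_unsanctioned(catalog, policy):
    """(name, reasons) for every app that hits at least one condition, sorted by name."""
    hits = [(app, matches_policy(app, policy)) for app in catalog]
    return sorted(((a["name"], r) for a, r in hits if r), key=lambda t: t[0])


def indicator_payload(app, reasons):
    """Body for POST https://api.securitycenter.microsoft.com/api/indicators
    (real Defender ATP endpoint; title/description/action values are constructed)."""
    return {
        "indicatorValue": app["domain"],
        "indicatorType": "DomainName",
        "action": "AlertAndBlock",
        "title": "MCAS unsanctioned: %s" % app["name"],
        "description": "Blocked by app discovery policy: " + ", ".join(reasons),
        "severity": "Informational",
    }


def post_indicator(token, payload):
    """Submit one indicator. `token` is an OAuth2 bearer token for the Defender
    ATP API from an app registration with Ti.ReadWrite (assumed to exist)."""
    req = urllib.request.Request(
        "https://api.securitycenter.microsoft.com/api/indicators",
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    by_name = {a["name"]: a for a in CATALOG}
    for name, reasons in select_unsanctioned(CATALOG, POLICY):
        # Print instead of posting so the example runs offline without a token.
        print(json.dumps(indicator_payload(by_name[name], reasons), indent=2))
```

Running the script lists ChatterNet (category), QuickPaste (low risk score and two failed attributes) and SurveyBox (not GDPR-ready) with one DomainName indicator each; CorpFileShare passes every condition and stays sanctioned. The reasons list is worth keeping in the indicator description, because when SmartScreen later warns a user, the analyst investigating the block can see which policy condition triggered it.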
Integrating Defender ATP with Cloud App Security is very powerful. It makes it possible to block IP addresses and domain names directly on end devices, which both raises the security of corporate devices and helps to meet certain legislative requirements. And because the blocking takes place directly on the end device, it remains active outside the corporate network, so there is no need for additional firewalls, proxies, DNS-level blockers, etc.