
πŸ“ Microsoft Defender For Cloud Integration With Microsoft Defender For Cloud Apps is not enabled 🟒

  • Contextual name: 📁 Integration With Microsoft Defender For Cloud Apps is not enabled 🟢
  • ID: /ce/ca/azure/subscription/integration-with-microsoft-defender-for-cloud-apps
  • Located in: 📁 Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule    Policies    Flags
✉️ dec-x-8a1ecfd01

Logic

Description


This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.

Rationale

Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which are considered the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of these analytics are powered by Microsoft Defender for Cloud Apps. To benefit from them, the subscription must have a Cloud App Security license.

Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.

Impact

Microsoft Defender for Cloud Apps works only with subscriptions on the Standard pricing tier. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.

Audit

From Azure Portal
  1. From Azure Home select the Portal Menu.

... see more

Remediation


From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Select the subscription.
  5. Select Integrations.
  6. Check Allow Microsoft Defender for Cloud Apps to access my data.
  7. Select Save.

From Azure CLI

Use the command below to enable Allow Microsoft Defender for Cloud Apps to access my data (the subscription and access token returned by az account get-access-token are passed to the inner shell as $0 and $1):

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscription_ID>/providers/Microsoft.Security/settings/MCAS?api-version=2021-06-01 -d@"input.json"'

where input.json contains the request body JSON shown below:

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/MCAS",
  "kind": "DataExportSetting",
  "type": "Microsoft.Security/settings",
  "properties": {

... [see more](remediation.md)
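The following is an added example, not Cloudaware's, CIS's or Microsoft's code. It turns the audit and remediation steps above into a small script: it reads the MCAS setting of a subscription through the same Resource Manager endpoint and api-version used in the curl command, decides whether the integration is enabled, and builds the PUT body in the shape shown on the page. Assumptions: the truncated "properties" object carries a boolean "enabled" flag (the page cuts off before it), the setting is fetched and written with the Azure CLI's az rest command rather than curl, and the fetch function is injectable so the compliance logic can be exercised offline against constructed responses.

```python
# Added example (not the page's own code): audit and remediate the Defender for
# Cloud -> Defender for Cloud Apps (MCAS) integration setting of a subscription.
import json
import subprocess
from typing import Callable, Optional

API_VERSION = "2021-06-01"  # api-version used by the page's remediation command


def mcas_settings_url(subscription_id: str) -> str:
    """Resource Manager URL of the MCAS setting for one subscription."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Security/settings/MCAS?api-version={API_VERSION}"
    )


def mcas_integration_enabled(setting: Optional[dict]) -> bool:
    """True only when the setting exists and properties.enabled is boolean true.

    ASSUMPTION: 'enabled' is the flag inside the 'properties' object that the
    page truncates. A string "true" or a missing key counts as not enabled, so
    an unexpected response never reads as compliant.
    """
    if not setting:
        return False
    props = setting.get("properties") or {}
    return props.get("enabled") is True


def remediation_body(subscription_id: str) -> dict:
    """PUT body in the shape shown on the page, with the integration switched on."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/settings/MCAS",
        "kind": "DataExportSetting",
        "type": "Microsoft.Security/settings",
        "properties": {"enabled": True},  # ASSUMPTION: see mcas_integration_enabled
    }


def az_rest_get(url: str) -> dict:
    """Fetch the setting with the logged-in Azure CLI identity (real network call)."""
    out = subprocess.run(
        ["az", "rest", "--method", "get", "--url", url],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def audit(subscription_id: str, fetch: Callable[[str], dict] = az_rest_get) -> dict:
    """Evaluate one subscription and return a finding-style result."""
    setting = fetch(mcas_settings_url(subscription_id))
    enabled = mcas_integration_enabled(setting)
    return {
        "subscription": subscription_id,
        "compliant": enabled,
        "finding": None if enabled
        else "Integration With Microsoft Defender For Cloud Apps is not enabled",
    }


def remediate(subscription_id: str) -> None:
    """Write the enabling body with az rest (real network call)."""
    subprocess.run(
        ["az", "rest", "--method", "put", "--url", mcas_settings_url(subscription_id),
         "--headers", "Content-Type=application/json",
         "--body", json.dumps(remediation_body(subscription_id))],
        check=True,
    )


# Constructed sample responses (not captured from a real tenant).
SAMPLE_ENABLED = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000001/providers/Microsoft.Security/settings/MCAS",
    "name": "MCAS",
    "type": "Microsoft.Security/settings",
    "kind": "DataExportSetting",
    "properties": {"enabled": True},
}
SAMPLE_DISABLED = dict(SAMPLE_ENABLED, properties={"enabled": False})


if __name__ == "__main__":
    import sys
    sub = sys.argv[1] if len(sys.argv) > 1 else "<Your_Subscription_Id>"
    result = audit(sub)
    print(json.dumps(result, indent=2))
    if not result["compliant"] and "--fix" in sys.argv:
        remediate(sub)
```

Run it as python audit_mcas.py <subscription_id> to report, and add --fix to apply the same PUT the page's curl command performs; the offline functions can be reused in a scanner that feeds captured settings instead of calling az.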

policy.yaml

Linked Framework Sections

Section    Sub Sections    Internal Rules    Policies    Flags
💼 APRA CPG 234 → 💼 16a vulnerability and threat management; 1111
💼 APRA CPG 234 → 💼 16e security testing, including penetration testing; 1010
💼 APRA CPG 234 → 💼 16f information security reporting and analytics; 911
💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner; 1111
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security; 911
💼 APRA CPG 234 → 💼 36k response controls — to manage information security incidents and feedback mechanisms to address control deficiencies; 1010
💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures; 1111
💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access 1111
💼 APRA CPG 234 → 💼 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions); 1010
💼 APRA CPG 234 → 💼 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term ‘potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred. 1010
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; 1821
💼 APRA CPG 234 → 💼 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity); 1010
💼 APRA CPG 234 → 💼 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices. 1010
💼 APRA CPG 234 → 💼 73a detection of an information security event through the use of automated sensors and manual review; 1010
💼 APRA CPG 234 → 💼 73b identification and analysis to determine if it is an incident or an event; 1010
💼 APRA CPG 234 → 💼 73d containment to minimise the damage caused, and reduce the possibility of further damage; 1010
💼 APRA CPG 234 → 💼 73e eradication which involves the removal of the source of the information security compromise (typically malware); 1010
💼 CIS Azure v1.3.0 → 💼 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected - Level 2 (Manual) 11
💼 CIS Azure v1.4.0 → 💼 2.10 Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) 11
💼 CIS Azure v2.0.0 → 💼 2.1.21 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) 11
💼 CIS Azure v2.1.0 → 💼 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) 11
💼 CIS Azure v3.0.0 → 💼 3.1.1.2 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected (Automated) 1
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration 26
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 62126
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 23
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 226
💼 ISO/IEC 27001:2013 → 💼 A.16.1.2 Reporting information security events 910
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated 3033
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria 2023
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans 1617
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools 33
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging 23
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents 30
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders 17
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification 1820