Securing and monitoring Office 365 using Office 365 Cloud App Security

Cloud App Security provides visibility into client connectivity and notifies you of any suspicious activity. Office 365 Cloud App Security is included in the Office 365 Enterprise E5 license, so if you are on an E5 license it is best to set it up and monitor it. You need to be a Global Administrator or Security Administrator to manage Cloud App Security, or have Security Reader rights for monitoring purposes.

You can get to the Office 365 Cloud App Security portal through the Office 365 Security & Compliance Center. Here's one good way to do it:
  1. Go to https://protection.office.com and sign in using your work or school account for Office 365. (This takes you to the Security & Compliance Center.)
  2. In the Security & Compliance Center, choose Alerts > Manage advanced alerts.
  3. If Office 365 Cloud App Security is not yet enabled, and you are a global administrator, turn on Office 365 Cloud App Security.
  4. Choose Go to Office 365 Cloud App Security.



Office 365 Cloud App Security has multiple predefined policies and several templates for activity monitoring.

These policies are designed to detect general anomalies, identify users logging in from a risky IP address, detect ransomware activities, detect administrator activities from non-corporate IP addresses, and more.

Below is an example from my testing, where it flagged suspicious activity from a Tor IP address. In the event I can see the source IP, the username and the application that was accessed, so I can quickly take appropriate action: probably reset the password, review access permissions and investigate the issue further.



So it is pretty useful for securing your Office 365 environment. There are many more sophisticated predefined policies in Office 365 Cloud App Security that will alert admins so they can take appropriate action; a few are highlighted below.
Apart from Office 365 itself, you can also integrate with your on-premises security information and event management (SIEM) server and generate reports.
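To show what two of the policies described above (a logon from a risky IP, admin activity from a non-corporate IP) boil down to once audit records reach a SIEM, here is an added example that is not part of the original post or the Cloud App Security product. The corporate and risky IP ranges, the set of admin operations, and the sample records (loosely modelled on Office 365 audit-log field names such as UserId, ClientIP, Operation and Workload) are all constructed assumptions for the example.

```python
import ipaddress
import json
# Constructed ranges for this example only (assumptions, not real corporate or Tor data).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
RISKY_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for an anonymizer/Tor exit list
ADMIN_OPERATIONS = {"Add member to role.", "Set-Mailbox", "New-InboxRule"}  # assumed admin ops

def parse_client_ip(value):
    """Audit-log ClientIP may carry a port ('a.b.c.d:port', '[v6]:port'); return an address or None."""
    if value.startswith("[") and "]" in value:
        value = value[1:value.index("]")]
    elif value.count(":") == 1:
        value = value.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:  # unparseable address: nothing to match against
        return None

def classify(record):
    """Return the alert names raised by one audit-log record (a dict)."""
    addr = parse_client_ip(record.get("ClientIP", ""))
    if addr is None:
        return []
    op, alerts = record.get("Operation"), []
    if op == "UserLoggedIn" and any(addr in net for net in RISKY_NETS):
        alerts.append("logon-from-risky-ip")
    if op in ADMIN_OPERATIONS and not any(addr in net for net in CORPORATE_NETS):
        alerts.append("admin-activity-from-non-corporate-ip")
    return alerts

def scan(lines):
    """Parse JSON-lines records; return (user, source IP, workload, alert) tuples for triage."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole scan
        for alert in classify(rec):
            ip = str(parse_client_ip(rec.get("ClientIP", "")))
            findings.append((rec.get("UserId"), ip, rec.get("Workload"), alert))
    return findings

# Constructed sample records, loosely modelled on Office 365 audit-log field names (an assumption).
SAMPLE_LOG = [
    '{"UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7:51234","Workload":"AzureActiveDirectory"}',
    '{"UserId":"bob@example.com","Operation":"Add member to role.","ClientIP":"192.0.2.10","Workload":"AzureActiveDirectory"}',
    '{"UserId":"carol@example.com","Operation":"Set-Mailbox","ClientIP":"203.0.113.5","Workload":"Exchange"}',
    'not json at all',
]
```

Running `scan(SAMPLE_LOG)` yields the same triage fields the portal alert shows (user, source IP, application), which is what you would forward to a SIEM dashboard or ticket.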

In the recent past there has been an increase in phishing attacks, and several breaches have been reported, so it is suggested that Office 365 admins utilize this tool and make it part of their daily monitoring routine.

For more information on Office 365 Cloud App Security, please go through the link below.
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-cas-overview
