
Protect Slack using Microsoft Cloud App Security

Following popular demand, we are happy to publish our Slack app connector for Microsoft Cloud App Security!

Why connect Slack?

Slack is a widely used communication and collaboration app, and like other applications it can host critical data and be compromised by malicious users. As one of the main means of communication and data exchange within a company, Slack is a natural target for malicious actors: it could be used to access corporate data, to impersonate users, to conduct phishing attacks, and so on. MCAS can therefore be used to protect Slack in the following ways:

- The built-in threat detection policies in Microsoft Cloud App Security apply to Slack as soon as you have connected it. No additional configuration is necessary: by simply connecting you will start seeing new alerts when applicable.
- Custom policies can alert you when users perform activities that may cause data leakage, such as creating shared links, adding new users to channels, or files being downloaded by anonymous users.
- Custom policies allow you to detect when critical security settings are modified, such as allowing public share links to be created, or changing which users are allowed to manage a channel.
- MCAS can detect when new users are granted administrative rights to Slack. This can be used to detect attempts by attackers to become Owner of the environment.

First things first, you need to connect Slack to MCAS. Review the video below for detailed steps on how to connect Slack to MCAS. Two prerequisites apply:

- Cloud App Security doesn't support non-enterprise Slack licenses.
- For the Slack connector to function properly, the Discovery APIs need to be enabled on Slack. For that, you will need to contact Slack customer service.

As soon as you connect MCAS and Slack, the built-in policies below will start applying and will trigger should any of these risky events occur:

- Activity from anonymous IP addresses: This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address and may be used for malicious intent.
- Activity from infrequent country: This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently visited, or was never visited, by the user or by any user in the organization. Detecting anomalous locations requires an initial learning period of 7 days, during which the policy does not alert on any new locations.
- Activity from suspicious IP addresses: This policy profiles your environment and triggers alerts when activity is detected from an IP address that has been identified as risky by Microsoft Threat Intelligence. These IPs are involved in malicious activities, such as botnet C&C, and activity from them may indicate a compromised account.
- Impossible travel: This policy profiles your environment and triggers alerts when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials. Detecting this anomalous behavior requires an initial learning period of 7 days, during which the policy learns a new user's activity pattern.
- Activity performed by terminated user (requires Azure Active Directory as IdP): This policy profiles your environment and alerts when a terminated user performs an activity in a sanctioned corporate application. This may indicate malicious activity by a terminated employee who still has access to corporate resources.
- Multiple failed login attempts: This policy profiles your environment and triggers alerts when users perform multiple failed login activities in a single session with respect to the learned baseline, which could indicate an attempted breach.
- Unusual administrative activities: This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session with respect to the learned baseline, which could indicate an attempted breach.
- Unusual impersonated activities: This policy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session with respect to the learned baseline, which could indicate an attempted breach.

Best practices and recommended custom policies

As you know, the sky is the limit when it comes to configuring custom policies in MCAS. We know this can make it challenging to identify standard policies that help most customers. Therefore, below you will find the top 3 use cases that we recommend most customers set up in the area of data exfiltration.
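To make the detection logic behind the built-in policies and the custom-policy ideas above concrete, here is an added example (not code from the original post, and not how MCAS is implemented): a small rule engine that replays constructed Slack-style audit events and raises the alert types discussed, i.e. activity from an anonymous proxy IP, activity by a terminated user, repeated failed logins in one session, impossible travel, an admin-role grant, and creation of a public share link. The event schema, the proxy-IP set, the terminated-user set, the speed threshold and the sample events are all assumptions made for this example; MCAS learns its baselines over a 7-day period, which this toy replaces with fixed thresholds.

```python
# Added example, not code from the original post or from Microsoft Cloud App Security.
# Toy rule engine over constructed Slack-style audit events. The event fields, the
# anonymous-proxy IP set, the terminated-user set and the thresholds below are
# assumptions for this example; MCAS uses learned 7-day baselines instead.
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

ANONYMOUS_PROXY_IPS = {"203.0.113.9"}     # stand-in for a threat-intel anonymous-proxy list
TERMINATED_USERS = {"bob@example.com"}    # stand-in for the Azure AD "user disabled" signal
FAILED_LOGIN_THRESHOLD = 3                # failed logins in one session before alerting
MAX_PLAUSIBLE_SPEED_KMH = 900.0           # roughly airliner speed
MIN_TRAVEL_DISTANCE_KM = 50.0             # ignore geolocation jitter within one city


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def analyze(events):
    """Replay events in time order; return a (rule, user, detail) tuple per hit."""
    alerts = []
    last_seen = {}              # user -> (timestamp, (lat, lon), city) of previous event
    failed = defaultdict(int)   # (user, session) -> failed-login count so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        # Built-in-style detections (anonymous IP, terminated user, failed logins, travel)
        if ev["ip"] in ANONYMOUS_PROXY_IPS:
            alerts.append(("Activity from anonymous IP addresses", user, ev["ip"]))
        if user in TERMINATED_USERS:
            alerts.append(("Activity performed by terminated user", user, ev["action"]))
        if ev["action"] == "user_login_failed":
            key = (user, ev["session"])
            failed[key] += 1
            if failed[key] == FAILED_LOGIN_THRESHOLD:   # fire once per session
                alerts.append(("Multiple failed login attempts", user, ev["session"]))
        if user in last_seen:
            prev_ts, prev_loc, prev_city = last_seen[user]
            km = haversine_km(prev_loc, ev["loc"])
            hours = (ts - prev_ts).total_seconds() / 3600.0
            # Farther than could be travelled in the elapsed time (zero elapsed time counts)
            if km > MIN_TRAVEL_DISTANCE_KM and km > MAX_PLAUSIBLE_SPEED_KMH * hours:
                alerts.append(("Impossible travel", user,
                               f"{prev_city} -> {ev['city']} in {hours:.1f}h"))
        last_seen[user] = (ts, ev["loc"], ev["city"])
        # Custom-policy-style detections on specific Slack actions
        if ev["action"] == "role_change_to_admin":
            alerts.append(("Admin rights granted", user, ev.get("target")))
        if ev["action"] == "public_link_created":
            alerts.append(("Public share link created", user, ev.get("target")))
    return alerts


def make_ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed Slack-style audit events for the example (not real data).
SAMPLE_EVENTS = [
    {"ts": make_ts("2021-03-01T09:00:00"), "user": "alice@example.com", "ip": "198.51.100.4",
     "loc": (47.61, -122.33), "city": "Seattle", "session": "s1", "action": "user_login"},
    {"ts": make_ts("2021-03-01T10:30:00"), "user": "alice@example.com", "ip": "198.51.100.77",
     "loc": (48.86, 2.35), "city": "Paris", "session": "s2", "action": "user_login"},
    {"ts": make_ts("2021-03-01T11:00:00"), "user": "carol@example.com", "ip": "198.51.100.8",
     "loc": (51.51, -0.13), "city": "London", "session": "s3", "action": "user_login_failed"},
    {"ts": make_ts("2021-03-01T11:00:20"), "user": "carol@example.com", "ip": "198.51.100.8",
     "loc": (51.51, -0.13), "city": "London", "session": "s3", "action": "user_login_failed"},
    {"ts": make_ts("2021-03-01T11:00:40"), "user": "carol@example.com", "ip": "198.51.100.8",
     "loc": (51.51, -0.13), "city": "London", "session": "s3", "action": "user_login_failed"},
    {"ts": make_ts("2021-03-01T12:00:00"), "user": "frank@example.com", "ip": "203.0.113.9",
     "loc": (52.52, 13.41), "city": "Berlin", "session": "s4", "action": "file_downloaded"},
    {"ts": make_ts("2021-03-01T13:00:00"), "user": "bob@example.com", "ip": "198.51.100.21",
     "loc": (47.61, -122.33), "city": "Seattle", "session": "s5", "action": "file_downloaded"},
    {"ts": make_ts("2021-03-01T14:00:00"), "user": "dave@example.com", "ip": "198.51.100.30",
     "loc": (47.61, -122.33), "city": "Seattle", "session": "s6",
     "action": "role_change_to_admin", "target": "eve@example.com"},
    {"ts": make_ts("2021-03-01T15:00:00"), "user": "eve@example.com", "ip": "198.51.100.31",
     "loc": (47.61, -122.33), "city": "Seattle", "session": "s7",
     "action": "public_link_created", "target": "F123"},
]

if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:40} {user:20} {detail}")
```

Running the script prints six alerts: Alice's Seattle-to-Paris login 1.5 hours apart trips the impossible-travel rule, Carol's third failed login in session s3 fires once, Frank's download comes from the listed proxy IP, Bob is in the terminated-user set, and Dave's admin grant and Eve's public link match the custom-policy rules. The session-scoped counter and the per-user "last seen" state are the two pieces of state a real detection needs to keep; everything else is a stateless match on the event.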
