Detect PCI/PII Data in 3rd Party SaaS Applications with MDA (formerly MDCA or MCAS)
Knowing where sensitive data is located in the cloud and ensuring its protection is fundamental to maintaining the integrity and confidentiality of the data, complying with regulations, and safeguarding the organization's interests. Depending where your organization is based, failure to do so can result in significant fines and legal repercussions (i.e., GDPR, CCPA).
In the "Modern Workplace", end-users are more frequently working from remote locations and while organizations are on the journey to the cloud, legacy on-prem infrastructure and applications are being decommissioned and replaced with cloud SaaS solutions to accommodate this shift.
Microsoft offers an arsenal of data security services to help you "Know your data, Protect your data and Prevent Data Loss" and they seamlessly integrate with other security services in the Microsoft ecosystem.
With the solutions and services available in Azure, Purview and Defender, a comprehensive, multilayered defense strategy can be employed to ensure your data is secure across the digital landscape so that your end-users remain productive.
In this article, I would like to demonstrate how an organization can connect their corporate SaaS applications (Dropbox in this example) to MDA and use File Policies to detect sensitive data. I will also review how one can review the activities in these apps and I will also demonstrate how to connect the app to MDA. At the end, I will highlight some gaps and why other data protection solutions should be implemented to ensure you're fully protected.
The purpose of this article is to demonstrate how 3rd Party SaaS applications can interact with MDA. By no means will this completely protect you against data loss and one should review the Information Protection and Data Loss Protection solutions offered in Microsoft Purview for a comprehensive data protection solution as well as other Microsoft security solutions.
Table of Contents
Connect MDA to 3rd Party SaaS Apps (Shadow IT)
MDA (Defender for Cloud Apps) allows you to connect 3rd party applications giving you greater visibility and control. Depending on the cloud provider, MDA leverages the APIs of the SaaS application providers to gain greater insights over the data that resides on these digital platforms and the activities performed. The communication between MDA and your SaaS applications are encrypted using HTTPS.
After setting up Cloud Discovery in MDA, you can analyze what applications are being used by employees and then create different types of policies that help Detect and Protect your data in these Shadows IT apps. In this article, I will connect Dropbox to demonstrate some of the capabilities but connecting Dropbox would help protect against the following threats:
I bolded Ransomware above because of recent videos I watched by Ryan Chapman (SANS FOR528 Course Instructor - one of my new favorite online tutors =D ), "Detecting & Hunting Ransomware Operator Tools: It Is Easier Than You Think!" and "The Truth about Ransomware: Its not Complicated!" In these videos, Ryan talks about how Threat Actors like to use popular, legitimate SaaS Applications to exfiltrate your data. This is called LOTS - or "Living off Trusted Sites". MDA will allow you to detect anomalous activities in your trusted SaaS applications and thus, detect Ransomware attacks early in the kill chain. MDA in conjunction with MDE will allow you to block ALL other LOTS that your organization does not use.
HIGHLY recommend Ryan Chapman's content as I feel understanding how a DFIR analyst thinks will help us become better Defenders.
Check out LOTS Project[.]com to see a list of LOTS sites, their domains, tags and provider. Thanks Ryan!!!
After connecting an App
After you connect an App, MDA will, via APIs:
Depending on the app to which you're connecting, API connection enables the following items:
For this article, I am going to demonstrate some of the capabilities by connecting a Corporate Dropbox instance to Defender for Cloud Apps. Each App Connector has dedicated MS Learn article illustrating which policies are applicable to said app and gives steps on how to connect the API Connectors. You can read this article specifically for Dropbox.
Connecting Dropbox to Defender for Cloud Apps
Let's connect Dropbox to our MDA instance.
Navigate to
When the app connector wizard fly-out appears, give your instance a name and select Next:
**You can connect multiple instances of an app (i.e., Dropbox-Prod and Dropbox-Dev, etc.)
Next, enter the admin credentials for the corporate Dropbox instance you're connecting:
Select "Connect Dropbox" link on the Follow the link page in the wizard:
You will then be navigated to an Dropbox OAuth authentication and authorization page. Enter your admin credentials for the corporate Dropbox:
Upon a successful authentication, you will be prompted for MFA and need to retrieve the 6 digit code sent to your email (email for the admin account for the corporate Dropbox instance):
After satisfying the MFA challenge requirements, I can now authorize Defender for Cloud Apps to have access to my corporate Dropbox Instance:
Back in the App Connector wizard in MDA, you will see "Great Dropbox is connected" and then select Done at bottom:
Reviewing Permissions for MDA on Dropbox side
With your admin credentials for your corporate Dropbox, log in and navigate to the Admin console. Navigate to Settings --> Apps --> Connected by admins:
I can now see the App which we just connected (Defender for Cloud apps) and I can also see the access type for my corporate Dropbox instance "Team member file access":
Create a File Policy to Detect PCI and PII Data
We are going to create a File Policy to detect files that contain PCI/PII data in Dropbox and then moves it to the trash in Dropbox.
DISCLAIMER*** This demo is too merely to demonstrate the capabilities MDA has with 3rd party SaaS apps and your data and what is possible with the right APIs from the Service Provider (Dropbox in this case). The following File Policy is not necessarily one you'd implement in a production environment.
The following MDA built-in policies and templates are available for Dropbox but in our demonstration here, we will leverage the File policy templates. See official documentation here:
The following governance actions are available for Dropbox:
As we can see, we will be able to Detect files with PII/PCI/PHI data and these data types can be tested in numerous file types. For our example, we will be testing sensitive data in a txt file.
Steps for Creating a File Policy
In Defender XDR, navigate to "Cloud Apps", click on Policies --> Policy templates. On the filters, select the Type dropdown and then select "File policy" so we can see what built-in templates are available for our use:
Recommended by LinkedIn
At the time of writing, there are 4 file policy templates available and by selecting the '+' sign, we can create a File policy and we can even modify it according to our requirements. For the sake of this demo to demonstrate some of the capabilities of MDA, we will create a File Policy from scratch.
Follow the aforementioned steps above but instead of going to Policy templates, let's go to Policy management --> Create Policy --> File policy
Give your policy a name. I've called mine "Dropbox Financial Data - File Policy - Detect PCI Data" and select a policy severity you'd like for your Alert trigger: I have set "low" for this demo:
Under the "Files matching all of the following" section, configure the filter so that "App" == "Dropbox"
Under the "Apply to" section, let's select the dropdown for "all files". For "Select user groups:" select "all file owners" from the dropdown and for the "Inspection method", let's select "Data Classification Service":
For the file criteria, I've configured it such that ANY one detection of "Canada Bank Account Number" or "Credit Card Numbers" with a match accuracy between 75% and 100%:
I have left "Inspect protected files" unchecked and "Unmask the last 4 characters of a match" checked off (see screenshot directly above).
Under the Alerts section of the policy, select the checkbox to "Create an alert for each matching file". I have also configured the alert to be sent to other internal and external mailboxes:
Under Governance Actions --> Dropbox, I have configured the "Trash" governance action, merely to demonstrate that via APIs, you can delete files in 3rd party SaaS applications:
I also configure a custom notification method to be sent to the user who triggers the policy:
Review File Policy Alerts in Defender XDR
Alex W has uploaded a .txt file to the corporate Dropbox account and the MDA File Policy we created has detected this and an Alert and Incident have been generated in Defender XDR:
See here the custom notification we configured in the File Policy that is sent to the file owner's email:
Reviewing the alert
Navigate to Defender XDR (security.microsoft.com) --> Investigation & response --> Incidents & alerts and you will see an alert named after the File policy we created:
The "Impacted asset" column will have the name of my Dropbox instance I connected.
Reviewing Policy Match Events in the alert
In the alert, we can see what matches were made with the policy and we can also see the governance actions carried out against the file. Recall in our policy, we "trashed" any matching files.
We can also see in this table the name of the file.
Review the Activity Log in MDA
Log into your Defender XDR (security.microsoft.com) and navigate to Cloud apps --> Activity Log and then Select Dropbox from the Apps filter:
I am now able to see all of the different activities happening within my Dropbox instance. Some of the activities are classified as "Administrative" and this can also be filtered on. I can even see the IP addresses from which the activity is coming from:
Review Files in 3rd Party SaaS Applications in MDA (Dropbox)
Navigate to Defender XDR --> Cloud apps --> Files:
In the filter bar, select the App "Dropbox":
We can now see all the files that were scanned and reside in the "Antons Dropbox" Dropbox instance and I can also see the file Owners:
** Notice that I can see other instances of Dropbox that I connected with different names to simulate different corporate Dropbox environments
With the available filters, I am also able to filter on file and folder Access Levels and I can also filter on File types. Another important filter is the ability to filter on files that match a particular File policy in my MDA environment:
And that's it for now on MDA and connecting 3rd party SaaS applications. I hope this was informative and thank you for reading!
Threat Hunter | Host & Network Forensics | Malware Analysis | SANS Author (FOR528) & Instructor | CactusCon Crew | PluralSight Author
7moVery happy to see this post!!