Tutorial / Cram Notes

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a robust security solution provided by Microsoft to help organizations gain visibility into their cloud apps and services, protect sensitive information across cloud applications, and ensure compliance with various data protection regulations. One of the key features of Defender for Cloud Apps is the ability to configure file policies, which can include the use of Data Loss Prevention (DLP) policies, to control and secure data across cloud environments.

Understanding File Policies in Microsoft Defender for Cloud Apps

File policies in Microsoft Defender for Cloud Apps enable you to monitor and control how files are accessed and shared within your cloud environment. These policies can trigger alerts, apply restrictions, or take remediation actions when files containing sensitive data are detected.

Integrating DLP Policies with File Policies

When DLP (Data Loss Prevention) policies are incorporated into file policies in Defender for Cloud Apps, you have an extended level of protection which includes identifying, monitoring, and automatically protecting sensitive information across various cloud applications.

Steps to Configure File Policies with DLP in Microsoft Defender for Cloud Apps:

  • Create a New File Policy

    • Navigate to the Defender for Cloud Apps portal.
    • Go to “Control” and select “Policies” from the menu.
    • Click on “Create policy” and choose “File policy.”
  • Name and Define the Policy

    • Give your policy a meaningful name that reflects its purpose.
    • Add a description that outlines the policy’s intent.
  • Set the Filters

    • Define the file properties that trigger the policy. This could include factors like file type, sharing level, or access level.
    • You can also apply filters based on content inspection such as keywords, data identifiers, or predefined sensitive information types found within the file contents.
  • Configure Inspection Settings

    • Select the DLP engine to inspect files as a part of the policy.
    • Choose the content inspection method and define inspection settings, matching conditions, and actions to be applied.
  • Set the Governance Actions

    • Define the actions that should be taken when a policy match is found. This could include:
      • Quarantining the file
      • Applying access restrictions
      • Notifying the administrator or user
  • Create Alerts and Notifications

    • Configure alerts to notify administrators when a policy match occurs.
    • Customize the notification messages that go out to users who own or last modified the matched file.
  • Review and Create the Policy

    • Review all settings and make sure the policy aligns with the organization’s DLP strategy.
    • Create the policy to start monitoring and protecting files based on the set criteria.

Examples of File Policies Using DLP in Defender for Cloud Apps

Here are two examples of how DLP policies can be used within file policies:

  • A policy that identifies and restricts sharing of files containing credit card information:
    • Filter: Document contains: Credit Card Number
    • Action: Make private, Alert admin, Notify user
  • A policy that targets files with health information shared externally:
    • Filter: Document contains: Health Information
    • Action: Apply a classification label, Remove external sharing, Alert admin
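The credit card policy above, sketched as an added example (not Microsoft's code or API, and not part of the original page) to show how a metadata filter, content inspection and governance actions combine, and why inspection should validate a match rather than rely on a digit pattern alone. The `CloudFile` and `FilePolicy` classes, the sharing-level names, the match threshold and the sample files are all assumptions made for this illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Content inspection step: pattern match, then checksum validation."""
    digits = (re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [d for d in digits if luhn_valid(d)]

@dataclass
class CloudFile:                # hypothetical file record, not a product schema
    name: str
    sharing: str                # "private" | "internal" | "external" | "public"
    content: str

@dataclass
class FilePolicy:               # hypothetical model: filter + inspection + actions
    name: str
    sharing_levels: set[str]    # metadata filter on the file's sharing level
    min_matches: int            # content-inspection threshold
    actions: list[str]          # governance actions

    def evaluate(self, f: CloudFile) -> list[str]:
        """Return the governance actions to apply, or [] if the file does not match."""
        if f.sharing not in self.sharing_levels:
            return []
        if len(find_card_numbers(f.content)) < self.min_matches:
            return []
        return list(self.actions)

POLICY = FilePolicy("Restrict shared card data", {"external", "public"}, 1,
                    ["Make private", "Alert admin", "Notify user"])

# Constructed sample files; 4111 1111 1111 1111 is a well-known test card number.
SAMPLES = [
    CloudFile("invoice.txt", "public", "Paid with 4111 1111 1111 1111"),
    CloudFile("orders.csv", "public", "Order ref 1234 5678 9012 3456"),
    CloudFile("receipt.txt", "private", "Card: 4111-1111-1111-1111"),
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f.name, "->", POLICY.evaluate(f) or "no match")
```

Only `invoice.txt` triggers the actions: `orders.csv` contains a 16-digit run that fails the checksum, and `receipt.txt` holds a valid number but is not shared, so the sharing filter excludes it.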

Comparison Table: DLP Actions for File Policies

| DLP Action | Description | Use Case |
|---|---|---|
| Quarantine File | Move the file to a secure location where it cannot be accessed | Content contains highly sensitive data |
| Apply Classification Label | Label the file automatically based on the content found | Automate data governance based on content |
| Remove Sharing | Stop external sharing and access | Prevent accidental data leaks |
| Notify User | Send a notification to the user involved with the file | Educate users on compliance standards |
| Alert Admin | Notify administrators of the policy match | Ensure oversight and compliance follow-up |

By configuring file policies with DLP in Microsoft Defender for Cloud Apps, organizations can create a comprehensive strategy for protecting sensitive data across cloud applications and maintaining regulatory compliance. This is particularly important for Microsoft Information Protection Administrators preparing for the SC-400 exam.

Practice Test with Explanation

True or False: Microsoft Defender for Cloud Apps requires additional licenses beyond the basic Microsoft 365 subscription to configure file policies for DLP.

Answer: True

Explanation: Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that is not included in all Microsoft 365 subscriptions and may require additional licensing.

True or False: When setting up a file policy in Microsoft Defender for Cloud Apps, you can apply the policy to all file types.

Answer: True

Explanation: In Microsoft Defender for Cloud Apps, you can create a policy that applies to all file types, or you can choose to apply the policy to specific types of files based on your requirements.

True or False: File policies in Microsoft Defender for Cloud Apps can only be applied to files stored in Microsoft services such as OneDrive and SharePoint.

Answer: False

Explanation: Microsoft Defender for Cloud Apps can monitor and control files across various cloud services, not just Microsoft services. It supports multiple third-party cloud services like Google Drive, Dropbox, and Box.

Multiple Select: Which of the following are supported actions you can take when a file matches a DLP policy in Microsoft Defender for Cloud Apps? (Select all that apply)

  • A) Quarantine the file
  • B) Notify the user via email
  • C) Delete the file automatically
  • D) Apply classification labels

Answer: A, B, D

Explanation: When a file matches a DLP policy in Microsoft Defender for Cloud Apps, you can quarantine the file, notify the user via email, or apply classification labels. Automatic deletion is not a recommended or typically supported action due to the risks of data loss.

Which one of the following is NOT a trigger that can be used to define a file policy in Microsoft Defender for Cloud Apps?

  • A) File shared with a new domain
  • B) File containing malware
  • C) File with a specific keyword
  • D) File has not been accessed in the last 30 days

Answer: D

Explanation: While Microsoft Defender for Cloud Apps can create policies based on sharing actions and content inspection (like malware detection or keyword matching), it does not trigger policies based solely on file access frequency.

True or False: You can integrate Microsoft Defender for Cloud Apps with third-party DLP solutions for enhanced data protection.

Answer: True

Explanation: Microsoft Defender for Cloud Apps allows integration with third-party DLP solutions through its API, extending its capabilities and providing enhanced data protection across multiple platforms.

Which one of the following is NOT a requirement for creating DLP policies in Microsoft Defender for Cloud Apps?

  • A) Administrator privileges
  • B) A list of high-risk users
  • C) A set of content inspection rules
  • D) An action to take when a match is found

Answer: B

Explanation: While it is useful to identify high-risk users, having a list of high-risk users is not a requirement for creating DLP policies in Microsoft Defender for Cloud Apps. DLP policies focus on content and activity, not specific users.

True or False: In Microsoft Defender for Cloud Apps, you can enforce DLP policies in real-time as users interact with cloud services.

Answer: True

Explanation: Microsoft Defender for Cloud Apps allows for real-time monitoring and enforcement of DLP policies as users interact with cloud services to prevent data leaks and enforce compliance.

Which one of the following is a possible outcome when a file matches the criteria outlined in a DLP policy in Microsoft Defender for Cloud Apps?

  • A) The file is encrypted automatically.
  • B) The file is promoted in search rankings.
  • C) The file is backed up to a secure location.
  • D) The file owner receives an access request.

Answer: A

Explanation: One of the possible outcomes when a file matches a DLP policy is that the file can be automatically encrypted to protect its contents from unauthorized access.

True or False: Policies created in Microsoft Defender for Cloud Apps can leverage Microsoft Information Protection labels as conditions for policy enforcement.

Answer: True

Explanation: Microsoft Defender for Cloud Apps can leverage Microsoft Information Protection (MIP) labels as conditions for DLP policy enforcement, allowing organizations to incorporate their classification and labeling schemes into their DLP strategies.

True or False: When configuring file policies in Microsoft Defender for Cloud Apps, it’s mandatory to include both users and groups as part of the criteria.

Answer: False

Explanation: While you can include users and groups as part of the criteria for a file policy, it is not mandatory to include them. Policies can be based on content type, activity, or other factors.

Multiple Select: Which of the following actions can be automated when a DLP policy violation is detected in Microsoft Defender for Cloud Apps? (Select all that apply)

  • A) Send an alert to the Security Operations team
  • B) Update the risk score of a user or entity
  • C) Remove public sharing links from the file
  • D) Trigger a compliance audit for the user

Answer: A, C

Explanation: Microsoft Defender for Cloud Apps can automate several actions when a DLP policy violation is detected, including sending an alert to the Security Operations team and removing public sharing links from the file. Updating the risk score of a user or entity and triggering a compliance audit for the user are not direct actions taken by file policies in Microsoft Defender for Cloud Apps.

21 Comments
Toby Smith
6 months ago

Can anyone explain how to configure file policies in Microsoft Defender for Cloud Apps to use DLP policies?

Ljiljana Stepanović

Do I need to have any special permissions to configure these file policies?

Michaela Bonnet
4 months ago

Is it possible to apply DLP policies to files stored in third-party cloud apps?

Ceyhan Limoncuoğlu
1 year ago

Great blog post, thanks!

Evelyn Gutierrez
1 year ago

I tried configuring a file policy but it’s not picking up sensitive data as expected. Any ideas?

Richard Payne
1 year ago

How do I configure alerts for policy violations?

Arlene Turner
1 year ago

What’s the best practice for handling false positives in DLP policies?

Julie Boyd
1 year ago

The blog post was a great help, appreciate it!
