Microsoft Defender for Cloud Apps, previously known as Microsoft Cloud App Security, is a cloud access security broker (CASB) that brings visibility, control, and threat protection to SaaS applications such as Office 365, Google Workspace, Slack, and AWS. It lets organizations discover the cloud apps in use, detect anomalous behavior, and apply policy controls to protect data stored in and shared through those apps.
DLP (Data Loss Prevention) policies in Microsoft 365 detect sensitive information types such as financial data, personal identifiers, and health records in locations including email, SharePoint, OneDrive, and connected third-party cloud apps. A DLP policy can notify users about a violation with a policy tip, restrict sharing of the sensitive content, or simply report matches so that you can monitor how sensitive information moves through cloud apps.
Configuration Steps
To utilize DLP policies in Microsoft Defender for Cloud Apps, follow the steps below:
- Connect the apps: In the Defender for Cloud Apps portal, go to Settings > Connected Apps and confirm that the Office 365 app connector (and any other app you want to inspect) is connected. File policies can only evaluate files in apps that are connected through an API connector.
- Create a File Policy: Go to Control > Policies and click Create Policy > File Policy. Give the policy a name and a description.
- Configure ‘Policy Settings’: In the section ‘Choose the information you want to protect’, select ‘DLP Policy Matches’. This lets the file policy reuse the DLP policies you have already defined in Microsoft 365 instead of re-creating the sensitive information type logic here.
- Configure ‘Control Settings’: Define what happens when a file matches. Options range from raising an alert or sending an email notification to governance actions on the file itself, such as quarantining it, marking it as a violation, or removing a shared link.
- Configure ‘Inspection Settings’: Under ‘Review the following content’, select ‘All files’, then under ‘In these apps’ choose the connected applications the policy should cover.
- Click ‘Create’: Save the policy so that it starts evaluating files in the selected cloud apps.
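The steps above assume a Microsoft 365 DLP policy already exists for the file policy to match against. The following is an added example, not code from the original page or from Microsoft's documentation, showing how that underlying DLP policy can be created with Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the account holds a compliance administrator role, and that the policy name `Contoso-CloudApps-PCI` is a placeholder for your own naming convention.

```powershell
# Added example: create the Microsoft 365 DLP policy that a Defender for Cloud Apps
# file policy will match on. Policy and rule names are assumed placeholders.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

$policyName = 'Contoso-CloudApps-PCI'

# Create the policy in test mode first: matches are recorded, but nothing is
# blocked and no policy tips are shown, so you can review the hit rate safely.
# -ThirdPartyAppDlpLocation extends the policy to non-Microsoft apps that are
# connected to Defender for Cloud Apps.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers in SharePoint, OneDrive and connected cloud apps' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ThirdPartyAppDlpLocation All `
    -Mode TestWithoutNotifications

# The rule carries the detection logic: one or more credit card numbers
# (a built-in sensitive information type with checksum validation), reported
# at high severity and, once enforced, access to the file is restricted.
New-DlpComplianceRule -Policy $policyName -Name "$policyName-CreditCard" `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -ReportSeverityLevel High `
    -BlockAccess $true -BlockAccessScope All

# After reviewing matches in the Defender for Cloud Apps file policy, switch
# the policy from test mode to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in test mode until the matches surfaced by the file policy look right; switching to `Enable` turns on the block action for SharePoint and OneDrive. For non-Microsoft apps, enforcement on the file (quarantine, removing a shared link) is applied by the Defender for Cloud Apps file policy's own governance actions rather than by the DLP rule's block action.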
Monitoring DLP Policies
Once the policies are in place, you can monitor them through the Cloud App Security portal: open the policy under Control > Policies to see the files that matched it, the action that was taken on each, and any alerts the policy raised.
Conclusion
Combining Microsoft Defender for Cloud Apps with DLP policies lets organizations manage and secure sensitive information across cloud applications from one set of detection rules. This guide covers the steps needed to configure a file policy; for the SC-400 exam and for real-world deployments, explore the remaining capabilities of both tools and tune them to your organization's needs.
Remember the scope of this integration: the file policy matches against the results of your Microsoft 365 DLP policies and can apply its own governance actions to the matching file (alert, quarantine, remove a shared link), but it does not enforce the Microsoft 365 DLP policy itself and it cannot block a user activity as it happens, because API-based scanning runs after the file has been uploaded or changed. Blocking activities in real time, such as a download from an unmanaged device, requires session policies through Conditional Access App Control. Also, the Office 365 app connector must be connected and auditing must be enabled in Microsoft 365, since Defender for Cloud Apps relies on the Office 365 audit log to see DLP policy matches in SharePoint and OneDrive.
Practice Test
True or False: Microsoft Defender for Cloud Apps supports data loss prevention (DLP).
- True
- False
Answer: True.
Explanation: Defender for Cloud Apps does support data loss prevention, both through its own file policies and by reusing Microsoft 365 DLP policies, helping to identify, monitor, and protect sensitive information.
Which of the following are valid steps when configuring a DLP policy in Microsoft Defender for Cloud Apps? (multi-select)
- a) Selecting a template
- b) Defining policy settings
- c) Setting up Slack
- d) Reviewing and creating the policy
Answer: a, b, d
Explanation: When configuring a DLP policy, you need to select a template, define policy settings, and review and create the policy. Setting up Slack is not part of this process.
True or False: A DLP policy in Microsoft Defender for Cloud Apps cannot be customized.
- True
- False
Answer: False
Explanation: DLP policies can indeed be customized to suit the specific needs of the organization.
What does DLP in Microsoft Defender stand for?
- a) Data Prevention Loss
- b) Data Loss Prevention
- c) Data Logged Protocol
- d) Data Loved Plan
Answer: b) Data Loss Prevention
Explanation: DLP stands for Data Loss Prevention which helps to identify, monitor, and protect sensitive information.
True or False: DLP policies can be used to stop the sharing of sensitive information.
- True
- False
Answer: True
Explanation: DLP policies are designed to help prevent the accidental or unintentional sharing of sensitive information.
This Microsoft tool allows DLP policy creation based on predefined templates.
- a) Microsoft Word
- b) Microsoft OneDrive
- c) Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center)
- d) Microsoft Excel
Answer: c) Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center)
Explanation: The Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center) is where admins create and manage DLP policies from predefined templates or custom rules.
True or False: Microsoft Defender for Cloud Apps does not support DLP policy integration from third-party solutions.
- True
- False
Answer: False
Explanation: Microsoft Defender for Cloud Apps can send file content to an external DLP solution over the ICAP protocol, so organizations can keep using the classification logic and policies they already have in a third-party DLP product.
Microsoft Defender for Cloud Apps is a(n) ________ product.
- a) Google
- b) Amazon
- c) Microsoft
- d) IBM
Answer: c) Microsoft
Explanation: Defender for Cloud Apps is a product of Microsoft which provides information protection capabilities.
True or False: Microsoft Defender for Cloud Apps DLP capability can be used to monitor and protect both structured and unstructured data.
- True
- False
Answer: True
Explanation: Microsoft Defender for Cloud Apps can monitor and protect both structured and unstructured data, ensuring comprehensive security coverage.
In the context of DLP in Microsoft Defender for Cloud Apps, what does the term “policy” refer to?
- a) The rules defined to prevent data loss
- b) The password set to access the system
- c) The payment agreement for the service
- d) The interface layout
Answer: a) The rules defined to prevent data loss
Explanation: In the context of DLP, a “policy” refers to the set of rules that are defined to prevent data loss.
Interview Questions
What is the primary purpose of file policies in Microsoft Defender for Cloud Apps?
File policies in Microsoft Defender for Cloud Apps let you keep control over the data residing in your cloud apps by inspecting files for sensitive information types, matches of your Microsoft 365 DLP policies, and built-in or custom expressions, and then applying governance actions to the files that match.
What types of information can the Data Loss Prevention (DLP) policies block in Microsoft Defender for Cloud Apps?
DLP policies can detect and act on many kinds of sensitive information, such as credit card numbers, U.S. Social Security numbers, bank account numbers, and passport numbers, as well as custom sensitive information types defined by the organization.
How can you create a new file policy in Microsoft Defender for Cloud Apps?
You can create a new file policy by navigating to Control > Policies > Create a policy > File policy.
Can you edit a DLP policy after it’s been created?
Yes, you can edit a DLP policy after it’s been created. You can alter the name, description, severity, category, filters, templates, or actions of the policy.
What happens if a file matches the conditions set in a DLP policy?
If a file matches the conditions set out in a DLP policy, the action defined in the policy is executed. Depending on the configuration this might be an alert or email notification, a governance action on the file such as quarantine, removing external collaborators or a shared link, or applying a sensitivity label to protect the file.
How are DLP policies prioritized in Microsoft Defender for Cloud Apps?
DLP policies are prioritized based on their order in the policy list. The policy at the top of the list has the highest priority.
Can you use DLP policies to prevent data from being downloaded?
Yes. A file policy cannot stop a download on its own, because it evaluates the file after the fact, but you can pair your DLP logic with a session policy (delivered through Conditional Access App Control) that inspects the file content during the session and blocks the download in real time.
What kind of expressions can be used when creating file policies in Microsoft Defender for Cloud Apps?
Content inspection in a file policy can use built-in expressions (predefined patterns such as credit card or Social Security numbers) or custom expressions written as regular expressions. Built-in expressions and sensitive information types generally include a validation step (for example a checksum), whereas a bare custom regex matches on shape alone and therefore produces more false positives.
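To make the difference between a shape-only custom expression and a validated detection concrete, the following added example (not code from the page or from Microsoft) applies a credit-card-style regular expression of the kind you would paste into a custom expression, and then runs a Luhn checksum over each candidate, the same validation the built-in credit card detection performs. The sample text is constructed for the example.

```powershell
# Added example: a custom regex alone versus regex plus Luhn validation.
# The sample text below is constructed; the card number is a well-known test value.

function Test-Luhn {
    param([string]$Digits)
    # Standard Luhn checksum: double every second digit from the right,
    # subtract 9 from any result above 9, and the total must be divisible by 10.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardCandidates {
    param([string]$Text)
    # Same shape a custom expression in a file policy would use:
    # 13 to 16 digits, optionally separated by spaces or hyphens.
    $pattern = '\b(?:\d[ -]?){12,15}\d\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        [pscustomobject]@{
            Match     = $m.Value
            LuhnValid = Test-Luhn $digits   # $true only for a checksum-valid number
        }
    }
}

$sample = @"
Order ref 4111 1111 1111 1111 approved by finance.
Tracking number 1234 5678 9012 3456 shipped yesterday.
"@

# The regex flags both lines; only the first passes the Luhn check.
Find-CardCandidates -Text $sample | Format-Table -AutoSize
```

Run stand-alone, the table shows two regex matches but only the 4111 test number as `LuhnValid`. This is why, for data that has a built-in sensitive information type, the SIT or built-in expression should be preferred over a custom regex, and why a custom expression is best combined with other filters (file owner, sharing level, app) before it drives a governance action.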
Can you set file policies to apply to all files or only to files shared with specific people?
Yes, you can set file policies to apply to all files or only to files shared with specific individuals.
What is the function of the ‘Remediation’ option when configuring a DLP policy?
The ‘Remediation’ option dictates what should happen when a file matches a policy. Options include applying a sensitivity label (which can in turn encrypt or watermark the file), quarantining the file, removing external collaborators or a shared link, or only sending an alert.
Are the DLP policies in Microsoft Defender for Cloud Apps applied in real-time?
File policies that run through an API app connector are evaluated in near real time: Defender for Cloud Apps scans the file shortly after it is created or modified and then applies the configured action, so the file may have been accessible for a short period before remediation. Truly real-time enforcement, where an action such as a download is blocked before it completes, is provided by session policies through Conditional Access App Control rather than by file policies.
How can you test a DLP policy before implementing it?
In Microsoft Purview you can run a DLP policy in test (simulation) mode, with or without policy tips, to see what it would match without enforcing any action. In Defender for Cloud Apps you can achieve the same effect by creating the file policy with alerting only and no governance action, reviewing the matches, and adding the governance action once the results look right.
Is it possible to scope DLP policies to specific users or groups in Microsoft Defender for Cloud Apps?
Yes, it’s possible to scope DLP policies to specific users or groups in Microsoft Defender for Cloud Apps. You can define this in the Filters section while defining or editing a policy.
How are file policies applied to sub-folders in Microsoft Defender for Cloud Apps?
File policies in Microsoft Defender for Cloud Apps apply recursively, which means that they are automatically applied to any sub-folders of the folder to which the policy has been applied.
What kind of reports can be generated related to DLP policies in Microsoft Defender for Cloud Apps?
You can generate a variety of reports related to DLP policies, such as ‘Matched files’, ‘DLP policy matches over time’, ‘Top matching DLP policies’, ‘Top users by DLP policy matches’, and ‘Top apps by DLP policy matches’.