Follow me on Twitter @AntonioMaio2

Wednesday, January 25, 2017

A Practical Overview of Office 365 Advanced Security Management - Part 2
Productivity App Discovery Dashboard

In the middle of 2016, Microsoft released the first version of Office 365 Advanced Security Management, a new capability within the Office 365 platform that allows organizations to go above and beyond the typical security management features, helping them to better secure users, permissions, content and apps. This multi-part blog series will look at how to use the features that make up Advanced Security Management (ASM) and share technical details that will help you to understand the benefits of these robust tools.

In part 1, we introduced Advanced Security Management and shared technical information about how it works with the Office 365 Unified Audit Log:
A Practical Overview of Office 365 Advanced Security Management - Part 1.

In part 2, we review the Productivity App Discovery Dashboard capability of ASM to see how log files are imported, how to create reports and review the results of ASM's analysis of those logs, and how you can try it out with some built-in sample logs.

Upon launching the Office 365 Advanced Security Management console, one of the new capabilities available is the Productivity App Discovery Dashboard page, which was added to ASM around October 2016. You can access it through the ASM menu by clicking Discover > Discovery Dashboard:

The dashboard allows you to quickly review security reports that ASM generates from log files that you upload to ASM from your firewalls, proxies and other network security devices. This capability is really targeted at analyzing logs from security appliances and perimeter devices or applications. Once you’ve uploaded at least one log file and generated a snapshot report, there is a lot of useful security data provided in an easy-to-view dashboard:

Creating a New Snapshot Report

In order to upload a log file from one of your network security appliances you must use a manual process. You need to retrieve the log file from your appliance for some particular time period, log into the Office 365 Advanced Security Management console and then do the following:
  • In the ASM menu shown above, click Discover
  • Click +Create New Report (see screenshot of the menu above)

The following page will appear:

Now give your new report a Name and Description. Then select the data source, or the type of appliance from which the log file was retrieved:

In this list there are in fact 20 network security solutions to choose from, from 13 vendors. Each solution vendor or device may have a different log file format which will dictate how the logs are analyzed. The vendors and appliances listed are:
  • Blue Coat ProxySG - Access log W3C
  • CheckPoint
  • Cisco ASA Firewall
  • Cisco FWSM
  • Cisco IronPort WSA
  • Cisco ScanSafe
  • Cisco Meraki - URLs log
  • Dell SonicWALL
  • Fortinet FortiGate
  • Juniper SRX
  • McAfee Web Gateway
  • Microsoft ForeFront Threat Management Gateway (W3C)
  • Palo Alto PA Series Firewall
  • Sophos Cyberoam Web Filter and Firewall log
  • Sophos SG
  • Squid Common
  • Squid Native
  • Websense Web Security solutions - Internet Activity Log (CEF)
  • Websense Web Security Solutions - Investigate detail report (CSV)
  • Zscaler
...and then there is an Other (unsupported log format) option as well, if you have some other solution in your network.

Report Processing
Once you've selected your solution type, you click Browse, select your log file and upload it for processing. You may upload multiple log files at once. Once uploaded, ASM will process the file to analyse traffic going through your network security solution and produce the Discovery Dashboard. This process can take a few minutes, but it will let you know once that processing is complete.

Report Ready
Once complete, your report will show a status of Ready and you'll be able to view the analytics and insights provided by the dashboard.

Note: There are some limits on the log files that ASM will process that are important to remember:
  • Each log file may be up to 1 GB in size.
  • Uploading a log file is an entirely manual process. There is no PowerShell available at this time to start the upload, nor to access any ASM functions. So the log file upload process cannot be automated unfortunately.
  • You may only have 10 reports at a time. If you already have 10 and try to create an 11th, you will be told to first delete one of your existing reports.
  • As your report ages, any entries that are older than 90 days will be removed from the report and dashboard results. This time period cannot be adjusted at this time.
  • Entries in log files that are older than 90 days will be ignored. If your entire log file is older than 90 days, ASM will still attempt to process it upon upload but the result will be an expired report which you will not be able to view, as shown here:

Analysing and Categorizing Cloud Apps

When log files are analyzed by ASM, the traffic is not only categorized by the type of cloud app (like cloud storage or social media), but ASM will recognize the individual cloud apps and let you know exactly which ones your end users are accessing. The larger Cloud App Security (CAS) solution has a catalog of almost 15,000 cloud apps that it will identify. However, a subset of those apps are recognized as 'productivity apps' and it is that subset of over 1,000 apps that ASM will identify. This list is actually a growing list, and Microsoft has a team of people working on increasing it through both manual and automatic methods. Microsoft is committed to support new apps in their catalog as soon as possible.

If you have a cloud app that you know is in use and is not yet recognized by ASM, you can request that Microsoft investigate it and potentially add it to the catalog. This is typically done by opening a support request through the ASM portal (question mark on the top right of the page). When creating a service request, you'll need to select "Cloud App Security" under the Create a Service Request list.

Analyzing and providing a quick view into which cloud apps are in fact in use by end users can really help you to determine if Shadow IT is at play in your organization, and exactly how much data is moving to cloud hosted solutions which may not be IT approved. This can provide great visibility to IT and InfoSec teams, helping them to work with end users and business units to ensure they are using the corporate approved solutions and not exposing the organization to risk.

Sample Log Files for Trialing the Discovery Dashboard

Another great feature that's built into the Discovery Dashboard is that it provides sample log files for you to trial and learn about the insights this feature can provide. You can access the sample logs by following the process described above for creating a new snapshot report, and when you get to the page where you give your report a name and description, select the type of Data Source from the dropdown and then click the "View and verify..." link:

You'll then see a page that describes the log format required by that solution in some detail. On that page, click the "Download sample log" button. You'll download a log file to your desktop, which you can then use to create a sample snapshot report.

The log file will download as a ZIP file, which you'll have to save locally, unzip and then start the process once again to create a snapshot report. The log file downloaded will follow the proper format for the Data Source selected (the solution vendor and type). So follow the process outlined above to create a new snapshot report once again using the sample log and choose that same data source the next time through.

These sample files are updated each week so that they stay fresh and do not result in expired reports (older than 90 days).
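The limits noted earlier (1 GB per file, entries older than 90 days ignored, a wholly old file producing an expired report) can be checked locally before uploading. The following Python is an added example, not part of the original post or of ASM; it assumes a Squid native access log (one of the listed data sources) and reads "1 GB" as 10^9 bytes, and the function names and sample lines are constructed for illustration.

```python
import io
from datetime import datetime, timedelta, timezone

MAX_BYTES = 10**9               # assumption: "1 GB" read as decimal, the stricter reading
MAX_AGE = timedelta(days=90)    # entries older than this are ignored by ASM


def parse_squid_native(line):
    """Return (timestamp, client, bytes, url), or None if the line is malformed.

    Squid native layout: time elapsed client action/code bytes method URL ...
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        size = int(fields[4])
    except (ValueError, OverflowError, OSError):
        return None
    return ts, fields[2], size, fields[6]


def precheck(lines, size_bytes, now):
    """Count fresh, stale and malformed entries and list likely upload problems."""
    cutoff = now - MAX_AGE
    fresh = stale = malformed = 0
    oldest = newest = None
    for line in lines:
        if not line.strip():
            continue
        rec = parse_squid_native(line)
        if rec is None:
            malformed += 1
            continue
        ts = rec[0]
        oldest = ts if oldest is None else min(oldest, ts)
        newest = ts if newest is None else max(newest, ts)
        if ts < cutoff:
            stale += 1
        else:
            fresh += 1
    issues = []
    if size_bytes > MAX_BYTES:
        issues.append("too_large")
    if fresh == 0:
        # Nothing inside the window: the upload would yield an expired report.
        issues.append("expired" if stale else "no_entries")
    elif stale:
        issues.append("stale_entries")   # these rows would be ignored
    return {"fresh": fresh, "stale": stale, "malformed": malformed,
            "oldest": oldest, "newest": newest, "issues": issues}


def write_fresh(lines, out, now):
    """Copy only parseable entries inside the 90-day window; return the count kept."""
    cutoff = now - MAX_AGE
    kept = 0
    for line in lines:
        rec = parse_squid_native(line)
        if rec is not None and rec[0] >= cutoff:
            out.write(line if line.endswith("\n") else line + "\n")
            kept += 1
    return kept


def build_sample(now, days_ago):
    """Constructed Squid native lines, one per age in days (documentation IPs)."""
    rows = []
    for i, d in enumerate(days_ago):
        ts = (now - timedelta(days=d)).timestamp()
        rows.append(f"{ts:.3f}    120 192.0.2.{10 + i} TCP_MISS/200 {4096 * (i + 1)} "
                    f"GET http://files.example.com/doc{i} - "
                    "HIER_DIRECT/203.0.113.10 text/html")
    return "\n".join(rows) + "\n"


# Constructed inputs: a fixed "now" so the result is reproducible.
NOW = datetime(2017, 1, 25, tzinfo=timezone.utc)
SAMPLE = build_sample(NOW, [1, 30, 89, 91, 200]) + "# not a log entry\n\n"

if __name__ == "__main__":
    report = precheck(io.StringIO(SAMPLE), len(SAMPLE.encode()), NOW)
    print(report)
    trimmed = io.StringIO()
    print("kept", write_fresh(io.StringIO(SAMPLE), trimmed, NOW), "entries")
```

For a real file, pass an open text handle and `os.path.getsize(path)` in place of the constructed sample.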

A Tour of the Productivity App Discovery Dashboard

Once you've created a snapshot report, as described above, you can access the Discovery Dashboard to get an overview of the analysis performed on our log files.

Selecting a Report
You can select which snapshot report you're viewing on the top right corner of the screen:

Traffic Statistics
On the top left of the Discovery Dashboard we're presented with statistics about:
  • number of apps analyzed
  • number of users referenced within my network security solution's log file
  • number of IP addresses analyzed
  • amount of network traffic analyzed
Remember, these statistics are only from log file entries that are not older than 90 days.

As you can see, the amount of traffic that went through the network security solution is shown, and it's broken up by the amount of traffic uploaded (red arrow) versus downloaded (black arrow).

Cloud Apps and Categories
Moving a little further down the page on the left side, we can see the categories of cloud apps and the apps that are themselves in use. In our top table on the left, ASM has categorized the cloud applications found in my log file into the categories shown here. This gives us a quick view into the type of cloud apps in use by users, or the capability which that cloud app offers to users. It also shows the total amount of data transmitted through that cloud app. For example, in this case we can see that 2.3 GB has been exchanged with cloud storage solutions (Box, Dropbox, etc.) and only 4 MB has been exchanged with social media cloud based apps (Twitter, Facebook, etc.).

On the bottom table on the left, we see the actual cloud apps that are most in use in my organization along with the amount of traffic generated for each (in this case OneDrive for Business, Box, Skype for Business, Office 365 and Exchange). However, I can see right beside the "Discovered apps" label that there were in fact 116 different cloud apps found going through my network device. I can use the dropdowns above that table to view the other categories of cloud apps as well. So if we select social networks from the list, I see the apps that were found in my log which fall into that category, no matter how small the amount of data.

As well, you can easily include or exclude Office 365 traffic from these graphs by unchecking or deselecting "Office 365". So, if Office 365 is a corporate standard collaboration solution this allows you to easily focus on other cloud apps which may not be approved.

Risk Levels, Traffic Locations and Exporting Data
Finally, in the diagrams on the right side of the page, ASM provides a risk score for the traffic analyzed and a map of where the traffic is originating. We can see in the following that after analyzing 2.7 GB in total that 4 KB is considered high risk traffic, 83 MB is considered medium risk and 2.6 GB is considered low risk. I can see these numbers by hovering over each slice of the pie. I can also see a world map in this section of the dashboard which gives me a quick view into where the traffic going through my network is originating from - the map is generated by the IP addresses found in my log file.

The risk level shown for the various types of traffic is based on intelligence and heuristics that ASM uses from the Microsoft Security Graph in its analysis to determine if risky IP addresses or non-reputable cloud apps are being accessed through your network. This integration of intelligence from the Microsoft Security Graph is one of the major benefits of ASM over the other built-in security tools in Office 365.

You can learn more about Microsoft's intelligent security graph here:

If I want to review the specific risk details by clicking "View risk details" we are unfortunately told that I need the Cloud App Security solution to do that:

I can adjust this graph through the dropdown to instead focus on Apps, Users, IP Addresses, Upload Traffic and Transactions. On each graphic on the dashboard, I can also click the little grey downwards arrow to download a CSV file of the traffic details shown in the graph. The CSV file is relatively simple but can be useful when we need to generate reports for others in the organization.

Automatic Log File Upload and Cloud App Security

The Productivity App Discovery Dashboard is a great solution for analyzing traffic going through your network and understanding which cloud apps end users are making use of. It can provide IT and InfoSec teams with the information they need to determine if Shadow IT is at work in their organization, and give them intelligence they can use to work with end users and business groups to ensure they're following corporate policy for cloud based collaboration.

As mentioned above, the upload of log files is a manual process and we're limited to having 10 reports in the dashboard at a time. I think this can still be a beneficial solution to enterprises in circumstances where you want to perform ad hoc analysis of a firewall or network security log, as part of a regular IT security audit or when investigating suspicious network activity. If you want to make ongoing use of this capability, however, and have log files uploaded automatically, then for now you'll need to upgrade to the larger Cloud App Security solution from Microsoft. You can learn more about Cloud App Security here: What Is Cloud App Security, and I may also cover it more in a future post.

What's Next

This post was a fairly thorough review of the Productivity App Discovery Dashboard feature within Office 365 Advanced Security Management.

The next post in this series will look at how security policies and alerts are in fact configured and how they work within ASM.




  2. Great Post!
    You seem to have the same issue as me:
    "If I want to review the specific risk details by clicking "View risk details" we are unfortunately told that I need the Cloud App Security solution to do that"...
    Any idea why this message appears? Is there another licensing level that provides this drill down capability? The dashboard is great but I can't drill into the underlying data?
    All the info I can find states that Cloud App Security is included with O365 E5 license. I'm currently running a trial of E5 license.

