
Wednesday, January 25, 2017

A Practical Overview of Office 365 Advanced Security Management - Part 2
Productivity App Discovery Dashboard

In the middle of 2016, Microsoft released the first version of Office 365 Advanced Security Management, a new capability within the Office 365 platform that allows organizations to go above and beyond the typical security management features, helping them to better secure users, permissions, content and apps. This multi-part blog series will look at how to use the features that make up Advanced Security Management (ASM) and share technical details that will help you to understand the benefits of these robust tools.

In part 1, we introduced Advanced Security Management and shared technical information about how it works with the Office 365 Unified Audit Log:
A Practical Overview of Office 365 Advanced Security Management - Part 1.


In part 2, we review the Productivity App Discovery Dashboard capability of ASM to see how log files are imported, how to create reports and review the results of ASM's analysis of those logs, and how you can try it out with some built-in sample logs.




Upon launching the Office 365 Advanced Security Management console, one of the new capabilities available is the Productivity App Discovery Dashboard page, which was added to ASM around October 2016. You can access it through the ASM menu by clicking Discover > Discovery Dashboard:


The dashboard allows you to quickly review security reports that ASM generates from log files that you upload to ASM from your firewalls, proxies and other network security devices. This capability is targeted at analyzing logs from security appliances and perimeter devices or applications. Once you've uploaded at least one log file and generated a snapshot report, there is a lot of useful security data provided in an easy-to-view dashboard:


Creating a New Snapshot Report

In order to upload a log file from one of your network security appliances you must use a manual process. You need to retrieve the log file from your appliance for some particular time period, log into the Office 365 Advanced Security Management console and then do the following:
  • In the ASM menu shown above, click Discover
  • Click +Create New Report (see screenshot of the menu above)

The following page will appear:

Now give your new report a Name and Description. Then select the data source, or the type of appliance from which the log file was retrieved:


There are 20 network security solutions from 13 vendors to choose from in this list. Each vendor or device may produce a different log file format, which dictates how the logs are parsed and analyzed. The vendors and appliances listed are:
  • Blue Coat ProxySG - Access log W3C
  • CheckPoint
  • Cisco ASA Firewall
  • Cisco FWSM
  • Cisco IronPort WSA
  • Cisco ScanSafe
  • Cisco Meraki - URLs log
  • Dell SonicWALL
  • Fortinet FortiGate
  • Juniper SRX
  • McAfee Web Gateway
  • Microsoft ForeFront Threat Management Gateway (W3C)
  • Palo Alto PA Series Firewall
  • Sophos Cyberoam Web Filter and Firewall log
  • Sophos SG
  • Squid Common
  • Squid Native
  • Websense Web Security solutions - Internet Activity Log (CEF)
  • Websense Web Security Solutions - Investigate detail report (CSV)
  • Zscaler
...and then there is an Other (unsupported log format) option as well, if you have some other solution in your network.

Report Processing
Once you've selected your solution type, click Browse, select your log file and upload it for processing. You may upload multiple log files at once. Once uploaded, ASM processes the file to analyse the traffic that went through your network security solution and produces the Discovery Dashboard. This can take a few minutes, but ASM will let you know once processing is complete.


Report Ready
Once complete, your report will show a status of Ready and you'll be able to view the analytics and insights provided by the dashboard.


Limitations
Note: There are some limits on the log files that ASM will process that are important to remember:
  • Each log file may be up to 1 GB in size.
  • Uploading a log file is an entirely manual process. There is no PowerShell available at this time to start the upload, nor to access any ASM functions. So the log file upload process cannot be automated unfortunately.
  • You may only have 10 reports at a time. If you already have 10 and try to create an 11th, you will be told to first delete one of your existing reports.
  • As your report ages, any entries that are older than 90 days will be removed from the report and dashboard results. This time period cannot be adjusted at this time.
  • Entries in log files that are older than 90 days will be ignored. If your entire log file is older than 90 days, ASM will still attempt to process it upon upload but the result will be an expired report which you will not be able to view, as shown here:
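Because the upload is manual, it is worth checking a log against those limits before you retrieve and submit it. The following Python script is an added example (not code from this post or from Microsoft): it applies the 1 GB size limit and the 90-day window to a Squid native access log, counts the entries ASM would ignore, reports whether the whole file would come back as an expired report, and produces a trimmed copy containing only the entries that still fall inside the window. The sample log lines and the reference date (the date of this post) are constructed; the column layout is Squid's standard native format.

```python
"""Pre-upload check of a Squid native access log against the two ASM limits
described above: at most 1 GB per file, and entries older than 90 days are
ignored (a file with nothing newer produces an expired report).

Added example, not the post's or Microsoft's code. SAMPLE_LOG and
REFERENCE_TIME are constructed so the result is reproducible.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_BYTES = 1 * 1024 ** 3      # 1 GB per-file limit
MAX_AGE_DAYS = 90              # entries older than this are dropped by ASM

# Constructed Squid native access.log lines. Column layout (Squid's native
# format): unix-time.ms elapsed client action/code bytes method URL ident
# hierarchy/peer content-type.
SAMPLE_LOG = """\
1484352000.123    120 10.0.0.5 TCP_MISS/200 4523 GET http://www.dropbox.com/ - HIER_DIRECT/162.125.1.1 text/html
1484352060.456     80 10.0.0.6 TCP_MISS/200 1200 GET http://twitter.com/ - HIER_DIRECT/104.244.42.1 text/html
1470000000.000     90 10.0.0.7 TCP_MISS/200  999 GET http://app.box.com/ - HIER_DIRECT/74.112.184.1 text/html
"""

# Fixed "now" (the post's date) so the age check is deterministic.
REFERENCE_TIME = datetime(2017, 1, 25, tzinfo=timezone.utc)


def parse_squid_timestamp(line: str) -> Optional[datetime]:
    """Return the entry time of a Squid native line, or None if it is not one."""
    fields = line.split()
    if not fields:
        return None
    try:
        return datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None


def check_log(text: str, now: datetime) -> dict:
    """Apply the size and age limits; return a summary and the trimmed log
    containing only the entries that fall inside the 90-day window."""
    size = len(text.encode("utf-8"))
    cutoff = now - timedelta(days=MAX_AGE_DAYS)
    kept, expired, unparsed = [], 0, 0
    for line in text.splitlines():
        ts = parse_squid_timestamp(line)
        if ts is None:
            unparsed += 1          # blank or non-Squid line: not worth uploading
        elif ts < cutoff:
            expired += 1           # ASM would ignore this entry anyway
        else:
            kept.append(line)
    return {
        "size_bytes": size,
        "size_ok": size <= MAX_BYTES,
        "kept": len(kept),
        "expired": expired,
        "unparsed": unparsed,
        # True when every parsable entry is past the window: the upload
        # would only produce an expired report you cannot view.
        "fully_expired": expired > 0 and not kept,
        "trimmed_log": "".join(line + "\n" for line in kept),
    }


def check_sample() -> dict:
    """Run the check over the constructed sample with the fixed reference time."""
    return check_log(SAMPLE_LOG, REFERENCE_TIME)


if __name__ == "__main__":
    result = check_sample()
    for key in ("size_bytes", "size_ok", "kept", "expired", "unparsed", "fully_expired"):
        print(f"{key}: {result[key]}")
    print(result["trimmed_log"], end="")
```

On the constructed sample the two January 2017 entries are kept and the July 2016 entry is flagged as expired; a file made up only of such old entries is reported as fully expired, which is the case where ASM would accept the upload and then hand you a report you cannot open.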


Analysing and Categorizing Cloud Apps

When log files are analyzed by ASM, the traffic is not only categorized by the type of cloud app (like cloud storage or social media), but ASM will recognize the individual cloud apps and let you know exactly which ones your end users are accessing. The larger Cloud App Security (CAS) solution has a catalog of almost 15,000 cloud apps that it will identify. However, a subset of those apps are recognized as 'productivity apps', and it is that subset of over 1,000 apps that ASM will identify. This list is growing, and Microsoft has a team of people working on increasing it through both manual and automatic methods. Microsoft is committed to supporting new apps in their catalog as soon as possible.

If you have a cloud app that you know is in use and is not yet recognized by ASM, you can request that Microsoft investigate it and potentially add it to the catalog. This is typically done by opening a support request through the ASM portal (question mark on the top right of the page). When creating a service request, you'll need to select "Cloud App Security" under the Create a Service Request list.



Analyzing and providing a quick view into which cloud apps are in fact in use by end users can really help you to determine if Shadow IT is at play in your organization, and exactly how much data is moving to cloud hosted solutions which may not be IT approved. This can provide great visibility to IT and InfoSec teams, helping them to work with end users and business units to ensure they are using the corporate approved solutions and not exposing the organization to risk.

Sample Log Files for Trialing the Discovery Dashboard

Another great feature that's built into the Discovery Dashboard is that it provides sample log files for you to trial and learn about the insights this feature can provide. You can access the sample logs by following the process described above for creating a new snapshot report, and when you get to the page where you give your report a name and description, select the type of Data Source from the dropdown and then click the "View and verify..." link:


You'll then see a page that describes the log format required by that solution in some detail. On that page, click the "Download sample log" button. You'll download a log file to your desktop, which you can then use to create a sample snapshot report.


The log file will download as a ZIP file, which you'll have to save locally, unzip and then start the process once again to create a snapshot report. The log file downloaded will follow the proper format for the Data Source selected (the solution vendor and type). So follow the process outlined above to create a new snapshot report once again using the sample log and choose that same data source the next time through.

These sample files are updated each week so that they stay fresh and do not result in expired reports (older than 90 days).

A Tour of the Productivity App Discovery Dashboard

Once you've created a snapshot report, as described above, you can access the Discovery Dashboard to get an overview of the analysis performed on your log files.


Selecting a Report
You can select which snapshot report you're viewing on the top right corner of the screen:



Traffic Statistics
On the top left of the Discovery Dashboard we're presented with statistics about:
  • number of apps analyzed
  • number of users referenced within the network security solution's log file
  • number of IP addresses analyzed
  • amount of network traffic analyzed
Remember, these statistics are only from log file entries that are not older than 90 days.


As you can see, the amount of traffic that went through the network security solution is shown, and it's broken up by the amount of traffic uploaded (red arrow) versus downloaded (black arrow).

Cloud Apps and Categories
Moving a little further down the page on the left side, we can see the categories of cloud apps and the individual apps in use. In the top table on the left, ASM has categorized the cloud applications found in my log file into the categories shown here. This gives us a quick view into the type of cloud apps in use by users, or the capability that each cloud app offers to users. It also shows the total amount of data transmitted through that category of cloud app. For example, in this case we can see that 2.3 GB has been exchanged with cloud storage solutions (Box, Dropbox, etc.) and only 4 MB has been exchanged with social media cloud based apps (Twitter, Facebook, etc.).


On the bottom table on the left, we see the cloud apps that are most in use in my organization along with the amount of traffic generated for each (in this case OneDrive for Business, Box, Skype for Business, Office 365 and Exchange). However, I can see right beside the "Discovered apps" label that there were in fact 116 different cloud apps found going through my network device. I can use the dropdowns above that table to view the other categories of cloud apps as well. So if I select social networks from the list, I see the apps found in my log which fall into that category, no matter how small the amount of data.



As well, you can easily include or exclude Office 365 traffic from these graphs by checking or unchecking "Office 365". So, if Office 365 is the corporate standard collaboration solution, this allows you to easily focus on other cloud apps which may not be approved.
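The headline numbers in this part of the dashboard (apps, users and IP addresses seen, upload versus download bytes, traffic per category and per discovered app, and the Office 365 toggle) can be reproduced in miniature over a proxy log. The following Python is an added example, not code from this post or from Microsoft: it parses a W3C extended log of the kind Blue Coat ProxySG writes (the #Fields: directive names the columns; cs-bytes is client-to-server, sc-bytes is server-to-client), maps each cs-host to a small constructed catalog that stands in for Microsoft's app catalog, and totals the traffic by category and by app with an include_office365 switch. The hostnames, users, byte counts and catalog entries are all constructed; Microsoft's risk scoring is not reproduced.

```python
"""Miniature of the Discovery Dashboard numbers described above, computed
from a W3C extended proxy log: apps, users and IPs seen, upload versus
download bytes, traffic per category and per discovered app, and an
"include Office 365" switch.

Added example, not the post's or Microsoft's code. APP_CATALOG is a
constructed stand-in for Microsoft's app catalog; the log is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed catalog: hostname suffix -> (app name, category).
APP_CATALOG: Dict[str, Tuple[str, str]] = {
    "sharepoint.com": ("OneDrive for Business", "Office 365"),
    "outlook.office365.com": ("Exchange Online", "Office 365"),
    "box.com": ("Box", "Cloud storage"),
    "dropbox.com": ("Dropbox", "Cloud storage"),
    "twitter.com": ("Twitter", "Social network"),
    "facebook.com": ("Facebook", "Social network"),
}

# Constructed W3C extended log (Blue Coat ProxySG style). The '#Fields:'
# directive names the columns; cs-bytes is client->server (upload) and
# sc-bytes is server->client (download).
SAMPLE_LOG = """\
#Software: SGOS
#Version: 1.0
#Fields: date time c-ip cs-username cs-host cs-bytes sc-bytes cs-method
2017-01-20 09:01:10 10.0.0.5 alice contoso-my.sharepoint.com 52428800 10240 PUT
2017-01-20 09:02:44 10.0.0.6 bob www.dropbox.com 20971520 4096 POST
2017-01-20 09:03:01 10.0.0.5 alice app.box.com 1048576 2097152 GET
2017-01-20 09:05:12 10.0.0.7 carol twitter.com 512 3584 GET
2017-01-20 09:06:30 10.0.0.7 carol outlook.office365.com 8192 1048576 GET
2017-01-20 09:07:02 10.0.0.8 dave unknown-saas.example 2048 4096 GET
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per data row, keyed by the names from '#Fields:'."""
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue                      # other directives and blank lines
        values = raw.split()
        if not fields or len(values) != len(fields):
            continue                      # no header yet or malformed row: skip, don't guess
        yield dict(zip(fields, values))


def lookup_app(host: str) -> Tuple[str, str]:
    """Match a host against catalog suffixes (exact host or a dot-separated subdomain)."""
    host = host.lower()
    for suffix, app in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return ("Unrecognized: " + host, "Unrecognized")


@dataclass
class Summary:
    apps: int
    users: int
    ips: int
    upload_bytes: int
    download_bytes: int
    by_category: Dict[str, int]   # upload + download bytes, largest first
    by_app: Dict[str, int]        # bytes per discovered app, largest first


def _largest_first(totals: Dict[str, int]) -> Dict[str, int]:
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def summarize(text: str, include_office365: bool = True) -> Summary:
    """Compute the dashboard's headline numbers for one log."""
    users, ips, apps = set(), set(), set()
    up = down = 0
    by_cat: Dict[str, int] = defaultdict(int)
    by_app: Dict[str, int] = defaultdict(int)
    for rec in parse_w3c(text):
        app, category = lookup_app(rec["cs-host"])
        if category == "Office 365" and not include_office365:
            continue                      # the dashboard's "Office 365" checkbox
        cs, sc = int(rec["cs-bytes"]), int(rec["sc-bytes"])
        users.add(rec["cs-username"])
        ips.add(rec["c-ip"])
        apps.add(app)
        up += cs
        down += sc
        by_cat[category] += cs + sc
        by_app[app] += cs + sc
    return Summary(len(apps), len(users), len(ips), up, down,
                   _largest_first(by_cat), _largest_first(by_app))


if __name__ == "__main__":
    for toggle in (True, False):
        s = summarize(SAMPLE_LOG, include_office365=toggle)
        print(f"Office 365 included={toggle}: {s.apps} apps, {s.users} users, "
              f"{s.ips} IPs, up {s.upload_bytes} B, down {s.download_bytes} B")
        for cat, total in s.by_category.items():
            print(f"  {cat}: {total} B")
```

Unrecognized hosts are counted as their own category rather than dropped, which is the useful signal for Shadow IT: the apps the catalog does not know about are exactly the ones to investigate or to request that Microsoft add. Flipping the switch off drops the two Office 365 rows and leaves cloud storage as the largest category, mirroring what unchecking "Office 365" does on the dashboard.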

Risk Levels, Traffic Locations and Exporting Data
Finally, in the diagrams on the right side of the page, ASM provides a risk score for the traffic analyzed and a map of where the traffic is originating. We can see in the following that, of the 2.7 GB analyzed in total, 4 KB is considered high risk traffic, 83 MB is considered medium risk and 2.6 GB is considered low risk. I can see these numbers by hovering over each slice of the pie. I can also see a world map in this section of the dashboard which gives me a quick view into where the traffic going through my network is originating from; the map is generated from the IP addresses found in my log file.






The risk level shown for the various types of traffic is based on intelligence and heuristics that ASM uses from the Microsoft Security Graph in its analysis to determine if risky IP addresses or non-reputable cloud apps are being accessed through your network. This integration of intelligence from the Microsoft Security Graph is one of the major benefits of ASM over the other built-in security tools in Office 365.

You can learn more about Microsoft's intelligent security graph here: https://blogs.microsoft.com/microsoftsecure/2016/07/21/new-microsoft-azure-security-capabilities-now-available/.

If I try to review the specific risk details by clicking "View risk details", I am unfortunately told that I need the Cloud App Security solution to do that:


I can adjust this graph through the dropdown to instead focus on Apps, Users, IP Addresses, Upload Traffic and Transactions. On each graphic on the dashboard, I can also click the little grey downward arrow to download a CSV file of the traffic details shown in the graph. The CSV file is relatively simple but can be useful when we need to generate reports for others in the organization.



Automatic Log File Upload and Cloud App Security

The Productivity App Discovery Dashboard is a great solution for analyzing traffic going through your network and understanding which cloud apps end users are making use of. It can provide IT and InfoSec teams with the information they need to determine if Shadow IT is at work in their organization, and give them intelligence they can use to work with end users and business groups to ensure they're following corporate policy for cloud based collaboration.

As mentioned above, the upload of log files is a manual process and we're limited to having 10 reports in the dashboard at a time. I think this can still be a beneficial solution to enterprises in circumstances where you want to perform ad hoc analysis of a firewall or network security log, as part of a regular IT security audit or when investigating suspicious network activity. If you want to make ongoing use of this capability, however, and have log files uploaded automatically, then for now you'll need to upgrade to the larger Cloud App Security solution from Microsoft. You can learn more about Cloud App Security here: What Is Cloud App Security, and I may also cover it more in a future post.

What's Next

This post was a fairly thorough review of the Productivity App Discovery Dashboard feature within Office 365 Advanced Security Management.

The next post in this series will look at how security policies and alerts are in fact configured and how they work within ASM.

Enjoy.
-Antonio

92 comments:

  1. Great Post!
    You seem to have the same issue as me:
    "If I want to review the specific risk details by clicking "View risk details" we are unfortunately told that I need the Cloud App Security solution to do that"...
    Any idea why this message appears? Is there another licensing level that provides this drill down capability? The dashboard is great but I can't drill into the underlying data?
    All the info I can find states that Cloud App Security is included with O365 E5 license. I'm currently running a trial of E5 license.
