Microsoft Cloud App Security topics
Tue, 26 Oct 2021 18:26:55 GMT MicrosoftCloudAppSecurity 2021-10-26T18:26:55Z

Consequences of MCAS Service Failure

Are there any scenarios in which failures of MCAS services would prevent people from accessing their applications?

Fri, 15 Oct 2021 18:36:26 GMT Dean Gross 2021-10-15T18:36:26Z

About MCAS access policy

This is my first post here. Nice to meet you.

Is it possible to restrict which browsers can access Microsoft 365 with MCAS access policy?
I'd like to limit it to Edge, Chrome and Safari if possible.

I appreciate everyone's help.
※This is a translation, so it may not be natural.

Wed, 06 Oct 2021 13:05:07 GMT Hayato_Kimura 2021-10-06T13:05:07Z

DLP created in compliance center do not populate in MCAS

I create a DLP policy through the Compliance center, and I am waiting more than 5 hours and it still doesn't populate in MCAS as a policy.

Any suggestion why?

Mon, 27 Sep 2021 19:42:58 GMT janshalom 2021-09-27T19:42:58Z

How to restrict access to D365 Customer Insights to company network (IP range)

Hi,

I'd like to ask if anyone here knows a way to restrict access to the Customer Insights app so that users can access this cloud app only if they are doing it from within our own network?

We were able to set up an AAD Conditional Access policy to achieve this for other Dynamics 365 apps by restricting access for the Common Data Service. But I don't find an appropriate app to select for restriction of Customer Insights. Do we have to restrict something different to achieve this or do we have to use another feature or is it not possible to do what we want?

Our data protection officer told us that we have to seal our D365 cloud apps off first before we may upload sensitive customer data to/through it. That way we can easily make sure (more or less) that users use controlled devices and controlled client apps and filtered LAN/VPN that prohibits them from accidentally or intentionally leaking sensitive data to other services etc.

I appreciate every hint. Thanks in advance.
Roberto

Mon, 27 Sep 2021 01:22:10 GMT reroberto 2021-09-27T01:22:10Z

Malware Detection

What is the reason that the Built-in Malware Detection Policy is disabled by default?

Sun, 26 Sep 2021 13:11:54 GMT janshalom 2021-09-26T13:11:54Z

Using Powershell to run MCAS REST API. Limit issues

Hi all,

I am working on using the MCAS REST API via PowerShell to retrieve activities from one user. I have been able to get a PowerShell script to run successfully but I have issues raising the limit of records to 5000.
By default it is 100 but using the Scanning mode (isScan = "true") feature in the filter section, I am able to get 500 but not 5000.

Firstly, does anyone use PowerShell to perform their REST API call? Is there an easier way? I cannot install Python on my device so only have what is standard on Windows.

Secondly, can anyone help me on how to raise the limit to 5000 (or more if possible)?

Thanks

Fri, 24 Sep 2021 22:03:31 GMT O_A41 2021-09-24T22:03:31Z

Cloud apps and azure portal slow when using cloud app security

Is it just me or is cloud apps getting super slow when using cloud app security?
When I open Sentinel and search, the site loads super slow, when I remove cloud app security ( it becomes snappy again

Fri, 24 Sep 2021 11:02:54 GMT honey4sec 2021-09-24T11:02:54Z

mcas - malware detection policy

Hi all,
just wondering whether or not the malware detection policy is just a "detection" policy :) with no remediation or mitigation impact on the related findings. In other words, once the policy found suspicious files containing malware within SpO or OfB, it only alerts within MCAS, but does nothing more on that file like moving to quarantine or similar.
Am I right?
Thank you
Thomas

Thu, 23 Sep 2021 09:45:18 GMT ThomasHoehner 2021-09-23T09:45:18Z

How to integrate Squid proxy with MCAS?

Hello Everyone,

Can somebody help me understand this?

Is it possible to integrate Squid proxy with MCAS? If yes, please share the steps.

Is proxy replaceable to log collector results? (Can we achieve full discovery with the help of proxy integration instead of having log collectors, since we are facing too many issues with log collectors nowadays?)

I would be thankful for a kind response on this.

Warm regards,
Mahesh.

Tue, 21 Sep 2021 01:39:54 GMT maheshcapj 2021-09-21T01:39:54Z

MCAS Collector - Error Reading Configuration

Hi All

I'm trying to deploy the MCAS Log Collector on Docker (Windows Server 2019 DC - Hyper-V) following the below document but when the container spins up it gives an error stating "Error Reading Configuration".

The only similar instance I've been able to find has been here but that just says try Ubuntu which isn't an option (full Windows house).

Has anyone come across a similar issue?

Cheers!

Thu, 16 Sep 2021 17:09:43 GMT equinn86 2021-09-16T17:09:43Z

MCAS log ingestion deployment modes (Log collector vs MDE)

Hello techies,

Hope you all doing well and keeping safe during this unprecedented timings!!

I have a couple of queries regarding log deployment modes. Please help me understand.

As part of transition we have been requested to support for one of our clients. In the current ecosystem log ingestion is happening through native MDE integration and via log collectors (Docker image on Linux in Azure).

1. When we are able to discover the data from MDE, why should we have log collector deployment in place? I believe with the help of log collectors only, we are able to replicate the cloud discovery resource details (statistics for platform security i.e. storage account transactions). Please correct me if I am wrong.

2. If we ingest the data from both MDE and through log collector servers, will it be treated as redundant logs from MCAS side? How will the data be processed?

3. Log collectors are showing offline since Sep 4th 2021. But last parsed log is showing as Sep 14th? So there is 10 days of delay in processing the data from log collectors to MCAS? Why is it taking a 10-day time period, because we would be in a blind spot from a security standpoint?

Can somebody please help me understand the above queries?

Looking forward to hearing for these queries please?

Thank you,
Mahesh.

Wed, 15 Sep 2021 10:33:17 GMT maheshcapj 2021-09-15T10:33:17Z

MCAS integration with Sentinel - All old alerts generated incidents in sentinel

Hi

I have observed some unusual behaviour from MCAS and Sentinel integration. Based on the attached screenshot, you can see that there is a bulk of incidents generated in Azure Sentinel that are forwarded from MCAS. Most of these alerts are old dated (5 months old). Most of these alerts are closed in MCAS already. Not sure why it dumped all the alerts on Sentinel.

[screenshot]

This behaviour has been observed a couple of times. Anyone else faced a similar issue?

Mon, 13 Sep 2021 10:36:48 GMT Deepanshu_Marwah 2021-09-13T10:36:48Z

MDATP in passive mode

Hello everyone,

I am currently using 3rd party AV, will having MDATP installed in passive mode allow blocking unsanctioned apps?
Sat, 11 Sep 2021 21:18:20 GMT Makkouk11 2021-09-11T21:18:20Z Gmail cloud Hello everyone,<BR />Please just a quick question, i was able to connect successfully my google work space APIs to MCAS.<BR />My question is that i am only able to have visibility and control over Google Drive but not gmail, please can any body help me in this, thanks. Sat, 11 Sep 2021 21:16:09 GMT Makkouk11 2021-09-11T21:16:09Z MCAS [Activity Policy] Log on from an outdated browser - current Teams client triggers alert <P>TLDR: Microsoft Teams client triggers 'Log on from an outdated browser' alert policy&nbsp;<img class="lia-deferred-image lia-image-emoji" src="" alt=":sad:" title=":sad:" /></P><P>&nbsp;</P><P>After enabling the MCAS - Activity Policy - 'Log on from an outdated browser' our current up-to-date desktop Teams client triggers the alert. I spent quite some time with the user discussing their configuration and thankfully a colleague correlated the 'Sign-in Logs' from the AAD blade and we could see the below 'User Agent's from the same workstation:</P><UL><LI>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/ Chrome/85.0.4183.121 Electron/10.4.3 Safari/537.36</LI><LI>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36</LI></UL><P>The latest production release of Teams is 'Teams/' and it is evidently running Chrome/85.0.4183.121 (Chromium) in the back end which is flagged in the 'User agent tags' of the alert as 'Outdated browser'.</P><P>&nbsp;</P><P>The default template should exempt this use case.</P><P>&nbsp;</P><P>Knowing the above I've attempted to add an additional filter 'User Agent String' and 'does not contain' 'Teams' - this has no affect on the results leaving me with the suspicion that the full user agent string as above is not passed through. 
If this is the case then why is it an available filter?</P><P>&nbsp;</P><P>It would be great to see this addressed or advice on what I've missed to get this working.</P><P>&nbsp;</P><P>Thanks</P> Wed, 08 Sep 2021 04:29:03 GMT UCDWraith 2021-09-08T04:29:03Z MCAS Impossible Travel alert AND original O365 Impossible Travel alert <P>Hello,&nbsp;</P><P>&nbsp;</P><P>we have O365 security center sending alerts to our 3rd party SIEM through the management API.</P><P>MCAS sees the same O365 alert - when MCAS is integrated with the SIEM, will both alerts be seen by the SIEM?&nbsp;&nbsp;</P> Tue, 07 Sep 2021 14:36:14 GMT DJB 2021-09-07T14:36:14Z Supported firewall without delivering usernames? <P>Hi there,<BR /><BR />currently I'm struggling with the first tests in MCAS. I'm executing the tests in my DEV tenant or in a customer tenant. In both I have no possibility to use Defender for Endpoint. So I'm relying on the firewall logs.<BR /><BR />So I already tested with the continuous logfile upload via logfile collector. But the results are never sufficient. 
I already found the&nbsp;<A title="troubleshooting guide for log parsing errors" href="#" target="_self">troubleshooting guide for log parsing errors</A>&nbsp;, but it is not helpful for an "internal error".</P><P><BR />But I wondered, why are there so many firewalls without having the usernames in the Syslog beeing supported by MCAS?<BR /><A href="#" target="_self">Supported firewalls and proxies</A><BR /><BR />Shouldn't be the username one of the main criteria to visualize senseful data in MCAS?<BR />If you are able to successfully upload firewall data without usernames, how do the results look like?<BR /><BR />Kind regards,<BR />woelki<BR />&nbsp;</P><P>&nbsp;</P> Tue, 31 Aug 2021 12:08:21 GMT woelki 2021-08-31T12:08:21Z Missing Cloud Discovery Executive report <DIV class="yj-message-list-item--body yj-message-body"><DIV class="yj-message-body"><DIV class="y-block yj-message-content"><DIV class="y-block--inner css-45"><P>Has anyone else noticed that Cloud Discovery Executive report is no longer available in MCAS on the Cloud Discovery page, <A title="" href="#" target="_blank" rel="nofollow noopener noreferrer">Working with discovered apps in Cloud App Security | Microsoft Docs</A></P></DIV></DIV></DIV></DIV> Thu, 26 Aug 2021 12:00:00 GMT Dean Gross 2021-08-26T12:00:00Z Cloud Discovery Executive Report <P>On the Cloud Discovery Executive Report is there a way to send that out via email to multiple users on a weekly basis?</P> Wed, 25 Aug 2021 19:37:24 GMT Dean Gross 2021-08-25T19:37:24Z Application added to cloud app security <P>I added Zendesk to cloud app security using the method below. I can see the app in "cloud app security" however when i click on the app, and then "activity Log" i only see one user accessing the app. 
This is a heavily used application, so im trying to understand why i only see one user ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1629215806414.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1629215806414.png" alt="Skipster3111_0-1629215806414.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 17 Aug 2021 15:58:09 GMT Skipster311-1 2021-08-17T15:58:09Z Trying to understand the difference cloud app security <P>Hello</P><P>&nbsp;</P><P>I am trying to understand the difference between adding an application to "cloud app security" by searching "Cloud Discovery" for the app and selecting "Use with conditional access app control" vs. creating a CA policy for the app and selecting "Use conditional Access App control" ?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1629213730943.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1629213730943.png" alt="Skipster3111_0-1629213730943.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_1-1629213839488.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_1-1629213839488.png" alt="Skipster3111_1-1629213839488.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 17 Aug 2021 15:24:24 GMT Skipster311-1 2021-08-17T15:24:24Z Trying to get an app into cloud app discovery <P>Hello</P><P>We use an app called "OfficeSpace" I can see this app in "Cloud Discovery". I am trying to get the app added to "cloud app security" . 
Per the screen shot below , i have selected "use with CA app Control" , however i still dont see the app in cloud app security.&nbsp; Any help is appreciated.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1629213523852.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1629213523852.png" alt="Skipster3111_0-1629213523852.png" /></span></P><P>&nbsp;</P> Tue, 17 Aug 2021 15:20:06 GMT Skipster311-1 2021-08-17T15:20:06Z We are unable to see the discovered apps dashboard details in MCAS console <P>Hello Everyone,</P><P>&nbsp;</P><P>Trust you are all safe and well during this pandemic.</P><P>&nbsp;</P><P>Can somebody please help me to understand why data is not reflecting in the below dashboard?</P><P>&nbsp;</P><P>1.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Maheswararaju_1-1628862686279.png" style="width: 400px;"><img src=";px=400" role="button" title="Maheswararaju_1-1628862686279.png" alt="Maheswararaju_1-1628862686279.png" /></span></P><P>&nbsp;</P><P>Is there any plan to enhance the UI functionalities from MS side and is this part of it?</P><P>&nbsp;</P><P>Looking forward to know this.</P><P>&nbsp;</P><P>Thank you,</P><P>Kind regards,</P><P>Maheswara.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 13 Aug 2021 13:54:37 GMT Maheswararaju 2021-08-13T13:54:37Z Import user group stuck on "Importing" <P>I have tried importing 3 different AAD security groups using the user import functionality in MCAS so I can then build policies based on membership on those groups. However, the groups I have tried importing get stuck in an "Importing" state for several hours, and it one case even past 24 hours. 
I removed the one that never synced and decided to restart the process and selected two other security groups (only 3 accounts each) and it's now been several hours for the one on the bottom.<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HectorPerez_0-1628806127991.png" style="width: 400px;"><img src=";px=400" role="button" title="HectorPerez_0-1628806127991.png" alt="HectorPerez_0-1628806127991.png" /></span></P><P>&nbsp;</P><P>Has anyone had this happen to them or have any idea why this is taking so long?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 Aug 2021 22:19:47 GMT Hector Perez 2021-08-12T22:19:47Z Cloud app catalog <P>Is there a way to export the cloud app catalog?&nbsp; My firm desires we go with a 'deny by default' model for SAAS applications.&nbsp; The intent would be to examine the discovered apps, sanction the most commonly used, and then use this as the basis of a white list, while black listing other SaaS applications using the cloud app catalog as the best source of SaaS we have.&nbsp; As far as I can see, the exportation abilities are only for discovered apps.</P> Wed, 11 Aug 2021 15:21:46 GMT carpa4 2021-08-11T15:21:46Z Cloud app discovery discovered apps. Export users risk score <P>Hello</P><P>I can do an export based on my filter (risk score) but the export is not showing me the uses who are using the apps. How can i get the users exported ?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1628618159651.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1628618159651.png" alt="Skipster3111_0-1628618159651.png" /></span></P><P>&nbsp;</P> Tue, 10 Aug 2021 17:57:09 GMT Skipster311-1 2021-08-10T17:57:09Z Cloud app Security client certificate <P>Hello all, i am following the below article on how to configure cloud app security to work with client certificates. 
I am currently using the demo cert that is called out in the article . The client cert has been added to the user cert store on the local machine, and the root cert was imported into cloud app security.&nbsp;</P><P>I have also tagged the device with "Valid client certificate"&nbsp; in endpoint manager,&nbsp;<BR />(per below)</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1628609764151.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1628609764151.png" alt="Skipster3111_0-1628609764151.png" /></span></P><P>&nbsp;</P><P>However when i do a search for all devices with tag - "Valid client certificate" i get back zero results. Need help understanding why cloud app security is not able to discover the device that i previously tagged ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_1-1628609899390.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_1-1628609899390.png" alt="Skipster3111_1-1628609899390.png" /></span></P><P>&nbsp;</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P> Tue, 10 Aug 2021 15:39:57 GMT Skipster311-1 2021-08-10T15:39:57Z Individual Power Apps Identification from 365 Defender? <P>Hi,</P><P>&nbsp;</P><P>I have configured 365 Defender Settings&gt;Endpoint&gt;Advanced features&gt;Cloud App security.</P><P>&nbsp;</P><P>And cloud app security is being fed from Defender but it has bundled the access to No.5 Canvas Power Apps as one. Is that expected behaviour, is there no way to segregate Power Apps by their App ID?&nbsp;</P><P>&nbsp;</P><P>Thanks, Richard</P> Mon, 09 Aug 2021 14:18:10 GMT Richard Collins 2021-08-09T14:18:10Z Autht cloud app security <P>Hello</P><P>I have setup an authentication context and published it to CA polices. The Authentication Context name is "trusted device". I created the CA policy per below . 
When i log into the application from a non trusted device, and do a copy and or paste, i should be getting prompted from cloud app security to step up authentication, but i dont. Any help is greatly appreciated</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1628283645094.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1628283645094.png" alt="Skipster3111_0-1628283645094.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_1-1628283666847.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_1-1628283666847.png" alt="Skipster3111_1-1628283666847.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_2-1628283691737.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_2-1628283691737.png" alt="Skipster3111_2-1628283691737.png" /></span></P><P>&nbsp;</P><P>In cloud app security i created session policy , category = "Compliance". Below are the settings</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_3-1628283859491.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_3-1628283859491.png" alt="Skipster3111_3-1628283859491.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_4-1628283876846.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_4-1628283876846.png" alt="Skipster3111_4-1628283876846.png" /></span></P><P>&nbsp;</P> Fri, 06 Aug 2021 21:07:24 GMT Skipster311-1 2021-08-06T21:07:24Z adding azure enterprise apps to cloud app security <P>Hello</P><P>&nbsp;</P><P>We have many saml enterprise apps that have been added to Azure enterprise apps. Some of the apps are accessed using a client app that's on the users mobile device. 
When looking at the default message in cloud app security, below its suggesting that the application can only be accessed from a browser. When people see this message , they associate "web browser" with desktop or laptop, not a mobile client app thats on a mobile device. I have tested this and against one of our saml apps "Zendesk" using the mobile client, and everything works, but considering every modern saml app has a mobile app, why would this be the default message ?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1628179486957.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1628179486957.png" alt="Skipster3111_0-1628179486957.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 05 Aug 2021 16:10:22 GMT Skipster311-1 2021-08-05T16:10:22Z Cloud app security non-interactive <P>Does cloud app security detect and log non-interactive sign-on's ? When i look at the azure sign-in logs for a particular user, i can see the non interactive sign-on's, however trying to match this up or corelate this in cloud app security is proving to be difficult</P> Thu, 05 Aug 2021 15:42:35 GMT Skipster311-1 2021-08-05T15:42:35Z SharePoint List Log <P>Hi,</P><P>&nbsp;</P><P>Hoping someone can help me. I have MCAS running on my tenant and I'd like to create a query to report on a specific SharePoint list. The problem I have is when I do a Listviewed search it presents all lists of the SharePoint site collection. 
I have tried to drill down into the detail of each log via the JSON but I cant seen to find any consistency between the List ID and the name of the list.</P><P><BR />Can someone advise what the best way is to create a query to report on user activity for a SharePoint list please.</P><P>&nbsp;</P><P>Regards</P><P>Ben</P> Thu, 05 Aug 2021 15:36:37 GMT Ben123Digitally 2021-08-05T15:36:37Z EIN Regex for DLP <P>We are trying to create a new policy to detect Employer Identification Number (EIN). I'm very new to Regex so I need some help. We've tried the below regex and MCAS is showing me an error of:&nbsp;<SPAN class="ng-scope"><SPAN class="ng-binding">Capturing parenthesis not allowed in regular expression. Does anyone know how to convert the below regex to something without the capturing parentheses? Thanks!</SPAN></SPAN></P><P>&nbsp;</P><DIV>([07][1-7]|1[0-6]|2[0-7]|[35][0-9]|[468][0-8]|9[0-589])-?\d{7}</DIV><P>&nbsp;</P> Tue, 03 Aug 2021 17:36:44 GMT leichang77 2021-08-03T17:36:44Z Query on MCAS Unsanctioned application | Microsoft Live(IT services) <DIV class="votecell post-layout--left"><DIV class="js-voting-container d-flex jc-center fd-column ai-stretch gs4 fc-black-200"><DIV class="js-vote-count flex--item d-flex fd-column ai-center fc-black-500 fs-title"><SPAN><SPAN><SPAN>Recently I received a security Incident on my Microsoft Cloud Application Security(MCAS) portal<SPAN>&nbsp;Data exfiltration to an app that is not sanctioned<SPAN>&nbsp;<SPAN>When I drilled down, I found Microsoft Live application<SPAN>&nbsp;</SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN><DIV class="postcell post-layout--right"><DIV class="s-prose js-post-body"><P>&nbsp;</P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Deepanshu_Marwah_0-1627957604122.png" style="width: 400px;"><img src=";px=400" role="button" title="Deepanshu_Marwah_0-1627957604122.png" alt="Deepanshu_Marwah_0-1627957604122.png" /></span><P>&nbsp;</P><P><IMG border="0" /></P><DIV 
class="mceNonEditable lia-copypaste-placeholder">&nbsp;<P><IMG border="0" /></P><P>Can anyone help me understand what is this application and why its showing data exfiltration incident?</P></DIV><P>&nbsp;</P><P>Also posted this query on&nbsp;<A href="#" target="_blank">azure - Query on MCAS Unsanctioned application | Microsoft Live(IT services) - Stack Overflow</A></P></DIV></DIV></DIV></DIV></DIV> Tue, 03 Aug 2021 02:27:49 GMT Deepanshu_Marwah 2021-08-03T02:27:49Z Conditional access app control differences <P>Hello</P><P>&nbsp;</P><P>I have a bunch of saml enterprise apps that have been added to Azure enterprise applications. Azure is the IDP for&nbsp; these apps. If i create a CA policy and add for example the "Docusign" app to "Use Conditional access app control" and select "Monitor" , after logging into the app i can now see the app in "Connected apps" in cloud app security. My question is what is the difference between adding "Docusign" using the wizard below vs. adding the app using a CA policy ?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1627942520576.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1627942520576.png" alt="Skipster3111_0-1627942520576.png" /></span></P><P>&nbsp;</P> Mon, 02 Aug 2021 22:17:16 GMT Skipster311-1 2021-08-02T22:17:16Z Hunting query cloud app security score 1 to 3 users <P>Hello all</P><P>Can Advanced hunting be used to discover all cloud apps with a score between 1 and 3 and show me the users who are using each app?&nbsp;</P> Mon, 02 Aug 2021 21:20:33 GMT Skipster311-1 2021-08-02T21:20:33Z Conditional access app control vs. Conditional access <P>Hello all</P><P>&nbsp;</P><P>I'm trying to understand when i would use one vs. the other? 
On the surface it looks like "Conditional access app control" is used when i want to redirect my 3rd party saml apps to MCAS, and "Conditional access" in cloud app security only applies to the built in O365 apps ? Is this correct ?</P> Mon, 02 Aug 2021 15:22:35 GMT Skipster311-1 2021-08-02T15:22:35Z App Discovery - application criteria <P>Does anyone know if there is documented criteria that defines an application in the context of Cloud App Discovery - i.e. what criteria does the app have to meet to be defined as an app, that in turn means it shows up in the discovered apps list?</P><P>&nbsp;</P><P>An example of why I ask. I tested uploading data to Datto Workspace and within a few hours, Datto Workspace shows up as a new discovered app. I've then setup 'Synology Drive' on my NAS at home, which has a public DNS record, uses TLS and is arguably no different to Datto Workspace in the sense that I can logon and upload data. The difference is, this has not shown up as a discovered app in MCAS. MCAS has no record of the 6GB of test data that I uploaded to the NAS..</P><P>&nbsp;</P><P>Keen for any thoughts/advice.</P><P>&nbsp;</P><P>Thanks</P><P>Darren</P> Thu, 29 Jul 2021 00:27:40 GMT Darren_Bennett 2021-07-29T00:27:40Z OAuth apps permissions <P>Hello, is there a list of all possible permissions that can be detected in OAuth applications?</P><P>I can't find it in documentation and I think it would be very interesting to analyze the applications.</P><P>&nbsp;</P><P>Thank you and regards.</P> Wed, 28 Jul 2021 06:57:27 GMT smroci3 2021-07-28T06:57:27Z transfer MCAS settings from tenant to tenant and bulk set alert with email on policies <P>I work for a managed IT services provider and we already have a set of policies we choose to enable for email alerts and a few we create, set for email alerts and remediation based on the templates provided out of the box.</P><P>With every new client, I have to configure this from scratch which is quite time consuming. 
So my questions are:</P><P>1. Is there a way to bulk select policies and configure alert with email? similar to how you manage email accounts; you can bulk edit to add contact information.&nbsp;</P><P>2. Even better, is there a way to export the MCAS settings from one tenant and import it to another tenant?&nbsp;</P><P>&nbsp;</P><P>MCAS is a great tool but with more out of the box policies and templates being added, it's becoming very time consuming to click on each policy and configure. Hope the above options are available but I'm just not aware of it</P> Sun, 18 Jul 2021 04:31:29 GMT lastsight2000 2021-07-18T04:31:29Z XYZ files are marked as potential ransomware <P>We get a steady stream of alerts from users uploading files with .xyz extensions to M365. The majority of these we see are used by a software called matlab.</P><P>&nbsp;</P><P>Is there a way to not mark these files as potential ransomware? I understand there is a ransomware variant that uses the same file extension but we've never seen an instance where this alert is a true positive and we've has many false positives related to this specific extension and alert.&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Thu, 15 Jul 2021 18:20:24 GMT Michael_Perrin 2021-07-15T18:20:24Z Block upload of documents to other office 365 tenant <P>I wish to block upload of documents to Other Office 365 tenant on a managed device?</P><P>&nbsp;</P><P>Can this be achieved using MCAS</P> Thu, 15 Jul 2021 05:17:46 GMT krishnasembee 2021-07-15T05:17:46Z Alerts badge count not updating when closing alerts <P>Does the Open alerts badge count not update for others too when closing alerts?</P><P>Unless I do page refresh, the total number of alerts from when first started closing alerts does not update dynamically</P> Fri, 09 Jul 2021 06:44:10 GMT Gil Blumberg 2021-07-09T06:44:10Z How to get Sharepoint online into Conditional Access app Control <P>Hello</P><P>&nbsp;</P><P>What are the steps to add sharepoint online into&nbsp; Conditional 
Access app Control ? When i add a new app then search for Sharepoint i get the message below. When i click on the "start wizard" its asking me for saml xml data. Is this the proper way to add SharePoint online to&nbsp;Conditional Access app Control ?&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1625769056111.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1625769056111.png" alt="Skipster3111_0-1625769056111.png" /></span></P><P>&nbsp;</P> Thu, 08 Jul 2021 18:31:58 GMT Skipster311-1 2021-07-08T18:31:58Z Conditional Access app control <P>I have configured a CA policy to use a custom policy for CA app control. When i navigate to cloud app security and "Conditional Access App Control apps" and add an app, i search for Sharepoint. I then receive the message below. When i click "start wizard" its asking for a metadata file. Does this feature not work with O365 applications like SharePoint and Exchange online ? Also if i navigate to polices in MCAS, click on "Conditional access" and create a new session policy i receive the below message. Its asking me to first create CA app control , but as i previously mentioned its asking me for metadata file, but im trying to protect sharepoint online. 
Very confused here.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1625700867326.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_0-1625700867326.png" alt="Skipster3111_0-1625700867326.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_1-1625701066958.png" style="width: 400px;"><img src=";px=400" role="button" title="Skipster3111_1-1625701066958.png" alt="Skipster3111_1-1625701066958.png" /></span></P><P>&nbsp;</P> Wed, 07 Jul 2021 23:39:45 GMT Skipster311-1 2021-07-07T23:39:45Z Malware policy. How it works? <P>Hi, we would like to enable the Malware Detection Policy in MCAS but we don't really know how it works.</P><P>- Does&nbsp; this malware detection policy quarantine files by default when they are detected as a potential malicious file or only create an alert?</P><P>&nbsp;- What does the "File Sandboxing" option mean?</P><P>&nbsp;</P><P>Can you help us, please?</P><P>&nbsp;</P><P>Thanks in advance and regards.</P><P>&nbsp;</P><P>Have a good day.</P><P>&nbsp;</P> Wed, 07 Jul 2021 11:37:22 GMT smroci3 2021-07-07T11:37:22Z Exclude Users or Devices <P>Hello Community Members,</P><P>&nbsp;</P><P>we have some unsanctioned apps in MCAS and created a service user which still should have access to those domains.</P><P>&nbsp;</P><P>Is it possible to exclude users or devices so that they won't be blocked when accessing the domains?</P><P>&nbsp;</P><P>Thanks in advance :)</P> Tue, 06 Jul 2021 14:20:15 GMT infamous2021 2021-07-06T14:20:15Z MCAS keep triggering alerts for a whitelisted IP <P>We have the impossible travel alert policy in place. We get some users occasionally connecting from other countries for legitimate reasons (i.e. VPN/Cross country Apps etc.). 
We have whitelisted these IP's (all the IP are static) as corporate but the policy keeps triggering. The alerts shows the whitelisted IP.</P><P>The whitelist is performed in the "IP address ranges" from MCAS. Has anyone experienced this issue?&nbsp;</P><P>&nbsp;</P><P>Appreciate any insights on this. Thank you!</P> Mon, 05 Jul 2021 01:43:43 GMT Manoj Karunarathne 2021-07-05T01:43:43Z PnP Management Shell Banned <P>When I try to allow the PnP Management Shell oauth app it keeps automatically reverting to banned. Does anyone know why this would be happening or what I need to do to allow this app?</P> Fri, 02 Jul 2021 20:04:25 GMT Dean Gross 2021-07-02T20:04:25Z Requested Scope Not Present in Access Token scp Claim <P>TL,DR version:</P><UL><LI>I have an Azure AD app registration for a UI configured with permission to request an API scope from another app registration.</LI><LI>The UI app is correctly requesting the API scope and the scope is present in the consent UI presented to the user.</LI><LI>The scp claim does not contain the API scope even though it was authorized.</LI><LI>Is this expected behavior?</LI></UL><P>Hello all. I have a pretty extensive background in leveraging OAuth 2.0 and OIDC for authorization and authentication management. However, I'm just breaking into the Azure implementation of these concepts, and I'm finding myself a little confused by some of the specifics. My goal is to use Azure AD app registrations to secure the interaction between a UI and the API it consumes. Historically, I'm used to defining a scope, granting my UI client permission to request that scope from my IdP, and demanding on the API side that the scope claim be present in an access token to authorize access to that API.</P><P>&nbsp;</P><P>I've defined an app registration for my API, as well as defined an "all access" scope for it under the <STRONG>Expose an API</STRONG> blade. 
I've also defined an app registration for my UI and requested that scope under the <STRONG>API Permissions</STRONG> blade. I've created the UI client app and added the fully qualified scope name (something like api:// to the requested scopes for the authorize request to be made using the MSAL. When logging in, my user is presented with the consent UI, and the API scope and app are listed as part of the requested permissions. When monitoring the request in my browser network tab, the <STRONG>scope</STRONG>&nbsp;form data element includes the expected value, something like:</P><P>&nbsp;</P><LI-CODE lang="markdown">scope: User.Read api:// openid profile offline_access</LI-CODE><P>&nbsp;</P><P>This is what I would expect if I wanted to request API scope access, MS Graph access, and user profile information from Azure AD, all appropriate for my goals. However, when checking the access token returned from the request, the <STRONG>scp</STRONG> claim only includes the following:</P><P>&nbsp;</P><LI-CODE lang="json">{ ... "scp": "openid profile User.Read email" ... }</LI-CODE><P>&nbsp;</P><P>I'm a little confused by the results here, because if I'm requesting access to a resource scope, my expectation is that the resource should be able to verify the access token presented contains the required scope for access. Is there some reason the app registration's resource principal is cut out of the list here? Am I misunderstanding the access model intended with these app registrations? Or did I just mess up my configuration somewhere?<BR /><BR /><STRONG>EDIT:</STRONG></P><P>It appears, after some testing, that the order in which I request scopes in MSAL determines the output of the access token. It would seem that I cannot request Microsoft Graph API scopes at the same time as one of my app registration API scopes, and the first requested scope defines what else is included in the token. Is my understanding correct, and is this expected? 
I can imagine some of the reasons why this is so, but could use validation.</P> Tue, 29 Jun 2021 18:57:03 GMT LSuarez5280 2021-06-29T18:57:03Z IP Location info <P>When I look at the activity log, MCAS is showing that I'm performing activities from an IP address in Ireland, when I'm actually in North Carolina, using my company VPN at a location in the US Southeast. Can someone help me understand what is going on and how the location could be so wrong?</P><P>&nbsp;</P><P>Upon further investigation, it looks like the action I performed (closing a ticket) was actually done by a service in Azure, which occurred in an Ireland data center, which is even more confusing, because our Azure tenant is located in East US and MCAS is in the US3 data center in West US 2 region.&nbsp; So now I have another mystery. Any ideas would be appreciated.</P> Sat, 26 Jun 2021 16:51:21 GMT Dean Gross 2021-06-26T16:51:21Z OAuth App confusion <P>My colleague added an app, and we got the following alert,&nbsp;</P><P><SPAN>The user xxx ( performed an unusual addition of credentials to Prisma Cloud App gctvc. This usage pattern may indicate that an attacker has compromised the app, and is using it for phishing, exfiltration, or lateral movement. The user added a credentials of type Password, where an application is using a password to authenticate.</SPAN></P><P><SPAN>When I look at the Oauth apps page in MCAS, I don't see this app, but when I look in AAD, I do. Can someone help me understand what is going on?</SPAN></P><P>&nbsp;</P> Sat, 26 Jun 2021 16:38:24 GMT Dean Gross 2021-06-26T16:38:24Z Lag in Cloud App Security <P>Does anyone else notice/experience a lag in the logging within Microsoft Cloud App Security? It's more noticeable with connections to other cloud services but even processing rules around revoking rights to for example files flagged as sensitive seems to take longer than what I would describe as acceptable to process (so more than 30 minutes). 
As a small team, ideally we would like to trust the reporting and actions that this product generates and takes but it just doesn't seem to be consistent.&nbsp;</P> Wed, 23 Jun 2021 11:33:09 GMT lukem175 2021-06-23T11:33:09Z All of a Sudden receiving Error downloading MS files on Outlook online via Chrome <P>Hi,</P><P>&nbsp;</P><P>I work for a large corporation and have been using MS online apps to conduct business for over a year and a half on a Chrome browser.&nbsp;</P><P>&nbsp;</P><P>All of a sudden, about three weeks ago, I am getting an error message when I try to download any MS file (Word, PPT, Excel), even from internal employees. I can download .jpgs just fine. I tried downloading on Microsoft Edge and it's working fine, so it appears to be an issue with Chrome specifically and Microsoft Cloud Security.&nbsp;</P><P>&nbsp;</P><P>This is the error:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cloud security error.png" style="width: 813px;"><img src=";px=999" role="button" title="cloud security error.png" alt="cloud security error.png" /></span></P><P>&nbsp;</P><P>I have tried working with IT to find a solution but to no avail.&nbsp;</P><P>&nbsp;</P><P>Can anyone help?</P> Tue, 22 Jun 2021 14:40:18 GMT lindsayS_TR 2021-06-22T14:40:18Z App Discovery <P>Is there a way we can integrate&nbsp;Mimecast Web Security/DNS Based Web Filtering or Crowd Strike EDR with Microsoft Cloud App Security for discovering applications like we have the integration with Microsoft Defender and Firewall solutions.</P><P>&nbsp;</P><P>Lets say a user is connected to home network (without connecting VPN), so how to discover the applications in this case if Microsoft Defender is not being used.</P> Mon, 21 Jun 2021 13:17:45 GMT AnuragSrivastava 2021-06-21T13:17:45Z Identity security posture doesn't refresh data <P>Hello,</P><P>we are working to remediate security risk highlighted by Cloud App Security Identity Posture, in particular Unsecure 
Kerberos Delegation and Unsecure Account Attributes.</P><P>We remediated the user and computer accounts shown in this report more than one week ago, but the date continues to be the same.</P><P>In one case we completely removed the user account marked as unsecure due to unconstrained Kerberos delegation, but the report continues to show this account and does not remove the security issue.</P><P>&nbsp;</P><P>Any suggestion on the resolution of this point?</P><P>thanks in advance</P><P>Donato</P> Fri, 18 Jun 2021 07:24:39 GMT DonatoL 2021-06-18T07:24:39Z Information about Leaked Credentials <P><SPAN>I have been trying to implement leaked credentials. I pasted a user's content on dark web sites such as but no alerts have been generated yet. Is there any way to get more information about Leaked Credentials alerts that have been triggered? I am not able to see any alert on Risky Users as well as Leaked Alert Policy on Cloud App Security. Please let me know what I am doing wrong here and how I can test leaked credentials for one of my users.</SPAN></P> Wed, 16 Jun 2021 12:13:42 GMT RaghavJain 2021-06-16T12:13:42Z MCAS and Salesforce - Do we need SF shield ? <P>Hi,</P><P>We asked Microsoft and Salesforce if the SF shield licenses were a requirement to improve monitoring, neither were able to respond so I'm reaching out to the community.</P><P>We have connected our SF instance to MCAS following the available documentation. We had to do some tinkering to bypass having to use a Sysadmin profile. 
SF shows up as connected and we get the users correlation between Azure/O365/MCAS and SF plus some login/logout events.</P><P>Now we don't get a lot of data/alerts from Salesforce, will this be improved by adding the extended event monitoring provided by SF shield ?</P><P>&nbsp;</P><P>Thanks for any experiences and feedback,</P><P>&nbsp;</P><P>Robert</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Jun 2021 12:15:12 GMT rvonbism71 2021-06-16T12:15:12Z [SOLVED] MCAS - External User Added Policy/Alert Question in Teams <P>Hi,</P><P>&nbsp;</P><P>we have the "External user added (Teams)" policy enabled in MCAS. Alerts are properly triggered for this policy but the information are not useful as we don't see the information about the user (email, IP, ...) who added the external user.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="mcas-teams.jpg" style="width: 999px;"><img src=";px=999" role="button" title="mcas-teams.jpg" alt="mcas-teams.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Is there a setting that needs to be enabled to see that information?</P><P>&nbsp;</P><P>Thanks,</P><P>Andre</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 23 Jun 2021 18:25:43 GMT amueller-tf 2021-06-23T18:25:43Z Pearson Vue - Video Upload to Google? <DIV>Hi,</DIV><DIV>&nbsp;</DIV><DIV>Does any of you know if a Microsoft online exam run by Pearson VUE uploads the recorded video of the participant to a Google server?</DIV><DIV>I am asking because we received an alert in MCAS that around 500MB of data were uploaded to a Google server by a user that was participating in a Microsoft exam that lasted about an hour.</DIV><DIV>&nbsp;</DIV><DIV>Thanks,</DIV><DIV>Andre</DIV> Fri, 11 Jun 2021 10:39:41 GMT amueller-tf 2021-06-11T10:39:41Z Box Integration with MCAS <P>Hi There,</P><P>&nbsp;</P><P>I am trying to detect Sensitive Information Types&nbsp; - SSN - shared in Box.</P><P>If the SSN is shared in a file, MCAS DLP matches it. 
Great.</P><P>If the SSN is shared in a chat in BOX, MCAS DLP doesn't match it.</P><P>&nbsp;</P><P>&nbsp;</P><P>How can I prevent sharing of SSN in BOX chat?</P> Mon, 14 Jun 2021 11:48:55 GMT arewatunde 2021-06-14T11:48:55Z Identifying Privileged Accounts <P>MCAS alerts include a "Privileged Accounts" category. How does it determine which accounts are privileged? How can we ensure that the appropriate accounts are considered?</P> Thu, 10 Jun 2021 15:05:07 GMT Dean Gross 2021-06-10T15:05:07Z Use of User Agent String <P>I noticed that when I see an alert it shows the user agent string, but this technique is no longer recommended by MS, see&nbsp;<A href="#" target="_blank">How to detect Microsoft Edge in your website - Microsoft Edge Development | Microsoft Docs</A>.&nbsp;</P><P>&nbsp;</P><P>Does the MCAS team have any plans to implement User Agent client hints?</P> Thu, 10 Jun 2021 15:02:53 GMT Dean Gross 2021-06-10T15:02:53Z Suspicious Session Detected - Azure Security in Question. <P>Daily, I receive notifications on suspicious sessions that were detected in our organization. What is concerning is that often some of these accounts were recently created.&nbsp; &nbsp;I have MFA enabled and conditional access, so the suspicious activity of itself is not concerning (they are all denied).&nbsp; What is concerning is how are people (hackers/bots/etc.) getting these accounts and attempting access? Especially accounts that are recently created. There have been times that an account had this notification and was just created within days.&nbsp; &nbsp;In the old days, that would be a flag that a port is open that was allowing access to listing user accounts but in Azure, one would think that is not the case. 
Is there something I need to tighten up to prevent these?&nbsp;</P><P>&nbsp;</P> Tue, 08 Jun 2021 13:25:50 GMT Jeff Harlow 2021-06-08T13:25:50Z MCAS alert ID for Unusual Addition of Credentials to Oauth App <P>Does anybody know how to identify alerts in Log Analytics that are triggered under the policy "Unusual Addition of Credentials to an Oauth App"? I suspect it falls under ALERT_SUSPICIOUS_ACTIVITY. But how to identify this specific alert?</P><P>&nbsp;</P> Mon, 07 Jun 2021 07:26:43 GMT yyydb 2021-06-07T07:26:43Z Using end-points from mcas-siemagent-0.111.126-signed.jar <P>I’ve been using mcas-siemagent-0.111.126-signed.jar file to retrieve logs from my cloud services. I’ve been saving the logs to a local directory and while looking at them I’ve noticed two interesting endpoints:</P><UL><LI>Executing request GET /api/v1/agents/siem/consume/</LI><LI>Executing request GET /api/v1/agents/siem/get_data/?{some cursor related data}</LI></UL><P>Is there any way of getting the logs information using those end points, without using the .jar?</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 06 Jun 2021 13:36:17 GMT dk12321 2021-06-06T13:36:17Z Uploading Palo Alto firewall logs to MCAS and Sentinel <P>Hi,</P><P>&nbsp;</P><P>I'm investigating the best way to get our Palo Alto firewall logs into MCAS and Sentinel. 
My present understanding is two different log collector methods would be required in parallel.</P><P>&nbsp;</P><P>- MCAS - Log collector running in Docker</P><P>- Sentinel - Syslog server with the OMA agent installed</P><P>&nbsp;</P><P>As the documentation indicates MCAS processing is every 24 hours, I'm assuming the PA firewall logs cannot be passed over to Sentinel on the MCAS connector.</P><P>&nbsp;</P><P>Is it possible to run the docker log collector and the syslog via OMA on the same host if it has a high enough specification to take the load?</P> Fri, 04 Jun 2021 18:03:28 GMT MikeP75 2021-06-04T18:03:28Z MCAS Log Collector on RHEL not receiving logs <P>Hi, I'm in the process of deploying a new log collector on RHEL 7. I've configured it in the MCAS portal and deployed the docker container, and I can see it as connected in the console with no data received.</P><P>&nbsp;</P><P>Now I've forwarded the logs to the server and I can see them if I run a tcpdump on the RHEL host, but I'm not seeing anything in the container. <EM>/var/adallom/syslog/rotated/514/</EM> only contains the <EM>config.json</EM> file and <EM>/var/adallom/discoverylogsbackup</EM> is empty</P><P>&nbsp;</P><P>Is there a way I can see if the container is receiving the messages and why it's not processing them?</P> Fri, 04 Jun 2021 09:47:56 GMT SimonR 2021-06-04T09:47:56Z Alerts generated in CASB seems to have delays of 12 hours <P>Hi there,</P><P>&nbsp;</P><P>The alerts generated in CASB for suspicious activities seem to have nearly 12 hours delay. Usually those alerts would be generated in near real time. 
But yesterday we experienced such a delay.&nbsp;</P><P>For example: for an activity at 9am in the morning the alert was generated at 9pm.&nbsp;</P><P>&nbsp;</P><P>Was there a glitch in CASB?&nbsp;&nbsp;</P> Thu, 03 Jun 2021 10:41:54 GMT K_pratiksha 2021-06-03T10:41:54Z Unsanctioning apps impact in Teams <P>Does unsanctioning/blocking an app in MCAS have any impact on apps in Teams?</P> Tue, 01 Jun 2021 12:29:04 GMT Dean Gross 2021-06-01T12:29:04Z Network mapping reconnaissance (DNS) <P>Hi everybody,&nbsp;</P><P>I get a warning in MCAS "Network mapping reconnaissance (DNS)" because of my Vulnerability Scanner. I want to get notified like in every alert rule in MCAS. But I can't find where I can edit the default behavior anomaly policy. How can I get notified when this warning occurs?&nbsp;</P><P>Thanks</P><P>Regards</P><P>Sebastian</P> Thu, 27 May 2021 12:18:27 GMT msmotto21 2021-05-27T12:18:27Z Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365 <P>Hello,</P><P data-unlink="true">we would like to adjust&nbsp;<SPAN>phishing thresholds from <STRONG>Standard</STRONG>(1) to <STRONG>Aggressive</STRONG>(2). Based on documentation from <A href="#" target="_self">here</A>&nbsp;we can read:<BR /></SPAN></P><UL><LI><P><STRONG>2 - Aggressive</STRONG>: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.</P></LI></UL><P>The question is how the&nbsp;degree of confidence is calculated, and where we can find what action will be taken (how the email will be treated) for each degree?</P><P data-unlink="true"><SPAN><BR /><BR /></SPAN></P> Wed, 26 May 2021 18:47:35 GMT Rberlinski 2021-05-26T18:47:35Z Understanding alert Password Spray in MCAS with details <P>Hello, we are facing an alert in our MCAS "Risky sign-in: password spray". 
There is one activity associated with that after clicking on this alert:<BR /><STRONG>Description:</STRONG> Failed log on (Failure message: Strong authentication is required.)<BR /><STRONG>Type:</STRONG> (in app): Login:login<BR /><STRONG>User:</STRONG> (our user)<BR /><STRONG>IP address:</STRONG> some remote IP</P><P><BR />I have read about this here: <A href="" target="_blank"></A></P><P><BR />But my question is what does it mean in detail?&nbsp;<BR />- Our user from the activity performed a spray attack?<BR />- The IP address from the activity alert performed a spray attack?<BR />- Our user was hit by a spray attack that came from the IP address from the activity alert?</P><P><BR />Basically looking for a way of investigating this.</P> Wed, 26 May 2021 18:11:48 GMT Rberlinski 2021-05-26T18:11:48Z Investigation priority score increase (Preview) alert <P>Hi&nbsp;</P><P>&nbsp;</P><P>Today we started receiving the above alert in CAS. Appreciate it's preview but the contents of the alert made me sit up!&nbsp;&nbsp;</P><P>&nbsp;</P><P>Description: "<SPAN><STRONG>ACCOUNTNAME</STRONG></SPAN>"&nbsp;<SPAN>investigation priority score has increased from 0 to 208 in 13 hours, higher than 99% of other scored users.&nbsp;<img class="lia-deferred-image lia-image-emoji" src="" alt=":suprised:" title=":suprised:" /></SPAN></P><P>&nbsp;</P><P><SPAN>Each event that formed part of this alert gave a +8 score on the following action : </SPAN></P><P><SPAN>Resource access:&nbsp;Device&nbsp;<STRONG>DEVICENAME</STRONG>, property&nbsp;<STRONG>Spns</STRONG>&nbsp;<STRONG>cifs/</STRONG></SPAN></P><P><SPAN><STRONG>SourcePort: Various</STRONG></SPAN></P><P><SPAN><STRONG>DestinationPort: 88</STRONG></SPAN></P><P>&nbsp;</P><P>The account in question being the ATP service account, and the activity on 61 different devices, the source being a DC..&nbsp;<img class="lia-deferred-image lia-image-emoji" src="" alt=":sad:" title=":sad:" /></P><P>Has anyone else seen this? 
It looks dodgy as hell this suddenly being logged and not knowing what the activity means. Is this expected activity for ATP service?&nbsp;</P><P>&nbsp;</P><P>Thanks in advance for your response!</P> Wed, 26 May 2021 16:47:23 GMT Christo De Lange 2021-05-26T16:47:23Z MCAS: Internet traffic log parsing query <P>Hello Team,</P><P>&nbsp;</P><P>Good day to you!</P><P>&nbsp;</P><P>Is the internet traffic log sent to the Log collector parsed in the Log collector, or is it parsed in the MCAS portal?</P><P>&nbsp;</P><P>Thanks &amp; Regards,</P><P>Swapnil</P> Wed, 26 May 2021 13:32:17 GMT Swapnil_Kirve 2021-05-26T13:32:17Z About the Cloud App Security file list <P>Please tell me how to get the list under [Investigate] - [Files] in Cloud App Security.</P><P>To prepare for getting the file list, I have already made the following settings.</P><P>・Connected Office365 under Connect apps</P><P>・Checked Enable file monitoring under [Settings] - [Files]</P><P>After making the above settings, I tried creating and editing a Word document in OfficeOnline and uploading files to and downloading files from OneDrive, but nothing is displayed in the file list.</P><P>&nbsp;</P><P>Could you please advise what settings or operations are needed besides the above?</P><P>Thank you very much in advance.</P> Wed, 26 May 2021 06:50:35 GMT v-kkusunokiBBS 2021-05-26T06:50:35Z About tokens generated in Cloud App Security <P>Please advise on the following points.</P><P>・About tokens generated in the Cloud App Security portal.</P><P> 1. What is the minimum role required for the user who generates the token?</P><P> 2. Is a generated token valid indefinitely?</P><P>I would appreciate your reply.</P><P>Thank you very much in advance.</P><P>&nbsp;</P> Tue, 25 May 2021 15:47:38 GMT v-kkusunoki 2021-05-25T15:47:38Z MCAS BigID DLP integration <P>Hi Team,</P><P>&nbsp;</P><P>We are currently working on a project where our customer has BigID implemented for DLP and data classification. In MCAS, we can use built-in DLP or M365 Data classification services as part of session policy, file policy etc. 
Would like to know if MCAS can be integrated with BigID as an external DLP provider to perform the data classification during evaluation of session policy, file policy in MCAS?</P><P>&nbsp;</P><P>So far, we just found that BigID integrates with MIP through this link:&nbsp;<A href="#" target="_blank"></A>&nbsp;</P><P>but need to understand whether we can leverage BigID in MCAS?</P><P>&nbsp;</P><P>regards,</P><P>Subhajit</P> Fri, 21 May 2021 05:10:24 GMT subhajitdey01 2021-05-21T05:10:24Z Delayed MCAS Policy Scanning in Box <P>We have integrated Box and MCAS. We have noticed that MCAS policies are applied at different time intervals and not close to Near Real Time. Fastest policy alert is 5 hours and up to a few days. This policy is directed to be applied to one folder in Box. We tested this policy in SharePoint and it was successful in identifying and labeling the files within an hour. Does anyone know how the policies are applied from MCAS to Box? and if there is a setting that I need to turn on to speed up the file scan in Box.</P> Mon, 17 May 2021 16:32:57 GMT leichang77 2021-05-17T16:32:57Z MCAS API token error - "the owner of this token is not permitted to use tokens" <P>Hi All,</P><P>&nbsp;</P><P>We trying to use MCAS API to upload Discovery log for one of the data source configured in the tenant. 
As steps provided in the <A href="#" target="_self">document</A>, we are trying to initialize file upload using below API call:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="bash">curl -XGET -H "Authorization:Token &lt;your_token_key&gt;" "https://&lt;tenant_id&gt;.&lt;tenant_region&gt;;source=GENERIC_CEF"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Even though API token is generated by a Global administrator in Azure AD, still it shows error as:&nbsp;</P><P><FONT color="#FF0000">{"detail":"Invalid user - the owner of this token is not permitted to use tokens"}</FONT></P><P>&nbsp;</P><P>Can you please help me debug this issue?</P><P>&nbsp;</P><P>regards,</P><P>Subhajit</P> Thu, 13 May 2021 13:18:19 GMT subhajitdey01 2021-05-13T13:18:19Z CAS / MIP / DLP Secure Whatsapp session <P>Hello guys,</P><P>&nbsp;</P><P>I am looking for a way to enable users from my company to use whatsapp web and control the session using CAS, MIP and DLP to prevent data exfiltration, is there a way to do that?<BR /><BR />I'm new to those solutions and wasn't able to find any documentation about that.</P><P>&nbsp;</P><P>thanks a lot!</P> Thu, 13 May 2021 00:50:27 GMT pradocn 2021-05-13T00:50:27Z Allow only Outlook desktop app to exchange online <P>Hi all,</P><P>We are looking for ways to get more control for accessing Exchange online from a BYOD device.</P><P>No user can connect from Windows and MacOS with any type of client.</P><P>&nbsp;</P><P>Is it possible with MCAS to block all other mail desktop clients and only allow Outlook desktop?<BR />Can this be done with MCAS? Or do I need another Microsoft 365 solution?</P><P>&nbsp;</P><P>Thanks for the help and information<BR />kind regards</P><P>Finn</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 07 May 2021 07:36:07 GMT Finn_Hollesund 2021-05-07T07:36:07Z How do you investigate non-sanctioned apps? <P>While MCAS is great for Cloud Discovery and enforcing policy, how do you go about sanctioning/unsanctioning apps appropriately? 
One of the pain-points we're facing is that while it may say user x uploaded 50mb to app hosting provider 5, we don't know what actual URLs/web-apps are tied to hosting provider 5. When you look at an application in MCAS, you get the general URLs for the application... i.e. This doesn't help understand what URLs the user is hitting though, which could be legitimate sites, that we may then block incidentally, because we don't have the underlying information.</P><P>&nbsp;</P><P>Am I wrong? Can someone help me understand their process for investigating these alerts and/or sanctioning/unsanctioning apps?</P> Tue, 04 May 2021 17:19:54 GMT amileikowsky 2021-05-04T17:19:54Z Strange activity for Discovered apps in MCAS <P>Hi,&nbsp;</P><P>we are seeing some strange activity through MCAS on applications that users confirmed they have not logged into using company devices.&nbsp;</P><P>SnapChat is showing as having a peak of transactions/uploads on a specific day for several users (2 incidents attached) but both confirm they have not used the application - especially as the time frame appears to be late on a Friday night.&nbsp;</P><P>What is generating this traffic? It is concerning MCAS can be so far off the mark and definitely leads to trust/integrity issues with the data!&nbsp;</P> Tue, 04 May 2021 04:30:39 GMT JasminBrainWoodside 2021-05-04T04:30:39Z Please fine tune alerting - CLOUD APP SECURITY <P>Description<BR />The user manipulated 61 files with multiple extensions ending with the uncommon extension pobierz. This is an unusual number of file manipulations and is indicative of a potential ransomware attack.</P><P><BR />This is not a ransomware extension.<BR />It's a FP.</P><P>pobierz (Polish word) means download (English)</P><P>Please tune it out from alerting immediately.</P> Thu, 29 Apr 2021 09:40:55 GMT tpawlina 2021-04-29T09:40:55Z Can we import user groups from discovered applications as well? 
<P>Hi All,</P><P>&nbsp;</P><P>As I didn't have real time hands-on experience can somebody please help me to understand my below query.</P><P>&nbsp;</P><P>I understand once we enable MCAS integration with defender ATP, all applications will discovered and eventually list of users, associated IP details will be reflected in the dashboard. However to <STRONG>specifically import groups by going into settings option from MCAS, do we have to connect apps by using API connectors? without having app connector integration can we able to import the user groups into MCAS.</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P>Note:- I understand&nbsp;<SPAN>Automatic groups are created by default by Microsoft Cloud App Security. But are these automatic groups as part of discovery?</SPAN></P><P>&nbsp;</P><P>Looking forward to hearing from some great minds!!</P><P>&nbsp;</P><P>Thank you,</P><P>Mahesh.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Apr 2021 13:54:55 GMT maheshcapj 2021-04-28T13:54:55Z AIP policies in MCAS <P><SPAN>Hi,&nbsp;</SPAN></P><P><SPAN>I have just started to configure MCAS policies in our company and wondering if you have any reference document about what policies should be configured as a security baseline for information protection.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>BR,&nbsp;</SPAN></P><P><SPAN>Rizwan&nbsp;</SPAN></P> Wed, 28 Apr 2021 13:49:33 GMT RizwanAli 2021-04-28T13:49:33Z MCAS outdated browser for Linux OS <P>I cannot find a way to stop alerts when a user is using an outdated browser from a Linux OS. I support many overseas users and I believe they are running Linux on a vm and accessing company data via a web browser. I have looked in the activity policy in MCAS for the alert, but cannot find a way to skip over the Linux OS. 
There are options for Device, but nothing for the OS.</P><P>&nbsp;</P><P>Thanks</P> Tue, 27 Apr 2021 20:25:05 GMT superunknown0305 2021-04-27T20:25:05Z MCAS, Okta and Salesforce - Conditional Access <P>Hello MCAS Team,</P><P>&nbsp;</P><P>I have problem with connection between MCAS, Okta and Salesforce.&nbsp;I did all steps from documentation (<A href="#" target="_blank" rel="noopener"></A>) but it doesn't work. I created custom application in Okta (for Salesforce) and SAML Single Sign-On configuration in Salesforce (for MCAS and Okta). At the end I have status:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M_Nowak_0-1619194502194.png" style="width: 373px;"><img src="" width="373" height="56" role="button" title="M_Nowak_0-1619194502194.png" alt="M_Nowak_0-1619194502194.png" /></span></P><P>When I try to login to Salesforce I see this information:&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M_Nowak_1-1619194570660.png" style="width: 263px;"><img src="" width="263" height="137" role="button" title="M_Nowak_1-1619194570660.png" alt="M_Nowak_1-1619194570660.png" /></span></P><P>&nbsp;</P><P>But when I click "Continue to Salesforce" I can't access to Salesforce. I see:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M_Nowak_2-1619194596446.png" style="width: 255px;"><img src="" width="255" height="179" role="button" title="M_Nowak_2-1619194596446.png" alt="M_Nowak_2-1619194596446.png" /></span></P><P>In MCAS I see logs about this activity (so I think that this connection should work):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M_Nowak_5-1619194843912.png" style="width: 400px;"><img src=";px=400" role="button" title="M_Nowak_5-1619194843912.png" alt="M_Nowak_5-1619194843912.png" /></span></P><P>&nbsp;</P><P>Did anyone tried to connect these services? 
Do you have any advice?</P> Fri, 23 Apr 2021 16:43:09 GMT M_Nowak 2021-04-23T16:43:09Z New Blog Post | MCAS: Top 5 Queries You Need to Save <P><A href="" target="_blank" rel="noopener">MCAS: Top 5 Queries You Need to Save - Microsoft Tech Community</A></P> <P><SPAN>After speaking with a few of our customers, we realized that some were not familiar with or aware of their ability to leverage suggested and saved queries inside of Cloud App Security. In this blog, we will show you what we consider our top five use cases for custom queries!</SPAN></P> Tue, 20 Apr 2021 17:56:47 GMT JasonCohen1892 2021-04-20T17:56:47Z Cloud App Security - create policy by severity and not by category <P>Hi Guys,</P><P>My question is already in the topic ;). Is this possible? Maybe with PowerShell?</P><P>If not, maybe there is a solution by adding all categories and mid/high severities into PowerShell?</P><P>Do you have any best practices or do I have to set it up in every standard policy to trigger a mail?</P><P>Thanks a lot.</P> Tue, 20 Apr 2021 12:08:57 GMT PatrickEl 2021-04-20T12:08:57Z cloud app discovery process with MDE integration <P>Hi all,</P><P>MCAS provides a way to discover cloud apps on MDE onboarded devices. Unfortunately I couldn't find any documentation about which cloud apps/URLs are discovered via MDE integration... 
Only the ones where users sign in with their related AAD identity, or all regardless of which identity is used or even whether a sign-in was processed?</P><P>Thank you</P><P>Thomas</P> Tue, 20 Apr 2021 07:39:50 GMT Thomas Höhner 2021-04-20T07:39:50Z Microsoft Cloud App Security Session Policy For .PDF Viewing <P>Currently we have a session policy in Microsoft Cloud App Security that blocks all file downloads while using Outlook Web which still allows attachment viewing. This works great for all Office documents however .PDF attachments cannot be viewed because they perform a download when previewing them. The only workaround is to allow .PDF attachment downloads only. Will there be any future enhancements in MCAS that will allow .PDF viewing while still blocking downloads?</P><DIV><P><SPAN><STRONG>Previewing or printing PDF files may be blocked</STRONG></SPAN></P><P>This is normal behavior when you have a policy configured to block downloads. Occasionally when previewing or printing PDF files, apps initiate a download of the file causing Cloud App Security to intervene to ensure the download is blocked and that data is not leaked from your environment.</P><P>If you would like to allow PDF file downloads, you can exclude PDF files based on their file extension in the relevant session policy.</P></DIV> Wed, 14 Apr 2021 17:04:02 GMT pradell1957 2021-04-14T17:04:02Z Architecture or Design for Microsoft Cloud App Security Hi,<BR />Appreciate your help in sharing / providing the best resources (URLs etc.) that would help in drafting an MCAS Design Document.<BR />Especially key configuration areas using the enterprise-scale best practices.<BR />Thanks, Thu, 15 Apr 2021 20:06:25 GMT Sumeeta 2021-04-15T20:06:25Z Tag applications as Monitored or Restricted <P>Hello there,</P><P>I currently work on Cloud App Security, and I was wondering what the "Monitored" and "Restricted" application tags are. 
From <A href="" target="_blank" rel="noopener">this</A> post, I understand that "Monitored" could be used to warn users that they are accessing a non-approved application or so, giving them the option to continue if they really want to. I didn't find any information regarding the "Restricted" tag.</P><OL><LI>Do you have any information regarding these two tags?</LI><LI>Is it still a preview as mentioned in the previous <A href="" target="_blank" rel="noopener">post</A>?</LI></OL><P>Additionally, these tags cannot be used to filter applications, and cannot be used to tag applications, as shown in the screenshots. However, these tags are visible in the tag settings! I am confused regarding this, any information about it?</P><P>Thanks a lot for your feedback</P> Thu, 08 Apr 2021 10:28:03 GMT ClementBonnet 2021-04-08T10:28:03Z How to find the 3rd party apps authenticity <P>Hi,</P><P>I checked our Azure AD tenant and found we have a lot of 3rd party apps sitting under enterprise apps and very few have any sign-in logs. Now we thought to clean these apps because we are not sure which 3rd party apps are accessing our tenant data using the Graph API. 
Now the first thing we did is block user consent and change this to admin consent, making sure the correct apps are allowed within the organization.</P><P>Now the tough part is to find the correct app. As per Microsoft Cloud App Security, it has a cloud app catalog of around 16,000 apps, where we can check the app details and ranking, but we still could not find the details of a few apps that are not in the Microsoft cloud app catalog.</P><P>Could you help us understand how you guys check and allow the authentic apps that do not have details in the MS cloud app catalog within your organization?</P> Wed, 07 Apr 2021 13:19:54 GMT Sanjiv_kumar 2021-04-07T13:19:54Z MCAS Logs Ingestion MDE vs Log Collector <P>Hi everyone,</P><P>we are currently evaluating MCAS and I am having a bit of a hard time figuring out which of the Logs Ingestion options makes sense.</P><P>According to the official documentation either integration with MDE (Defender for Endpoint) or the Log Collector can be used to continuously upload network logs.</P><P>So my question is - If we already have MDE in our organization, do we still need Log Collector data or would it just provide duplicate information?</P><P>Thanks in advance,</P><P>Darya</P> Fri, 02 Apr 2021 07:06:19 GMT DaryaB 2021-04-02T07:06:19Z MCAS proxy and link to image not working <P>We use a SharePoint page as an application portal. On that page we have several links to applications and websites. 
All those links have an application logo.</P><P>Today we started testing MCAS and we noticed that the links to logo images are not working due to the prepended proxy URL of MCAS.</P><P>How can we fix this without changing te&nbsp;</P> Thu, 01 Apr 2021 10:26:33 GMT Ronald Meer 2021-04-01T10:26:33Z Failed to trash the file - MCAS Governance Log <P>Hi,</P><P>After a Malware detection policy alert I tried to trash a file but it failed; some were successfully trashed.</P><P>How do I know the reason for the failure?</P> Wed, 31 Mar 2021 17:54:51 GMT BaselFawal 2021-03-31T17:54:51Z Impossible Travel User Notification <P>Does anyone have an example of the email content received by end users when the option to "Notify User" (under Governance Actions | All Apps) is selected within the Impossible Travel Policy? What is included in the email to the user and can this be modified to include the specifics of the Impossible Travel location?</P><P>Thank you,</P> Mon, 29 Mar 2021 19:00:20 GMT RoyDelgado 2021-03-29T19:00:20Z