Application Script That Filters Risky Unused Apps on Your Environment.


Hey there everyone. Recently made a script that filters out high-risk applications (Risk score <4) that haven't been used in a while on your environment. An easy win is to block applications that haven't been used in a bit.

We have specific application categories we are more interested in than others. Feel free to copy this template, or use others.

Oh, you need the MCAS PowerShell package installed too. Here is the download link: https://github.com/microsoft/MCAS/

# Defining variables
$count = 0   # Running offset: the number of apps already pulled
$obj = @()   # Array the matching apps are added to

# Application categories to filter on. We look for specific types here for our environment. Change to your liking.
$categories = @(
    "SAASDB_CATEGORY_SOCIALNETWORK", "SAASDB_CATEGORY_NEWS_AND_ENTERTAINMENT",
    "SAASDB_CATEGORY_CLOUD_COMPUTING_PLATFORM", "SAASDB_CATEGORY_CONTENT_MANAGEMENT",
    "SAASDB_CATEGORY_COLLABORATION", "SAASDB_CATEGORY_HOSTING_SERVICES",
    "SAASDB_CATEGORY_IT_SERVICES", "SAASDB_CATEGORY_MARKETING",
    "SAASDB_CATEGORY_WEBMAIL", "SAASDB_CATEGORY_SECURITY",
    "SAASDB_CATEGORY_FORUMS", "SAASDB_CATEGORY_ONLINE_MEETINGS",
    "SAASDB_CATEGORY_COMMUNICATIONS", "SAASDB_CATEGORY_WEB_ANALYTICS",
    "SAASDB_CATEGORY_ADVERTISING", "SAASDB_CATEGORY_WEBSITE_MONITORING",
    "SAASDB_CATEGORY_CONTENT_SHARING", "SAASDB_CATEGORY_BUSINESS_INTELLIGENCE"
)

do {
    $applist = Get-MCASDiscoveredApp -Skip $count   # Pull the next page of discovered apps
    $count += $applist.count   # Advance the offset by the number of apps just returned
    foreach ($app in $applist) {   # For each application inside the list of 100
        if ($app.category -in $categories) {
            # Checks whether the application has been used by anyone in the organization in the last 14 days.
            if ($app.lastUsed -lt (Get-Date).AddDays(-14).ToString("yyyy-MM-dd") -and ($app.revised_score_total -lt 5)) {
                $obj += $app   # Adds the application and the data from MCAS to the array
            }
        }
    }
    Start-Sleep -Seconds 6   # API connection times out after a while. This Start-Sleep prevents these issues.
}
while ($applist.count -ge 100)   # Keep looping while there are still apps to be pulled

$obj | Export-CSV -Path "C:\Script\apps.csv" -Force   # Exports the list to an apps CSV

Pretty much, the script runs and looks for applications that haven't been used in the last two weeks. If your parser and ADATP logs are constantly up to date, you should definitely have a good list of risky applications to block on your environment.

If you have any questions, feel free to post below. 
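
The filter from the script above, written as a function that can be dry-run on sample records before it is pointed at a tenant. This is an added example, not part of the original post or of the MCAS module. It assumes `lastUsed` parses as a date, compares real dates instead of strings, skips records with no usable date, and uses a constructed `name` field and constructed sample records.

```powershell
# Added example: offline check of the stale/risky filter (not the poster's code).
function Select-StaleRiskyApp {
    param(
        [Parameter(Mandatory)] [object[]] $App,
        [string[]] $Category,          # categories of interest; empty means all
        [int]      $StaleDays = 14,    # same window as the script above
        [int]      $MaxScore  = 5,     # exclusive bound, matching the script's -lt 5
        [datetime] $Now       = (Get-Date)
    )
    $cutoff = $Now.Date.AddDays(-$StaleDays)
    foreach ($a in $App) {
        if ($Category -and $a.category -notin $Category) { continue }
        if ($a.revised_score_total -ge $MaxScore) { continue }
        # Parse lastUsed into a real date. A missing or unparseable value is skipped
        # with a warning rather than being treated as "stale" and proposed for blocking.
        $last = [datetime]::MinValue
        $ok = [datetime]::TryParse([string]$a.lastUsed, [cultureinfo]::InvariantCulture,
                                   [System.Globalization.DateTimeStyles]::None, [ref]$last)
        if (-not $ok) {
            Write-Warning "Skipping '$($a.name)': unusable lastUsed '$($a.lastUsed)'"
            continue
        }
        if ($last -lt $cutoff) { $a }   # emit the candidate for review
    }
}

# Constructed sample records; 'name' is a hypothetical field added for readability.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ name='app-a'; category='SAASDB_CATEGORY_WEBMAIL'; lastUsed='2024-05-01'; revised_score_total=3 }  # stale and risky
    [pscustomobject]@{ name='app-b'; category='SAASDB_CATEGORY_WEBMAIL'; lastUsed='2024-05-30'; revised_score_total=2 }  # used recently
    [pscustomobject]@{ name='app-c'; category='SAASDB_CATEGORY_FORUMS';  lastUsed='2024-04-10'; revised_score_total=8 }  # stale, score not low
    [pscustomobject]@{ name='app-d'; category='SAASDB_CATEGORY_FORUMS';  lastUsed=$null;        revised_score_total=1 }  # no usage date
)

Select-StaleRiskyApp -App $sample -Category 'SAASDB_CATEGORY_WEBMAIL','SAASDB_CATEGORY_FORUMS' -Now $now |
    Select-Object name, category, lastUsed, revised_score_total
```

Of the four sample records only `app-a` is returned, and `app-d` produces a warning instead of landing on the block list.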

1 Reply

@SecurityChampion Thanks for sharing!

This is a very useful and interesting scenario, and we'll be glad to share it with more MCAS customers.
