Microsoft has quietly introduced the option to automatically block connections to unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console. This is accomplished by integrating MCAS with Microsoft Defender Advanced Threat Protection (MDATP).

Based on the information available in Cloud App Security, the app’s domains are used to create domain indicators in the Microsoft Defender ATP portal. On the endpoint, Windows Defender Exploit Guard network protection then enforces those indicators and blocks access to the URLs, which eventually results in the following notification being shown to the user.

Windows 10 Notification

In this blog post I will explain how to set up this functionality when Microsoft Intune is used, and what the resulting behavior is on Windows 10. This assumes that you are licensed for both MCAS and MDATP, in my case through a Microsoft 365 E5 license.

  1. Setting up the necessary options in the Microsoft Defender Security Center
  2. Setting up a Device Configuration Policy to enable Exploit Guard Network filtering in Microsoft Intune in audit mode
  3. Configuring Microsoft Cloud App Security (MCAS)
  4. Testing Network Filtering in audit mode on Windows 10
  5. Modifying the Device Configuration Policy to enable Network filtering

Setting up the necessary options in the Microsoft Defender Security Center

We have to start with setting up the connection between the Microsoft Defender Security Center and MCAS. This can be accomplished by turning the Microsoft Cloud App Security setting to “On” under Advanced features. 

[Screenshot: Microsoft Defender Security Center > Settings > Advanced features, with the Microsoft Cloud App Security toggle set to On. The setting description reads: forwards Microsoft Defender ATP signals to Cloud App Security, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT; it also gives them the ability to block unauthorized applications when the custom network indicators setting is turned on. The feature requires a license for Enterprise Mobility + Security on machines running Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.]
Enable Microsoft Cloud App Security integration

Next we need to enable the Custom network indicators setting as well; it can also be found under Advanced features.

[Screenshot: the Custom network indicators setting turned On. The setting description reads: configures machines to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists. To use this feature, machines must be running Windows 10 version 1709 or later, with network protection in block mode and version 4.18.1906.3 or later of the antimalware platform (see KB 4052623). Network protection leverages reputation services that process requests in locations that might be outside of the location selected for your Microsoft Defender ATP data.]
Enable custom network indicators

Setting up a Device Configuration Policy to enable Exploit Guard Network filtering in Microsoft Intune in audit mode

In order to enable network filtering on our Windows 10 devices that are onboarded to MDATP, we define a Device Configuration policy in Microsoft Intune and target it at our Windows 10 devices. We do this in audit mode first and test the outcome on one of our Windows 10 machines.

[Screenshot: Intune > Device configuration > Create profile, platform "Windows 10 and later", profile type Endpoint protection, category Microsoft Defender Exploit Guard > Network filtering, with the setting "Block outbound connections from any app to low reputation IP/domain" set to Audit.]
Create Device Configuration Policy in Microsoft Intune

Microsoft also provides guidance on enabling this option with other tools such as ConfigMgr, Group Policy and PowerShell; this is described in the following article: Enable network protection.
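As an added example that is not part of the original post, the following PowerShell function checks on a Windows 10 device whether the prerequisites quoted above (OS build, antimalware platform version) are met and whether network protection has landed in the expected mode; the function name and its -Mode parameter are my own, the Defender cmdlets it calls are the built-in ones.

```powershell
# Added example (not from the original post). Verifies the prerequisites listed under
# "Custom network indicators" and the current network protection mode on this device.
# Assumes the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference.
function Test-NetworkProtectionSetup {
    [CmdletBinding()]
    param(
        # Expected mode: 'AuditMode' while testing, 'Enabled' once blocking is turned on
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode'
    )

    $ok = $true

    # 1. Windows 10 version 1709 (OS build 16299) or later is required
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -lt 16299) {
        Write-Warning "OS build $build is older than 16299 (Windows 10 version 1709)."
        $ok = $false
    }

    # 2. Antimalware platform 4.18.1906.3 or later (KB 4052623)
    $platform = [version](Get-MpComputerStatus).AMProductVersion
    if ($platform -lt [version]'4.18.1906.3') {
        Write-Warning "Antimalware platform $platform is older than 4.18.1906.3."
        $ok = $false
    }

    # 3. EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
    #    These are the same values that show up in Event 5007 (0x2 audit, 0x1 block).
    $expected = @{ AuditMode = 2; Enabled = 1 }[$Mode]
    $actual   = (Get-MpPreference).EnableNetworkProtection
    if ($actual -ne $expected) {
        Write-Warning "EnableNetworkProtection is $actual, expected $expected ($Mode)."
        $ok = $false
    }

    return $ok
}

# Example use while rolling out the audit-mode policy. If the Intune policy has not
# landed yet, the same mode can be set locally for a quick test (the MDM policy
# takes precedence again on the next sync):
#   Set-MpPreference -EnableNetworkProtection AuditMode
Test-NetworkProtectionSetup -Mode AuditMode
```

Run it again with -Mode Enabled after the policy has been switched to block mode later in this post.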

Configuring Microsoft Cloud App Security (MCAS)

The first thing we need to do is enable the Cloud app control option in MCAS; this can be done from the Cloud app control section under Settings.

[Screenshot: Cloud App Security > Settings > Cloud Discovery > Cloud app control, "Cloud app control with Microsoft Defender Advanced Threat Protection", with the option "Block unsanctioned apps and domains with Microsoft Defender Advanced Threat Protection" checked. Enabling this will block endpoint access to cloud apps marked as unsanctioned in Cloud App Security.]
Enable Cloud app control

In our example we are going to block access to iTunes; the screenshot shows that iTunes has been unsanctioned in our Cloud App Security portal.

[Screenshot: Cloud App Security > Cloud Discovery > Discovered apps for the continuous report "Win 10 Endpoint Users" (last 30 days, updated on Jan 16, 2020), filtered on the app iTunes, which carries the Unsanctioned app tag.]
Unsanction iTunes in the Cloud App Security portal

Testing Network Filtering in audit mode on Windows 10

In order to start testing the network filtering in Windows 10, we first need to make sure that the Device Configuration policy set in Microsoft Intune has landed on our test device. Once it has, we can find the following entry in the Windows Defender event log.

[Screenshot: Event 5007, Windows Defender, logged 17/01/2020 on DESKTOP-KOM3CB: "Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware." Old value: ...\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection. New value: ...\Policy Manager\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection = 0x2.]
EventID 5007 in the Windows Defender event log

Once we start iTunes on our Windows 10 test device, we see EventID 1125 appear, detailing that the connection to the destination https://init.itunes.apple.com would have been blocked by the network protection policy.

[Screenshot: Event 1125, Windows Defender, logged 17/01/2020 on DESKTOP-KOM3CB: "Your IT administrator would have caused Windows Defender Exploit Guard to block a potentially dangerous network connection." Detection time: 2020-01-17T12:18:52.604Z. Destination: https://init.itunes.apple.com. Process Name: iTunes.exe.]
EventID 1125 in the Windows Defender event log

Modifying the Device Configuration Policy to enable Network filtering

Now that we have tested the Network filtering policy in audit mode, we are ready to enable Network protection in block mode by modifying the Device Configuration Policy we created earlier.

[Screenshot: the Network filtering setting "Block outbound connections from any app to low reputation IP/domain. This can be enabled in Audit/Block mode" in the Intune profile, now set to Enable.]
Enable Network protection

Network filtering behavior after Network protection is enabled

Once we have modified the Device Configuration policy, it’s best to trigger a synchronization on our Windows 10 device so that the updated device configuration policy becomes active.

This will be reflected by EventID 5007 in the Windows Defender event log, detailing that Network

[Screenshot: Event 5007, Windows Defender, logged 17/01/2020 13:26:46 on DESKTOP-KOM3CB: "Windows Defender Antivirus Configuration has changed." Old value: ...\Policy Manager\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection = 0x2. New value: ...\Policy Manager\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection = 0x1.]
EventID 5007 in the Windows Defender event log

If we start iTunes now, we receive the following notification:

Windows Defender notification in Windows 10

If you don’t receive a notification, you may need to enable notifications first:

[Screenshot: Windows Security > Settings > Notifications, with "Get informational notifications" turned on under Virus & threat protection notifications, including "Recent activity and scan results", "Threats found, but no immediate action is needed" and "Files or activities are blocked".]
Enable notification for Windows Defender

The corresponding entry in the Windows Defender event log is now EventID 1126, detailing that the network connection has actually been blocked.

[Screenshot: Event 1126, Windows Defender, logged 17/01/2020 13:27:50 on DESKTOP-KOM3CB: "Your IT administrator has caused Windows Defender Exploit Guard to block a potentially dangerous network connection." Detection time: 2020-01-17T12:27:50Z. Destination: an itunes.apple.com URL. Process Name: ...\iTunes.exe.]
EventID 1126 in the Windows Defender event log
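The two test runs above (EventID 1125 in audit mode, EventID 1126 in block mode, plus the 5007 configuration changes in between) can be pulled from the Windows Defender operational log in one go. The following function is an added example and not part of the original post; its name and -Hours parameter are my own, and it extracts the Destination, Process Name and User fields from the event message text as shown in the screenshots.

```powershell
# Added example (not from the original post). Summarises Exploit Guard network
# protection events from the Windows Defender operational log on this device:
#   1125 = connection would have been blocked (audit mode)
#   1126 = connection was blocked (block mode)
#   5007 = Defender configuration changed (e.g. EnableNetworkProtection 0x2 -> 0x1)
function Get-NetworkProtectionEvents {
    [CmdletBinding()]
    param([int]$Hours = 24)   # how far back to look; our own parameter

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message
        # The fields appear as "Label: value" lines in the event message (1125/1126 only)
        $dest = if ($msg -match 'Destination:\s*(\S+)')        { $Matches[1] } else { $null }
        $proc = if ($msg -match 'Process Name:\s*([^\r\n]+)')  { $Matches[1].Trim() } else { $null }
        $user = if ($msg -match 'User:\s*(\S+)')               { $Matches[1] } else { $null }

        $action = switch ($e.Id) { 1125 { 'audit' } 1126 { 'blocked' } 5007 { 'config' } }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Action      = $action
            Destination = $dest
            Process     = $proc
            User        = $user
        }
    }
}

# Example use: what would have been (1125) or was (1126) blocked in the last day,
# grouped per destination and action so a chatty app such as iTunes collapses to one
# line per host instead of one line per connection attempt.
Get-NetworkProtectionEvents -Hours 24 |
    Where-Object Id -ne 5007 |
    Group-Object Destination, Action |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A destination that keeps showing up as "audit" after the 5007 event that switched the mode to 0x1 indicates the device has not yet picked up the block-mode policy.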

You will also notice that errors start appearing in the iTunes application itself; an example is shown below:

[Screenshot: iTunes Store error dialog: "iTunes could not connect to the iTunes Store. An unknown error occurred (0x80090326). Make sure your network connection is active and try again."]
Error in iTunes

From the Microsoft Defender Security Center we can now see the following alert appear, which gives us central visibility and control over connections to all of our unsanctioned cloud apps.

[Screenshot: Microsoft Defender Security Center alert "Connection to a blocked cloud application was detected" on desktop-6com3cb for user azuread\kennethvansurksum, severity Low, category Suspicious Activity, detection source Custom TI, status New, first and last activity 17.01.2020. Description: "Endpoint had established a connection with a risky cloud application itunes.apple.com. This connection was classified as risky according to your organization Microsoft Cloud App Security administrator. You can view the respective indicator under the URLs/Domain tab or from within the Microsoft Cloud App Security portal." Recommended actions: validate the alert and scope the suspected breach; find related machines, network addresses, and files in the incident graph; check for other suspicious activities in the machine timeline; locate unfamiliar processes in the process tree and check files for prevalence, their locations, and digital signatures. Automated investigation is not applicable to this alert type, and no alert process tree is available.]
Alerts in the Microsoft Defender Security Center

Conclusion

Cloud app control is a very welcome addition to the MCAS portfolio. Although Microsoft has provided integration with third-party solutions to block network connections in the past, having a direct integration and being able to block cloud app usage directly from the MCAS portal is a really nice solution.

It would be nice to also be able to block the actual execution of the application on the client, for example by automatically creating AppLocker policies or configuring Device Guard. Perhaps in the future; time will tell.

References

Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security – https://docs.microsoft.com/en-us/cloud-app-security/wdatp-integration

Sanctioning/unsanctioning an app – https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery#BKMK_SanctionApp

Create indicators for IPs and URLs/domains (preview) – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-ips-and-urlsdomains-preview

Enable network protection – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection

Evaluate network protection – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection

Enable network protection in audit mode – https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#enable-network-protection-in-audit-mode

Windows 10 Device Guard Versus AppLocker – https://www.petri.com/windows-10-device-guard-versus-applocker