Rule Synopsis
This rule describes the default data source used by CI Sync when reading data from Defender for Cloud Apps.
Customers starting to use the CI Sync connector for Defender for Cloud Apps need to understand the following about Defender for Cloud Apps:
- Customers should understand how/where Defender for Cloud Apps consumes incoming data sources (e.g. logs from Defender for Endpoint, or logs from third-party firewalls and similar applications/appliances).
- Customers should understand how Defender for Cloud Apps exposes the resulting analysis of those data sources (e.g. how Defender exposes the list of cloud applications, the users associated with each cloud application, and other metadata about each cloud application).
High-level explanation of the sources of data used by Defender for Cloud Apps
Cloud Discovery (which is a key component of Defender for Cloud Apps) analyzes traffic logs against the Microsoft Defender for Cloud Apps catalog (which consists of over 30,000 cloud applications).
Customers need to configure Cloud Discovery in Defender for Cloud Apps before using CI Sync to synchronize the related data into their ServiceNow CMDB.
Syncfish recommends that customers read the Microsoft Defender for Cloud Apps documentation in order to build a Cloud Discovery configuration that CI Sync can read. Please read:
- The following article for a complete overview of Defender for Cloud Apps: https://learn.microsoft.com/en-us/defender-cloud-apps/
- The following article for information specific to Cloud App Discovery: https://learn.microsoft.com/en-us/defender-cloud-apps/set-up-cloud-discovery
The second article above (on Cloud App Discovery) explains the use of Snapshot and Continuous Risk Assessment Reports. These Risk Assessment reports expose the data that CI Sync reads from Defender for Cloud Apps.
As such, these are a key topic to understand when getting started with the CI Sync connector for Defender for Cloud Apps.
Rule Details
- By default, CI Sync uses the out-of-the-box Microsoft Defender for Endpoint risk assessment report (in Defender for Cloud Apps this is called a “continuous risk assessment report”, which is distinct from a “snapshot risk assessment report”).
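As an added example (not code from this Syncfish page, from CI Sync, or from Microsoft), the following Python pre-flight check lists the Cloud Discovery streams a tenant exposes and confirms that the continuous report CI Sync is expected to read is actually present; it also shows the override case below, where a firewall-fed stream is selected instead. The endpoint path `/api/v1/discovery/streams/`, the `Token` authorization scheme, the response field names (`data`, `_id`, `displayName`, `streamType`) and the default stream name `Defender-managed endpoints` are all assumptions to verify against the Defender for Cloud Apps API reference for your tenant; the sample response is constructed.

```python
import json
import urllib.request

# ASSUMPTION (not stated on the Syncfish page): the display name Defender for
# Cloud Apps gives the built-in continuous report fed by Defender for Endpoint.
# Confirm the exact name in your own tenant under Cloud Discovery settings.
DEFAULT_STREAM_NAME = "Defender-managed endpoints"

# Constructed sample reply, shaped as this example assumes a "list streams"
# response looks; the field names are an assumption to check against the
# Microsoft API reference.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"_id": "stream-001", "displayName": "Defender-managed endpoints",
         "streamType": "continuous"},
        {"_id": "stream-002", "displayName": "Perimeter firewall syslog",
         "streamType": "continuous"},
        {"_id": "stream-003", "displayName": "Q1 proxy log snapshot",
         "streamType": "snapshot"},
    ]
})


def parse_streams(body: str) -> list:
    """Decode the JSON reply and return the list of stream records."""
    payload = json.loads(body)
    return payload.get("data", [])


def fetch_streams(portal_url: str, api_token: str, timeout: float = 30.0) -> list:
    """Pull the stream list from a live tenant.
    ASSUMPTION: the path /api/v1/discovery/streams/ and the 'Token' auth
    scheme; verify both against the Defender for Cloud Apps API reference."""
    req = urllib.request.Request(
        f"{portal_url.rstrip('/')}/api/v1/discovery/streams/",
        headers={"Authorization": f"Token {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_streams(resp.read().decode("utf-8"))


def continuous_streams(streams: list) -> list:
    """Only continuous reports are eligible for a sync; snapshot reports are
    one-off log uploads and are deliberately excluded."""
    return [s for s in streams if s.get("streamType") == "continuous"]


def choose_stream(streams: list, preferred: str = DEFAULT_STREAM_NAME):
    """Return the continuous stream CI Sync would read, or None.
    None is the case in which a rule override is needed, e.g. the tenant feeds
    firewall logs to Defender for Cloud Apps rather than Defender for Endpoint."""
    for s in continuous_streams(streams):
        if s.get("displayName") == preferred:
            return s
    return None


def report(streams: list, preferred: str = DEFAULT_STREAM_NAME) -> str:
    """Human-readable result of the pre-flight check."""
    chosen = choose_stream(streams, preferred)
    if chosen is not None:
        return f"OK: CI Sync will read continuous stream '{preferred}' (id {chosen['_id']})"
    names = [s.get("displayName") for s in continuous_streams(streams)]
    return (f"OVERRIDE NEEDED: no continuous stream named '{preferred}'; "
            f"continuous streams present: {names}")


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; swap in
    # fetch_streams("https://<tenant>.portal.cloudappsecurity.com", token)
    # for a live tenant.
    streams = parse_streams(SAMPLE_RESPONSE)
    print(report(streams))
    print(report(streams, preferred="Perimeter firewall syslog"))
    print(report(streams, preferred="Q1 proxy log snapshot"))
```

Run it before enabling the connector: an `OVERRIDE NEEDED` result for the default name is exactly the situation the Override Options section below describes, and the list of continuous streams it prints is what you would hand to Syncfish when requesting the override.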
Override Options
Context
Customers may want to use a risk assessment report other than the out-of-the-box Microsoft Defender for Endpoint report.
This may be required if a customer is not using Defender for Endpoint as the log source for Defender for Cloud Apps and is instead sending firewall application/appliance logs to Defender for Cloud Apps.
Options
Syncfish can amend CI Sync to read from one or more risk assessment reports other than the out-of-the-box Microsoft Defender for Endpoint report.
Overriding via Connection Settings
N/A
Additional Information
N/A
Related Rules
N/A
Support Model for Rule Overrides
Question: Can overrides be performed by customers without a Syncfish Extended Implementation and Support Plan?
Answer: No (a plan is needed - see below)
Question: Which Syncfish Extended Implementation and Support Plan is required to obtain overrides of this rule?
Answer: Either a Silver Plan or Gold Plan