Cloud discovery

The cloud discovery dashboard is one of MDCA's key features. The initial dashboard provides charts and graphs of the cloud apps (essentially websites) being used within your environment. The charts can be adjusted to look at different metrics, whether it be total users or traffic a cloud app is generating.

The next few tabs in cloud discovery will give you will give you a filterable list view of cloud apps being used, resources, IPs, devices, and users.

Data displayed here can come from a few different sources:

• Defender for Endpoint onboarded devices
• Firewall logs
  • Snapshot reports
  • Continuous reporting
  • Automatic log uploads

Once you have this data, this tool can also help identify shadow IT within the environment, these are applications being used without the approval or knowledge of IT leadership, potentially exposing your sensitive data or assets. Then utilizing app discovery policies you can generate alerts for new risky apps, apps with high volume uploads and other criteria to help monitor your environment. This tool is truly beneficial and worth setting up, even if you feel you already have similar information within another tool.

Warning

Depending on your organization, if you are not positive you are going to use this data and feel the nature of this data may be sensitive, consider using anonymization. While not 100% anonymous it does provide an extra layer of protection to the data. Since we can set up policies to generate alerts automatically on this data, I wouldn't call this "dark data" if you don't plan to use the dashboard, but do be aware there are additional protection options for your data.

Discovered apps

I believe discovered apps is the main area of interest within cloud discovery. These are all the cloud apps being used by your users over the period of time set in the top right-hand corner. Every cloud app in this list comes from the cloud app catalog and is assigned a risk score from 0 to 10, 0 being particularly risky and 10 being relatively safe. I do a deep dive on app scoring over in the score metrics setting article, but the risk score is created by a combination of company information and their security, legal, and compliance practices.

To see detailed information about the makeup of a cloud app's risk you can select the row the cloud app is on, and it will expand, if you click the link for the cloud app name it will take you to detailed usage information for the cloud app such as users and devices using the app as well as traffic metrics.

On the cloud app itself you can mark an app as sanctioned, unsanctioned, or monitored, these are known as app tags. Tagging an application is primarily for organization, however you can configure MDCA to work with MDE and block unsanctioned cloud apps as well as warning users about monitored cloud apps.