<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cortex XDR filter cloud apps for non-sanctioned storage in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522878#M3202</link>
    <description>&lt;P&gt;Thank you for the detailed reply &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130"&gt;@aleksandar.astardzhiev&lt;/a&gt;&amp;nbsp;!&lt;BR /&gt;&lt;BR /&gt;That makes sense on the difference between the two products. I think my question would've been better if comparing Cortex XDR to Microsoft Defender for Endpoint, as&lt;SPAN&gt;&amp;nbsp;Defender for Cloud Apps is just something integrated with it.&amp;nbsp;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;With that said, would a similar CASB product to Defender for Cloud Apps be Prisma Cloud? I have been working on building the queries you mentioned for a few weeks, though I'm running into the problems you also mentioned.&amp;nbsp; If Prisma Cloud contains similar features then that would be great to know.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks!&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 30 Nov 2022 14:40:04 GMT</pubDate>
    <dc:creator>landon_cox</dc:creator>
    <dc:date>2022-11-30T14:40:04Z</dc:date>
    <item>
      <title>Cortex XDR filter cloud apps for non-sanctioned storage</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522446#M3191</link>
      <description>&lt;P&gt;&lt;SPAN&gt;My goal is to determine which device/user has used sanctioned and non-sanctioned cloud storage, e.g., OneDrive, SpiderOak, NextCloud, Syncthing.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;There is a feature in&amp;nbsp;Microsoft Defender for Cloud Apps&amp;nbsp;that I'm hoping to find in Cortex, which contains a specific list of all cloud storage that is used and a list of each device/user that has used it. It seems to gather this from EDR telemetry, and the information is gathered in one section to easily view. Providing a screenshot from Microsoft's site of the section I'm mentioning.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Any assistance on doing this in Cortex would be great.&amp;nbsp;&lt;BR /&gt;Thanks!&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 25 Nov 2022 15:18:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522446#M3191</guid>
      <dc:creator>landon_cox</dc:creator>
      <dc:date>2022-11-25T15:18:28Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR filter cloud apps for non-sanctioned storage</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522490#M3192</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/259020"&gt;@landon_cox&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;I am fairly new to Cortex XDR myself, so I don't consider myself completely competent, but I believe XDR doesn't provide such functionality out of the box. And I would say it's expected: Cortex XDR is endpoint protection (in simple terms), while Defender for Cloud Apps is a CASB (cloud access security broker). Those are completely different products targeting completely different security domains.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I would probably make some people angry, but I would try to simplify and summarize CASB as a simple forwarding proxy. As you can imagine, any cloud service can be accessed in different ways - using a dedicated application or a web browser. In order for any CASB product to be able to detect and identify any cloud application/SaaS, it needs to be able to inspect the traffic; this way it doesn't matter if you open OneDrive with a browser or with an app, or if you sync a directory or download something. And of course the easiest way is to proxy endpoint traffic.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cortex XDR is not a CASB; it is not its focus. Having said that, you probably could get a similar result, but not as close as a real CASB product.&lt;/P&gt;
&lt;P&gt;If you already use Palo Alto firewalls and you have SSL decryption for outbound traffic you can &lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-reports/generate-the-saas-application-usage-report" target="_blank"&gt;Generate the SaaS Application Usage Report (paloaltonetworks.com)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You could also use XQL and build a query that could search for DNS requests for known SaaS domains or network connections to known SaaS IP ranges. Unfortunately there are two problems:&lt;/P&gt;
&lt;P&gt;- Since XDR is not CASB there isn't any "signature" that you can use to identify if network traffic is related to SaaS/Cloud App.&lt;/P&gt;
&lt;P&gt;- Looking only at DNS logs in EDR logs is not reliable. Depending on how the application is generating the DNS request, they might not be logged and not present in the EDR, so it is more reliable to search for network connections, which makes identifying SaaS traffic more difficult - you need to know their IP ranges.&lt;/P&gt;</description>
      <pubDate>Sun, 27 Nov 2022 15:18:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522490#M3192</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2022-11-27T15:18:58Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR filter cloud apps for non-sanctioned storage</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522878#M3202</link>
      <description>&lt;P&gt;Thank you for the detailed reply &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130"&gt;@aleksandar.astardzhiev&lt;/a&gt;&amp;nbsp;!&lt;BR /&gt;&lt;BR /&gt;That makes sense on the difference between the two products. I think my question would've been better if comparing Cortex XDR to Microsoft Defender for Endpoint, as&lt;SPAN&gt;&amp;nbsp;Defender for Cloud Apps is just something integrated with it.&amp;nbsp;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;With that said, would a similar CASB product to Defender for Cloud Apps be Prisma Cloud? I have been working on building the queries you mentioned for a few weeks, though I'm running into the problems you also mentioned.&amp;nbsp; If Prisma Cloud contains similar features then that would be great to know.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks!&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 30 Nov 2022 14:40:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522878#M3202</guid>
      <dc:creator>landon_cox</dc:creator>
      <dc:date>2022-11-30T14:40:04Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR filter cloud apps for non-sanctioned storage</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522881#M3204</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/259020"&gt;@landon_cox&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;Palo Alto's CASB product is Prisma Access - &lt;A href="https://www.paloaltonetworks.com/sase/access" target="_blank" rel="noopener"&gt;https://www.paloaltonetworks.com/sase/access&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Unfortunately I don't have any experience with it, so I wouldn't be much help here.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just for clarification:&lt;/P&gt;
&lt;P&gt;- Prisma SASE - combines Prisma Access and Prisma SD-WAN&lt;/P&gt;
&lt;P&gt;- Prisma Access - as mentioned, provides CASB functionality and much more (remote access, zero trust access, etc.)&lt;/P&gt;
&lt;P&gt;- Prisma Cloud - cloud-native application protection, cloud workload protection, cloud posture management and cloud network security. This is more for protecting YOUR infrastructure in the public cloud (Azure, AWS, Google, etc.) and private cloud.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You may find this video interesting regarding Prisma SASE and Prisma Access: &lt;A href="https://www.youtube.com/watch?v=4Yo1K9G3QRE" target="_blank" rel="noopener"&gt;https://www.youtube.com/watch?v=4Yo1K9G3QRE&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 30 Nov 2022 15:26:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-filter-cloud-apps-for-non-sanctioned-storage/m-p/522881#M3204</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2022-11-30T15:26:34Z</dc:date>
    </item>
  </channel>
</rss>

