Cortex XDR filter cloud apps for non-sanctioned storage

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR filter cloud apps for non-sanctioned storage

L0 Member

My goal is to determine which device/user has used Sanctioned and non-Sanctioned cloud storage, e.g., Onedrive, SpiderOak, NextCloud, Syncthing. 

There is a feature in Microsoft Defender for Cloud Apps that i'm hoping to find in Cortex, which contains a specific list of all Cloud Storage that is used and a list of each device/user that has used them. It seems to gather this from EDR telemetry and the information is gathered in one section to easily view. Providing a screenshot from Microsoft's site of the section I'm mentioning. 

 

Any assistance on doing this in Cortex would be great. 
Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @landon_cox ,

I am fairly new to Cortex XDR myself, so I don't consider self as completely competent, but I believe you XDR doesn't provide such functionality out of the box. And I would say it expected, Cortex XDR is endpoint protection (in simple terms), while Defender for Cloud Apps is CASB (cloud access security broker). Those are completely different product targeting completely different security domains.

 

I would probably make some people angry but I would try to simplify and summarize CASB as simple forwarding proxy. As you can imaging any cloud service can be accesses in different ways - using dedicated application or with web browser. In order any CASB product to be able to detect and identify any cloud application/SaaS it needs to be able to inspect the traffic, this way it doesn't matter if you open OneDrive with browser or with app and if you sync directory or download something. And of course the easiest way is to proxy endpoint traffic.

 

Cortex XDR is not CASB, it is not its focus. Having that said you probably could get similar result, but not as close as real CASB product.

If you already use Palo Alto firewalls and you have SSL decryption for outbound traffic you can Generate the SaaS Application Usage Report (paloaltonetworks.com)

 

You could also use XQL and build a query that could search for DNS requests for known SaaS domains or network connections to known SaaS IP ranges. Unfortunately there are two problems:

- Since XDR is not CASB there isn't any "signature" that you can use to identify if network traffic is related to SaaS/Cloud App.

- Looking only at DNS logs in EDR logs is not reliable. Depending of how the application is generating the DNS request they could be not logged and not present in the EDR, so it is more reliable to search for network connections, which makes identifying SaaS traffic more difficult - you need to know their IP ranges.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @landon_cox ,

I am fairly new to Cortex XDR myself, so I don't consider self as completely competent, but I believe you XDR doesn't provide such functionality out of the box. And I would say it expected, Cortex XDR is endpoint protection (in simple terms), while Defender for Cloud Apps is CASB (cloud access security broker). Those are completely different product targeting completely different security domains.

 

I would probably make some people angry but I would try to simplify and summarize CASB as simple forwarding proxy. As you can imaging any cloud service can be accesses in different ways - using dedicated application or with web browser. In order any CASB product to be able to detect and identify any cloud application/SaaS it needs to be able to inspect the traffic, this way it doesn't matter if you open OneDrive with browser or with app and if you sync directory or download something. And of course the easiest way is to proxy endpoint traffic.

 

Cortex XDR is not CASB, it is not its focus. Having that said you probably could get similar result, but not as close as real CASB product.

If you already use Palo Alto firewalls and you have SSL decryption for outbound traffic you can Generate the SaaS Application Usage Report (paloaltonetworks.com)

 

You could also use XQL and build a query that could search for DNS requests for known SaaS domains or network connections to known SaaS IP ranges. Unfortunately there are two problems:

- Since XDR is not CASB there isn't any "signature" that you can use to identify if network traffic is related to SaaS/Cloud App.

- Looking only at DNS logs in EDR logs is not reliable. Depending of how the application is generating the DNS request they could be not logged and not present in the EDR, so it is more reliable to search for network connections, which makes identifying SaaS traffic more difficult - you need to know their IP ranges.

L0 Member

Thank you for the detailed reply @Astardzhiev !

That makes sense on the difference between the two products. I think my question would've been better if comparing Cortex XDR to Microsoft Defender for Endpoint, as Defender for Cloud Apps is just something integrated with it.  

With that said, would a similar CASB product to Defender for Cloud Apps be Prisma Cloud? I have been working with building the queries you mentioned for a few weeks though i'm running into the problems you also mentioned.  If Prisma Cloud contains similar features then that would be great to know. 

Thanks!

Hi @landon_cox ,

Palo Alto CASB product is Prisma Acess - https://www.paloaltonetworks.com/sase/access

Unfortunately I don't have any experience with it so I wouldn't be much of a help here.

 

Just for clarification:

- Prisma SASE - combine Prisma Access and Prisma SD-WAN

- Prisma Access - as mentioned provide CASB functionality and much more (remote access, zero trust access etc)

- Prisma Cloud - cloud-native application protection, cloud workload protection, cloud posture management and cloud network security. This is more for protecting YOUR infrastructure in the public cloud (Azure, AWS, Google etc) and private cloud.

 

You may find this video interesting regarding Prisma SASE and Prisma Access. - https://www.youtube.com/watch?v=4Yo1K9G3QRE

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!