Hi @landon_cox ,
I am fairly new to Cortex XDR myself, so I don't consider myself completely competent, but I believe XDR doesn't provide such functionality out of the box. And I would say it is expected: Cortex XDR is endpoint protection (in simple terms), while Defender for Cloud Apps is a CASB (cloud access security broker). Those are completely different products targeting completely different security domains.
I would probably make some people angry, but I would try to simplify and summarize CASB as a simple forwarding proxy. As you can imagine, any cloud service can be accessed in different ways - using a dedicated application or with a web browser. In order for any CASB product to be able to detect and identify any cloud application/SaaS, it needs to be able to inspect the traffic; this way it doesn't matter if you open OneDrive with a browser or with the app, and whether you sync a directory or download something. And of course the easiest way is to proxy endpoint traffic.
Cortex XDR is not a CASB; it is not its focus. Having said that, you probably could get a similar result, but not as close as a real CASB product.
If you already use Palo Alto firewalls and you have SSL decryption for outbound traffic, you can Generate the SaaS Application Usage Report (paloaltonetworks.com)
You could also use XQL and build a query that could search for DNS requests for known SaaS domains or network connections to known SaaS IP ranges. Unfortunately there are two problems:
- Since XDR is not CASB there isn't any "signature" that you can use to identify if network traffic is related to SaaS/Cloud App.
- Looking only at DNS logs in EDR logs is not reliable. Depending on how the application is generating the DNS request, it might not be logged and not present in the EDR, so it is more reliable to search for network connections, which makes identifying SaaS traffic more difficult - you need to know their IP ranges.
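The approach sketched in this reply (match endpoint DNS queries against known SaaS domains, and fall back to matching network connections against known SaaS IP ranges because DNS events may be missing) is illustrated below as an added example. It is not part of the original post and not Palo Alto code; it runs over constructed EDR-style records rather than XQL results, and the SaaS catalogue (app names, domain suffixes and CIDR ranges) is a placeholder you would replace with the vendors' published lists.

```python
"""Attribute EDR-style network events to known SaaS applications.

Added example, not part of the original forum post or any Palo Alto
product code. The domain suffixes, CIDR ranges and log records below
are constructed for illustration (assumption: they are placeholders,
not real vendor allocations).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed SaaS catalogue: app name -> domain suffixes and IP ranges.
# Since the EDR has no built-in SaaS "signature", this list is the
# signature you maintain yourself.
SAAS_CATALOGUE = {
    "example-storage": {
        "domains": ("storage.example", "cdn.storage.example"),
        "cidrs": ("203.0.113.0/24",),
    },
    "example-chat": {
        "domains": ("chat.example",),
        "cidrs": ("198.51.100.0/25", "2001:db8:1::/48"),
    },
}

# Parse the networks once so every event check is cheap.
_NETWORKS = {
    app: [ipaddress.ip_network(c) for c in spec["cidrs"]]
    for app, spec in SAAS_CATALOGUE.items()
}


@dataclass
class Event:
    kind: str                        # "dns" or "conn"
    host: str                        # endpoint that produced the event
    query: Optional[str] = None      # dns events only
    remote_ip: Optional[str] = None  # conn events only


def match_domain(name: str) -> Optional[str]:
    """Return the SaaS app whose domain suffix matches `name`, if any.

    Suffix matching is anchored on a dot so that a look-alike name such
    as storage.example.evil.test is not attributed to the SaaS app.
    """
    name = name.rstrip(".").lower()
    for app, spec in SAAS_CATALOGUE.items():
        for suffix in spec["domains"]:
            if name == suffix or name.endswith("." + suffix):
                return app
    return None


def match_ip(ip: str) -> Optional[str]:
    """Return the SaaS app whose published range contains `ip`, if any."""
    addr = ipaddress.ip_address(ip)
    for app, nets in _NETWORKS.items():
        if any(addr in n for n in nets):
            return app
    return None


def classify(event: Event) -> Optional[str]:
    """Use the DNS name when one was logged, otherwise the remote IP."""
    if event.kind == "dns" and event.query:
        return match_domain(event.query)
    if event.kind == "conn" and event.remote_ip:
        return match_ip(event.remote_ip)
    return None


def saas_usage(events):
    """Aggregate events into app -> set of hosts seen using it."""
    usage = {}
    for ev in events:
        app = classify(ev)
        if app:
            usage.setdefault(app, set()).add(ev.host)
    return usage


# Constructed sample events in the shape an EDR might export.
SAMPLE_EVENTS = [
    Event("dns", "host-a", query="files.storage.example."),
    Event("conn", "host-a", remote_ip="203.0.113.20"),
    # host-b's sync client produced no logged DNS event; only the
    # connection is visible, so the IP-range match has to carry it.
    Event("conn", "host-b", remote_ip="198.51.100.7"),
    Event("conn", "host-c", remote_ip="192.0.2.9"),  # not a catalogued SaaS
    Event("dns", "host-c", query="mail.internal.example"),
]

if __name__ == "__main__":
    for app, hosts in sorted(saas_usage(SAMPLE_EVENTS).items()):
        print(f"{app}: {sorted(hosts)}")
```

The IP-range path is what rescues host-b, whose DNS lookup never reached the EDR; the cost, as the reply notes, is that the catalogue of ranges has to be kept current, and any range the vendor changes silently turns into missed traffic rather than a false alert.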