
Task 05: Enable Third-party App Discovery & Integration with Defender for Cloud Apps (MDA)

Discover third-party SaaS usage with Defender for Cloud Apps, connect supported apps, track Secure Score improvements, and harden endpoints using attack surface reduction rules.

  1. Enable Cloud Discovery log collection.

    Expand here to enable Cloud Discovery
    1. In the Defender portal, go to System > Settings.

    2. Select Cloud Apps and under Cloud Discovery, select Automatic log upload.

    3. Enable Automatic log upload (if firewall/proxy logs are used).

      Optionally configure Continuous reports and Score metrics.

    4. In the leftmost pane, go to Cloud apps > Cloud discovery.

    5. Select the Discovered apps tab to review sanctioned/unsanctioned usage and risk scores.

    You do not need to complete the following step in the lab; it is provided for awareness.

    Connect third-party SaaS apps using API app connectors:
    • In the Defender portal, go to System > Settings > Cloud Apps > App Connectors.
    • Select + Connect an app, then choose an app (for example, Box, Google Workspace, ServiceNow).
    • Follow the OAuth/API prompts.
  2. Configure Secure Score tracking in Microsoft 365.

    Expand here to configure Secure Score
    1. On the leftmost pane, select Exposure management, then Secure score.

    2. Select the Recommended actions tab.

    3. In the upper-right corner of the table, select Filter.

    4. Select Category, then Identity, then select Apply.

    5. In the table, select Ensure multifactor authentication is enabled for all users.

      If it is already completed, then select Ensure ‘Self service password reset enabled’ is set to ‘All’.

    6. At the bottom of the flyout pane, select Manage in Microsoft Entra ID to configure the setting in Microsoft Entra.

    Then complete the following steps:

    • After completion, return to Secure Score.
    • Near the top of the flyout pane, select Edit status & action plan, set the status to Completed, and select Save and close.
  3. Harden endpoints with Attack Surface Reduction (ASR) rules in Intune.

    Expand here to configure ASR rules in Intune
    1. Open a new browser tab and go to Microsoft Intune.

    2. In the leftmost pane, select Endpoint security.

    3. Select Manage > Attack surface reduction, and then select + Create policy.

    4. Under Platform, select Windows.

    5. Under Profile, select Attack Surface Reduction Rules.

    6. Select Create.

    7. On the Basics tab, under Name, enter Attack Surface Reduction Policy, then select Next.

    8. On the Configuration settings tab, set Block execution of potentially obfuscated scripts to Block.

    9. Select Next.

    10. Select Next through the remaining steps to accept defaults.

    11. Select Save to create the policy.
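To confirm that the Intune policy actually took effect on a managed device, the following PowerShell (an added example, not part of the lab) reads the effective Defender preferences and lists recent ASR events. The rule GUID is Microsoft's documented ID for "Block execution of potentially obfuscated scripts"; confirm it against the current ASR rule reference before relying on it.

```powershell
# Added example: verify the effective ASR state on a Windows endpoint.
# Run in an elevated PowerShell session where the Defender module is available.
# The GUID is Microsoft's documented rule ID for "Block execution of potentially
# obfuscated scripts"; confirm it against the ASR rule reference.
$ObfuscatedScriptsRule = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'

# Action codes reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Rule IDs may be stored in either case, so compare case-insensitively.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

# Event 1121 = an ASR rule fired in Block mode; 1122 = it fired in Audit mode.
function Get-AsrEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        Message
}

$state = Get-AsrRuleState -RuleId $ObfuscatedScriptsRule
Write-Output "Block execution of potentially obfuscated scripts: $state"
if ($state -ne 'Block') {
    Write-Warning 'Rule is not enforcing yet; the Intune policy may not have applied to this device.'
}
Get-AsrEvents -Days 7 | Format-Table -AutoSize
```

A state of Audit with 1122 events is the expected picture during a staged rollout; Block with no 1121 events on a lab machine simply means nothing obfuscated has run.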

Attack Surface Reduction Rules - Quick Reference

| Rule | Why it matters |
| --- | --- |
| Block execution of potentially obfuscated scripts | Prevents attackers from hiding malicious code inside scripts (for example, PowerShell, JavaScript). |
| Block credential stealing from LSASS | Protects against credential theft techniques commonly used by attackers. |
| Block process creations from PsExec and WMI commands | Stops lateral movement using remote execution tools. |
| Block Office apps from creating child processes | Reduces the risk of macro-based malware spawning other processes. |
| Block Office apps from injecting code into other processes | Prevents advanced malware from hijacking trusted apps. |
| Block untrusted and unsigned processes from running from USB/removable drives | Protects against malware delivered through removable media. |

Only the obfuscated scripts rule is required for this exercise; the others are included here as best practices.