
Task 01: Turn on Cloud Discovery and seed data


Security Architecture Team

  1. In the Defender XDR portal’s leftmost pane, go to System > Settings.

  2. Select Cloud Apps.

  3. Under the Cloud Discovery section, select Snapshot reports.

  4. At the top of the page, select Create snapshot report.


  5. In the dialog, select Next.

  6. On the REPORT DETAILS step, enter the following:

    Item           Value
    Report Name    CloudDiscoverySampleReport
    Source         Custom log format…

  7. In the Custom log format dialog, if it’s not filled in by default, enter the following:

    Item                                  Value
    Parser name                           CSVParser
    Delimiter                             Comma
    Timestamp column name                 Timestamp format
    Timestamp format                      d/M/yyyy HH:mm:ss a
    Source IP address column name         Source IP
    Destination URL address column name   Destination IP/URL
    Destination URL format                https://www.contoso.com


  8. At the bottom of the dialog, select Save.

  9. Select Next.


  10. Under Upload traffic logs, select Browse.

  11. Go to C:\LabFiles\E5.

  12. Select CloudDiscoverySample.csv, then select Open.


  13. Select Upload logs.

  14. Once finished, select Close.

  15. On the table, wait until Status shows Ready.


    Processing usually happens within 10 minutes. Periodically refresh the page.

  16. Once Ready, select the report.

  17. In the leftmost pane, go to Cloud apps > Cloud app catalog.

  18. Sort the table by descending Risk score and note the top risky applications.

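A snapshot report is only as good as the log it is seeded with, so it is worth checking a traffic log against the parser settings from step 7 (comma delimiter, the Source IP and Destination IP/URL columns, the d/M/yyyy HH:mm:ss a timestamp format) before uploading it in step 10. The script below is an added example, not part of the lab or of CloudDiscoverySample.csv; it assumes the timestamp column header is named "Timestamp" and uses constructed rows, two of which are deliberately malformed, then tallies destination hosts the way the report tallies app traffic.

```python
import csv, io, ipaddress
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Parser settings taken from the Custom log format dialog in step 7.
DELIMITER = ","
SOURCE_IP_COLUMN = "Source IP"
DEST_COLUMN = "Destination IP/URL"
TIMESTAMP_COLUMN = "Timestamp"  # assumption: header name in the sample file
# "d/M/yyyy HH:mm:ss a" as a strptime pattern: 24-hour clock plus an AM/PM marker.
TIMESTAMP_FORMAT = "%d/%m/%Y %H:%M:%S %p"

# Constructed sample rows, not the contents of CloudDiscoverySample.csv.
# Row 4 has an ISO timestamp and row 5 a malformed source IP on purpose.
SAMPLE_CSV = """Timestamp,Source IP,Destination IP/URL
5/3/2024 14:30:00 PM,10.0.0.15,https://www.contoso.com/login
5/3/2024 14:31:12 PM,10.0.0.15,https://files.example.net/share
5/3/2024 14:35:07 PM,10.0.0.22,https://www.contoso.com/api
2024-03-05 14:36:00,10.0.0.22,https://www.contoso.com/
5/3/2024 14:40:00 PM,not-an-ip,https://mail.example.org/inbox
"""


def check_row(row):
    """Validate one row against the parser settings; return (host, error)."""
    try:
        datetime.strptime(row.get(TIMESTAMP_COLUMN) or "", TIMESTAMP_FORMAT)
    except ValueError:
        return None, "bad timestamp"
    try:
        ipaddress.ip_address(row.get(SOURCE_IP_COLUMN) or "")
    except ValueError:
        return None, "bad source ip"
    host = urlparse(row.get(DEST_COLUMN) or "").hostname
    if not host:
        return None, "bad destination"
    return host, None


def summarize(csv_text):
    """Return (destination host tally, rejection reason tally) for a log."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=DELIMITER)
    hosts, rejected = Counter(), Counter()
    for row in reader:
        host, error = check_row(row)
        if error:
            rejected[error] += 1
        else:
            hosts[host] += 1
    return hosts, rejected
```

Run `summarize(open("CloudDiscoverySample.csv").read())` on the real file; a non-empty rejection tally means the parser settings and the file disagree.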


Security Engineering and Administration

  1. In the Defender XDR portal’s leftmost pane, go to System > Settings.

  2. Select Endpoints.

  3. Ensure Microsoft Defender for Cloud Apps is set to On (if using MDE).


  4. If this was just enabled, select Save preferences at the bottom.

  5. On the Endpoints page menu, under Permissions, select Device groups.


  6. At the top of the page, select Add device group.

  7. Enter the following, then select Next:

    Item                 Value
    Device group name    PilotDeviceGroup
    Remediation level    No automated response

  8. On the Devices step, set the condition to Name, Starts with, win, then select Next.


  9. Select Next through the remaining steps, then select Submit.

  10. In the dialog for No user groups selected, select Continue.


SOC Analyst

  1. In the Defender XDR portal’s leftmost pane, go to System > Settings.

  2. Select Cloud Apps.

  3. Under the Cloud Discovery section, select Snapshot reports.

  4. Select CloudDiscoverySampleReport.


    Created by the Architect in Task 01 of this Exercise.

  5. Explore the various tabs to see what’s being reported.