docs(audit): Defender for Cloud Apps pattern catalog (closes #338)#368

Merged
Daren9m merged 1 commit into
mainfrom
spike/338-defender-for-cloud-apps
Apr 30, 2026

Conversation

@Daren9m Daren9m commented Apr 30, 2026

Summary

Resolves spike #338. Twelfth domain audit under v3.4.0 umbrella (#326). Ships docs/audits/defender-for-cloud-apps.md.

Coverage matrix

| Category | Total | Covered | Refresh | Gaps |
|---|---|---|---|---|
| App connectors | 3 | 1 partial | 1 | 2 |
| OAuth app governance | 5 | 3 cross-domain | 0 | 2 |
| Cloud Discovery | 3 | 0 | 0 | 3 |
| Session policies | 3 | 0 | 0 | 3 |
| Anomaly detection + alert policies | 4 | 0 | 0 | 4 |
| Anti-patterns | 5 | 0 | 0 | 1 unique (rest fold) |
| Total | 24 | 4 + 3 cross-domain | 1 | 15 net to file |

Stark coverage asymmetry surfaced

Only 1 MDCA-specific check (DEFENDER-CLOUDAPPS-001 = "is MDCA enabled") vs 27 OAuth/app-governance checks in ENTRA-ENTAPP-* + ENTRA-CONSENT-*. CheckID's OAuth coverage is already strong at the Entra layer; this audit's gap list focuses on the uniquely-MDCA surfaces rather than re-cataloguing OAuth.

The biggest gap clusters:

  • Cloud Discovery (3 gaps): ingestion, classification, risk thresholds
  • Session policies (3 gaps): policy presence, CA-pairing requirement, anomaly conditions — including the most common MDCA misconfiguration (session policy created in MDCA UI but no CA policy references it = dead config)
  • Anomaly detection + alert routing (4 gaps): defaults enabled, custom policies, SOC routing, auto-remediation

Strategic note: app governance migration

OAuth governance has migrated from MDCA-specific into Microsoft 365 Defender's "App Governance" feature (Graph beta /security/applicationGovernance/policies). Modern path uses the Defender Graph endpoint, not MDCA's own dashboard. The audit doc flags this so future MDCA-related work targets the right surface.

Detection-method first: per-tenant URL endpoint

This is the first audit where detection lives in a per-tenant URL endpoint (https://<tenant>.portal.cloudappsecurity.com/api/) rather than standard Graph. Detection logic needs URL discovery + separate OAuth flow + API tokens (separate from Graph SP auth).

Threat-pattern map highlights

| Compromise pattern | Tradecraft | Primary control |
|---|---|---|
| OAuth consent abuse | Storm-X campaigns; phishing user into granting OAuth scope | App governance auto-revoke + verified-publisher restriction |
| Sudden surge of new app consent | Storm-0539 consent campaigns | Recent consent activity surge detection |
| Unsanctioned SaaS access / shadow IT | Users discovering exfil paths via personal SaaS | Cloud Discovery ingestion + classification |
| Sensitive download from unmanaged device | BYOD-flavored data exfil from sensitive SaaS | Session policy block-download + CA pairing |
| Impossible travel sign-in | Compromised credentials used from unusual geography | Default anomaly policies + auto-remediation |
| Multi-cloud blind spot | Org uses Azure + AWS + GCP; only M365 visibility | Third-party SaaS connectors |

Files

  • docs/audits/defender-for-cloud-apps.md — 289 lines
  • CHANGELOG.md — [Unreleased] / Documentation entry

Test plan

Out of scope

Progress on v3.4.0 audit umbrella

12 of 14 domain audits done. Identity stack done (CA, PIM, MFA enforcement, auth methods, token/session, external collab). Collaboration triad done (MDO, SPO, Teams). Mail flow + Intune + MDCA done.

Remaining (2):

Suggest #336 (Power Platform) next — smaller and resolves the open PBI-*POWERBI-* namespace duplication chore. Save #335 (Purview, the largest) for last.

🤖 Generated with Claude Code
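The "session policy created in MDCA UI but no CA policy references it = dead config" finding described above is the kind of cross-spike pairing check a detection would have to implement. The following is an added example, not CheckID's own code and not from the audit document: it models the pairing in Python against constructed sample data. The Conditional Access side uses the real Microsoft Graph `conditionalAccessPolicy` shape (`state`, `conditions.applications.includeApplications`, `sessionControls.cloudAppSecurity.isEnabled` / `cloudAppSecurityType`), which is what "Use Conditional Access App Control" sets; the MDCA session-policy shape (`SessionPolicy`) and the app IDs (`app-spo`, `app-salesforce`) are assumptions, since the page does not show the MDCA API's policy format. Exclusions (`excludeApplications`) are not modelled.

```python
"""Pair MDCA session policies with Conditional Access App Control routing.

Added example (not CheckID project code). An MDCA session policy only takes
effect for sessions that Conditional Access routes through MDCA; in Graph
that is an enabled conditionalAccessPolicy whose sessionControls.cloudAppSecurity
is enabled with cloudAppSecurityType "mcasConfigured". A session policy whose
target apps are not routed by any such CA policy is dead configuration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SessionPolicy:
    """Assumed (simplified) shape of an MDCA session policy."""
    name: str
    app_ids: frozenset[str]  # apps the policy filters on; empty = all apps
    enabled: bool = True


def ca_routes_to_mdca(policy: dict) -> bool:
    """True if a Graph conditionalAccessPolicy is enabled and routes sessions to MDCA.

    Report-only ("enabledForReportingButNotEnforced") and disabled policies do
    not enforce App Control, so they do not count.
    """
    if policy.get("state") != "enabled":
        return False
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    return bool(cas.get("isEnabled")) and cas.get("cloudAppSecurityType") == "mcasConfigured"


def apps_routed_to_mdca(ca_policies: list[dict]) -> tuple[bool, frozenset[str]]:
    """Return (all_apps_routed, explicit_app_ids) across enforcing App Control CA policies."""
    all_apps = False
    ids: set[str] = set()
    for p in ca_policies:
        if not ca_routes_to_mdca(p):
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        included = apps.get("includeApplications") or []
        if "All" in included:  # Graph uses the literal "All" for every cloud app
            all_apps = True
        ids.update(a for a in included if a != "All")
    return all_apps, frozenset(ids)


def dead_session_policies(session_policies: list[SessionPolicy],
                          ca_policies: list[dict]) -> list[str]:
    """Names of enabled session policies that no enforcing CA policy routes traffic to."""
    all_apps, routed = apps_routed_to_mdca(ca_policies)
    if all_apps:
        return []
    dead = []
    for sp in session_policies:
        if not sp.enabled:
            continue
        if not sp.app_ids:
            # Targets every app: dead only if nothing at all is routed to MDCA.
            if not routed:
                dead.append(sp.name)
        elif not (sp.app_ids & routed):
            dead.append(sp.name)
    return dead


# Constructed sample data (app IDs are placeholders, not real appIds).
SESSION_POLICIES = [
    SessionPolicy("Block download - SharePoint (unmanaged)", frozenset({"app-spo"})),
    SessionPolicy("Monitor all apps", frozenset()),
    SessionPolicy("Block download - Salesforce", frozenset({"app-salesforce"})),
]

CA_POLICIES = [
    {   # enforcing App Control for SharePoint: routes app-spo to MDCA
        "displayName": "CA-AppControl-SPO",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["app-spo"]}},
        "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                                 "cloudAppSecurityType": "mcasConfigured"}},
    },
    {   # report-only: the Salesforce session policy is therefore never reached
        "displayName": "CA-AppControl-Salesforce",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"applications": {"includeApplications": ["app-salesforce"]}},
        "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                                 "cloudAppSecurityType": "mcasConfigured"}},
    },
    {   # MFA-only policy on all apps: no App Control session control
        "displayName": "CA-MFA-All",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "sessionControls": None,
    },
]

if __name__ == "__main__":
    for name in dead_session_policies(SESSION_POLICIES, CA_POLICIES):
        print(f"DEAD CONFIG: session policy '{name}' has no enforcing CA App Control policy")
```

Run against a tenant, the CA list would come from `GET /identity/conditionalAccess/policies` and the session policies from the per-tenant MDCA endpoint described in the PR; the example keeps both inline so the pairing logic can be tested without credentials.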

Twelfth domain audit under v3.4.0 umbrella (#326). Resolves spike #338.

docs/audits/defender-for-cloud-apps.md catalogs 24 canonical patterns
across 5 sub-domains (app connectors, OAuth app governance, Cloud
Discovery, session policies, anomaly detection + alert policies).

Surfaces a STARK COVERAGE ASYMMETRY: only 1 MDCA-specific check
(DEFENDER-CLOUDAPPS-001 = "is MDCA enabled") versus 27 OAuth /
app-governance checks in ENTRA-ENTAPP-* + ENTRA-CONSENT-* namespaces.
The OAuth dimension that MDCA's spike covers is already strong at the
Entra layer (cross-domain to #328 PIM and the app registration tier).

Audit gap list focuses on uniquely-MDCA surfaces:
- Cloud Discovery (3 gaps: ingestion, classification, risk thresholds)
- Session policies (3 gaps: presence, CA pairing, anomaly conditions)
- Anomaly detection + alert policies (4 gaps: defaults, custom,
  routing, auto-remediation)
- App connectors (2 gaps: third-party SaaS, scope review)

Plus 2 OAuth-side gaps that MDCA-specifically surfaces beyond the
Entra checks (auto-revoke policies, consent-surge detection from
Storm-X tradecraft).

Strategic note: OAuth governance has migrated from MDCA-specific into
Microsoft 365 Defender's "App Governance" feature (Graph beta
/security/applicationGovernance/policies). Modern path uses the
Defender Graph endpoint, not MDCA's own dashboard.

15 gap CheckIDs to file; 1 narrative-refresh chore; 1 cross-spike
consolidation (MDCA session policy + CA App Control grant pairing —
most common MDCA misconfiguration).

DETECTION-METHOD FIRST: this is the first audit where detection lives
in a per-tenant URL endpoint (https://<tenant>.portal.cloudappsecurity.com/api/)
rather than standard Graph. Appendix documents:
- Per-tenant URL discovery requirement
- MDCA's own OAuth flow + API tokens (separate from Graph SP auth)
- App Governance vs MDCA OAuth governance overlap (Microsoft has
  migrated to Defender Graph endpoint)
- License detection ("not licensed" vs "available but unused")
- Cloud Discovery requires log ingestion ("no reports" can mean 3
  different things)
- Session policy + CA pairing dependency (most common MDCA
  misconfiguration)
- Anomaly policy thresholds vary with Microsoft tuning

Threat-pattern map covers OAuth consent abuse / Storm-X campaigns,
sudden surge of app consent (Storm-0539), unsanctioned SaaS access /
shadow IT, sensitive download from unmanaged device, impossible travel,
mass file download / bulk delete, and multi-cloud blind spot.

Same template as #327, #328, #329, #330, #331, #332, #333, #334, #337,
#339, #340.

Closes #338

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

Framework mapping count delta

| Framework | main | this PR | Δ | Δ% | Status |
|---|---|---|---|---|---|
| cis-controls-v8 | 1020 | 1020 | 0 | +0.00% | ✓ OK |
| cis-m365-v6 | 180 | 180 | 0 | +0.00% | ✓ OK |
| cisa-scuba | 52 | 52 | 0 | +0.00% | ✓ OK |
| cmmc | 1080 | 1080 | 0 | +0.00% | ✓ OK |
| eidsca | 21 | 21 | 0 | +0.00% | ✓ OK |
| essential-eight | 630 | 630 | 0 | +0.00% | ✓ OK |
| fedramp | 1072 | 1072 | 0 | +0.00% | ✓ OK |
| gdpr | 11 | 11 | 0 | +0.00% | ✓ OK |
| hipaa | 501 | 501 | 0 | +0.00% | ✓ OK |
| iso-27001 | 1020 | 1020 | 0 | +0.00% | ✓ OK |
| iso-27002 | 1020 | 1020 | 0 | +0.00% | ✓ OK |
| iso-27017 | 1012 | 1012 | 0 | +0.00% | ✓ OK |
| mitre-attack | 892 | 892 | 0 | +0.00% | ✓ OK |
| nis2 | 311 | 311 | 0 | +0.00% | ✓ OK |
| nist-800-171 | 1080 | 1080 | 0 | +0.00% | ✓ OK |
| nist-800-53 | 1072 | 1072 | 0 | +0.00% | ✓ OK |
| nist-csf | 826 | 826 | 0 | +0.00% | ✓ OK |
| pci-dss | 1052 | 1052 | 0 | +0.00% | ✓ OK |
| soc2 | 1103 | 1103 | 0 | +0.00% | ✓ OK |
| stig | 13 | 13 | 0 | +0.00% | ✓ OK |

Result: ✓ PASS — no framework mapping regressions detected.

@github-actions

Content enrichment population

Overall (1105 checks): rationale 26.3% (291/1105) • impact 26.3% (291/1105) • references 26.3% (291/1105)

| Framework | n | rationale | impact | references |
|---|---|---|---|---|
| cis-controls-v8 | 1020 | 25.1% (256/1020) | 25.1% (256/1020) | 25.1% (256/1020) |
| cis-m365-v6 | 180 | 100.0% (180/180) | 100.0% (180/180) | 100.0% (180/180) |
| cisa-scuba | 52 | 100.0% (52/52) | 100.0% (52/52) | 100.0% (52/52) |
| cmmc | 1080 | 26.3% (284/1080) | 26.3% (284/1080) | 26.3% (284/1080) |
| eidsca | 21 | 100.0% (21/21) | 100.0% (21/21) | 100.0% (21/21) |
| essential-eight | 630 | 22.2% (140/630) | 22.2% (140/630) | 22.2% (140/630) |
| fedramp | 1072 | 27.1% (291/1072) | 27.1% (291/1072) | 27.1% (291/1072) |
| gdpr | 11 | 100.0% (11/11) | 100.0% (11/11) | 100.0% (11/11) |
| hipaa | 501 | 33.3% (167/501) | 33.3% (167/501) | 33.3% (167/501) |
| iso-27001 | 1020 | 26.6% (271/1020) | 26.6% (271/1020) | 26.6% (271/1020) |
| iso-27002 | 1020 | 26.6% (271/1020) | 26.6% (271/1020) | 26.6% (271/1020) |
| iso-27017 | 1012 | 26.0% (263/1012) | 26.0% (263/1012) | 26.0% (263/1012) |
| mitre-attack | 892 | 30.7% (274/892) | 30.7% (274/892) | 30.7% (274/892) |
| nis2 | 311 | 25.7% (80/311) | 25.7% (80/311) | 25.7% (80/311) |
| nist-800-171 | 1080 | 26.3% (284/1080) | 26.3% (284/1080) | 26.3% (284/1080) |
| nist-800-53 | 1072 | 27.1% (291/1072) | 27.1% (291/1072) | 27.1% (291/1072) |
| nist-csf | 826 | 31.1% (257/826) | 31.1% (257/826) | 31.1% (257/826) |
| pci-dss | 1052 | 26.3% (277/1052) | 26.3% (277/1052) | 26.3% (277/1052) |
| soc2 | 1103 | 26.4% (291/1103) | 26.4% (291/1103) | 26.4% (291/1103) |
| stig | 13 | 100.0% (13/13) | 100.0% (13/13) | 100.0% (13/13) |

Informational only — does not gate the build. The hard release-gate for Critical/High enrichment lives in #281 (v3.2.0).

@Daren9m Daren9m merged commit 9bf7182 into main Apr 30, 2026
8 checks passed
@Daren9m Daren9m deleted the spike/338-defender-for-cloud-apps branch April 30, 2026 13:41