Azure cloud_app_security_policies Mappings

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

Mappings

Capability ID: cloud_app_security_policies
Capability Description: Cloud App Security Policies

Every row below belongs to this single capability. Each row gives the ATT&CK ID, ATT&CK Name, Category (detect or protect) and Value (minimal, partial or significant), followed by the Comments recorded for that row. No References are recorded for any row.

ATT&CK ID    ATT&CK Name                                     Category   Value
T1078        Valid Accounts                                  detect     partial
  Comments: This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user".

T1078.004    Cloud Accounts                                  detect     partial
  Comments: This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user".

T1078.002    Domain Accounts                                 detect     partial
  Comments: This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user".

T1078.001    Default Accounts                                detect     partial
  Comments: This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user".

T1567        Exfiltration Over Web Service                   protect    partial

T1567        Exfiltration Over Web Service                   detect     partial
  Comments: This control can identify large-volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. The relevant alert is "Unusual file download (by user)".

T1567.002    Exfiltration to Cloud Storage                   protect    partial
  Comments: This control can identify large-volume potential exfiltration activity.

T1567.002    Exfiltration to Cloud Storage                   detect     partial
  Comments: This control can identify large-volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. The relevant alert is "Unusual file download (by user)".

T1567.001    Exfiltration to Code Repository                 protect    partial
  Comments: This control can identify large-volume potential exfiltration activity.

T1567.001    Exfiltration to Code Repository                 detect     partial
  Comments: This control can identify large-volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. The relevant alert is "Unusual file download (by user)".

T1189        Drive-by Compromise                             detect     partial

T1535        Unused/Unsupported Cloud Regions                detect     partial
  Comments: This control can detect unusual region and activity for cloud resources (a preview feature as of this writing). The relevant alert is "Suspicious creation activity for cloud region".

T1187        Forced Authentication                           protect    significant
  Comments: This control can provide significant protection against forced authentication methods by restricting actions associated with multiple file access methods such as SMB.

T1187        Forced Authentication                           detect     significant

T1530        Data from Cloud Storage Object                  detect     partial

T1528        Steal Application Access Token                  protect    partial

T1528        Steal Application Access Token                  detect     partial
  Comments: This control can detect potentially risky apps. Relevant alerts include "Misleading publisher name for an OAuth app" and "Misleading OAuth app name".

T1526        Cloud Service Discovery                         detect     partial
  Comments: This control can detect anomalous user activity that may be associated with cloud service discovery. The relevant alert is "Unusual file share activity (by user)".

T1213        Data from Information Repositories              protect    minimal
  Comments: This control can provide fine-grained access control to information sharing repositories such as SharePoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.

T1213        Data from Information Repositories              detect     minimal
  Comments: This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.

T1213.002    Sharepoint                                      protect    partial
  Comments: This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence.

T1213.002    Sharepoint                                      detect     partial
  Comments: This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence.

T1213.001    Confluence                                      protect    partial
  Comments: This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence.

T1213.001    Confluence                                      detect     partial
  Comments: This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence.

T1119        Automated Collection                            protect    partial
  Comments: This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection activities.

T1119        Automated Collection                            detect     partial

T1565        Data Manipulation                               protect    partial

T1565.001    Stored Data Manipulation                        protect    partial
  Comments: This control can detect and encrypt sensitive information at rest on supported platforms.

T1133        External Remote Services                        protect    partial

T1133        External Remote Services                        detect     partial
  Comments: This control can provide logging of activity associated with potential exploitation of remote services, such as anomalous geographic access.

T1219        Remote Access Software                          protect    significant

T1219        Remote Access Software                          detect     partial

T1484        Domain Policy Modification                      detect     minimal

T1484.002    Domain Trust Modification                       detect     minimal
  Comments: This control can detect admin activity from risky IP addresses.

T1484.001    Group Policy Modification                       detect     minimal
  Comments: This control can detect admin activity from risky IP addresses.

T1098        Account Manipulation                            detect     minimal
  Comments: This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".

T1098.003    Add Office 365 Global Administrator Role        detect     minimal
  Comments: This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".

T1098.001    Additional Cloud Credentials                    detect     minimal
  Comments: This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".

T1098.002    Exchange Email Delegate Permissions             detect     minimal
  Comments: This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".

T1578        Modify Cloud Compute Infrastructure             detect     minimal
  Comments: This control can identify anomalous admin activity. Relevant alerts include "Multiple storage deletion activities", "Multiple VM creation activities", and "Suspicious creation activity for cloud region".

T1578.004    Revert Cloud Instance                           detect     minimal
  Comments: This control can identify anomalous admin activity.

T1578.003    Delete Cloud Instance                           detect     minimal
  Comments: This control can identify anomalous admin activity.

T1578.001    Create Snapshot                                 detect     minimal
  Comments: This control can identify anomalous admin activity.

T1578.002    Create Cloud Instance                           detect     minimal
  Comments: This control can identify anomalous admin activity.

T1531        Account Access Removal                          detect     minimal

T1496        Resource Hijacking                              detect     partial
  Comments: This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include "Multiple VM creation activities" and "Suspicious creation activity for cloud region".

T1485        Data Destruction                                detect     partial
  Comments: This control can identify deletion activity which could be malicious data destruction. Relevant alerts include "Multiple storage deletion activities", "Multiple VM deletion activity", "Unusual file deletion activity (by user)", "Suspicious email deletion activity", and "Ransomware activity".

T1486        Data Encrypted for Impact                       detect     partial
  Comments: This control can detect a range of ransomware-related activities, including encryption. Relevant alerts include "Ransomware activities" and "Unusual file deletion activity (by user)".

T1071        Application Layer Protocol                      detect     minimal
  Comments: This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule".

T1071.003    Mail Protocols                                  detect     partial
  Comments: This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule".

T1110        Brute Force                                     detect     partial

T1110.004    Credential Stuffing                             detect     partial
  Comments: This control can detect some activity indicative of brute-force login attempts. The relevant alert is "Multiple failed login attempts".

T1110.003    Password Spraying                               detect     partial
  Comments: This control can detect some activity indicative of brute-force login attempts. The relevant alert is "Multiple failed login attempts".

T1110.001    Password Guessing                               detect     partial
  Comments: This control can detect some activity indicative of brute-force login attempts. The relevant alert is "Multiple failed login attempts".

T1534        Internal Spearphishing                          detect     minimal
  Comments: This control can identify anomalous user impersonation activity, which can be an element of internal spearphishing. The relevant alert is "Unusual impersonated activity (by user)".