Wednesday, January 12, 2022

Protect your Smartsheet Deployment using Microsoft Defender for Cloud Apps

By Erin Boris, Idan Basre and Yoann Mallet

 

One of the latest app connectors to be added to Microsoft Defender for Cloud Apps is for Smartsheet.

As we have in the past for other protected apps, we would like to share a few examples of how to use it to secure your Smartsheet deployment.

 

Why Connect Smartsheet?

As with other apps, connecting Smartsheet to Defender for Cloud Apps allows you to leverage some of the built-in features of your favorite CASB, such as:

 

Benefit

Description

Policy or template

Threat and Anomaly Detection

Detect cloud threats, compromised accounts, and malicious insiders

The following built-in Threat detection policies automatically apply when Defender for Cloud Apps is connected to Smartsheet:

·       Unusual file share activities

·       Unusual file deletion activities

·       Unusual administrative activities

·       Unusual multiple file download activities

 

Audit, investigation, and hunting

Use the audit trail of activities for forensic investigations

Leverage Advanced Hunting Queries as part of the Microsoft 365 Defender Portal to audit the use of Smartsheet and create policies

 

How to connect Smartsheet?

Let’s start with connecting Smartsheet.

Detailed instructions are available here, and if you prefer our video, check it out below:

 

 

Leverage Microsoft Defender for Cloud Apps with Smartsheet

The best way to get quick value from Defender for Cloud Apps when protecting Smartsheet, is to use the Advanced Hunting feature in the Microsoft 365 Defender portal.

If you have not used that portal just yet, simply visit http://security.microsoft.com and you will be redirected to it.

Once there browse to advanced hunting. This will enable you to write your own KQL queries to gather relevant information from the Defender for Cloud Apps activity logs.

Here are two relevant examples:

 

Scenario 1: New user invited, has an external email address

Having a new user invited to Smartsheet with an external email address may be suspicious. In order to detect this, you can leverage the following KQL Query:

 

 

CloudAppEvents
| where Application == "Smartsheet"
|extend a=parse_json(RawEventData).additionalDetails 
|extend email=a.emailAddress
| where ActionType == "User Accept Invite"
and email  !contains "contoso.com" 
| project Timestamp,Application, AccountDisplayName, ActionType,email

 

 

Below is an example of the result of that query in Advanced Hunting:

YoannMallet_0-1641841350218.png

 

This can potentially help you detect any attempt to exfiltrate data or identify a malicious user enabling an external account.

Another option to view all accounts with external email addresses that currently have access to Smartsheet, is from the API connector properties in Defender for Cloud Apps.

 

YoannMallet_1-1641841350271.png

 

A filter can be used to see all external accounts that have accepted an invitation.

 

Scenario 2: File sent as attachment to external email address

When files are sent as an attachment from Smartsheet directly, to an external email address, this can be a sign of data exfiltration.

In order to identify such activities, you can leverage the following KQL Query:

 

 

CloudAppEvents
| where Application == "Smartsheet"
|extend a=parse_json(RawEventData).additionalDetails 
|extend Recipient=a.recipientEmail
| where ActionType =="Sheet Send As Attachment"
and Recipient  !contains "contoso.com" 
| project Timestamp,Application, AccountDisplayName, ActionType,Recipient

 

 

Creating alerts from these queries

In addition to detecting these actions, Microsoft 365 Defender also allows you to create your own custom detections, and identify when these occur in near real-time, as described here.

 

As you can imagine, when using such powerful queries, the sky is the limit! Feel free to share any relevant KQL query you have identified for Smartsheet in the comments below.

 

Resources:

For more information about the features discussed in this article, please read:

Feedback

We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing CASFeedback@microsoft.com and mentioning the area or pillar in Cloud App Security you wish to discuss.

Learn more

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:

Join the conversation on Tech Community

Stay up to date—subscribe to our blog

Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network.

Learn more—download Top 20 use cases for CASB.

Connect your cloud apps to detect suspicious user activity and exposed sensitive data.

Search documentation on Microsoft Cloud App Security

Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment.

Understand your licensing options

Continue with more advanced use cases across information protection, compliance, and more.

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training. Read up on recent blogs: aka.ms/MCASMarch2021

Go deeper with these interactive guides:

·       Discover and manage cloud app usage with Microsoft Cloud App Security

·       Protect and control information with Microsoft Cloud App Security

·       Detect threats and manage alerts with Microsoft Cloud App Security

·       Automate alerts management with Microsoft Power Automate and Cloud App Security

 

 

Posted at https://sl.advdat.com/3FgiwMl