Exam SC-200
Question 19

HOTSPOT -

You purchase a Microsoft 365 subscription.

You plan to configure Microsoft Cloud App Security.

You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.

What should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

Discussion
Efficia

Policy template type: Activity Policy
Filter based on: IP address tag
Tested on the MCAS portal. Only when you select Activity policy do you get to filter on IP address.

AnonymousJhb

It's NOT Activity Policy, as per https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy (anomaly-detection-policy): "Activity from suspicious IP addresses: This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization."

MNC

Anomaly detection policy doesn't exist.

Metasploit

It actually does; it is called Cloud Discovery anomaly detection policy, but it is not suitable for this question, as you cannot filter by any of the filters mentioned in the question.

Holii

There are Anomaly Detection Policies as pre-built templates to use UEBA specifically for suspicious IP Address behavior (Botnet C&C) BUT it does not have a filter, only a source. So, correct. A custom policy with a filter would have to come from an Activity Policy, albeit redundant.

Metasploit

Agreeing with this answer, just tested it as well.
Activity Policy Type. Filter: IP address > Tag > equals > Botnet.
Access Policy: Does not seem to have a filter section.
Cloud Discovery Anomaly Detection Policy: Does not meet any of the options to filter here.

stromnessian

Control -> Templates -> Logon from a risky IP address -> Create (activity) policy -> Activities matching any of the following -> IP address | Category | equals | Risky. Answer is Activity policy, IP address. For anyone who thinks it's "Anomaly detection policy", state the exact steps please and say why the steps above are wrong.

vijeet

Activity from suspicious IP addresses: This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.

guneskursad

Question in exam today, 12-02-23. Answer is: Activity policy, IP address tag.

Apocalypse03

Policy template type: Activity Policy
Filter based on: IP address tag
Activity policies in Cloud App Security are designed to detect specific types of activity in the cloud apps that are being monitored. The "Botnet Network Activity" policy template is a pre-defined policy that is designed to detect and alert on suspicious activity from botnet networks. This policy uses a combination of machine learning and threat intelligence to identify botnet network activity, such as attempts to compromise accounts or access sensitive data.
"Access Policy" is a type of policy that is used to control access to specific cloud apps or resources based on specified conditions, such as the location of the user or the type of device being used.
"Anomaly detection policy" is a type of policy that is used to detect anomalies in the activity of specific cloud apps or resources based on specified conditions, such as the number of times a resource is accessed or the type of activity that is being performed.
Neither of these options is suitable for detecting connections to Microsoft 365 apps that originate from a botnet network.

Holii

There is no "Botnet Network Activity" pre-defined policy template by default... and "This policy uses a combination of machine learning and threat intelligence to identify botnet network activity" sounds like Anomaly Detection Policy... Anomaly Detection Policy uses UEBA to conduct machine learning on user analytics to predict whether IP addresses are being conducted suspiciously or coming from a potential Botnet C&C. Source: https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
Now, the question strictly asks for a FILTER to be applied to "IP Addresses". Cloud Discovery Anomaly Detection Policies "Apply to" IP addresses or Users; they do not "Filter" for them... so due to the nature of the grammar of this question I would say Activity Policy, since they are more open to creating a CUSTOM policy based on a TEMPLATE and capable of applying a FILTER for IP addresses. But if you're asking which one is the 'technically' correct one now that UEBA is fleshed out in the Microsoft ecosystem, it is 100% Anomaly Detection Policy.

AJ2021

Question in exam today.

de_cs_bacsi

There is an exact filter type that is needed under the creation of "Activity policy": "Select a filter --> IP Address --> Select a filter --> Tag --> Select IP address tag --> Botnet". And there is no "Anomaly policy" after pushing the "Create policy" button, so all the Anomaly Policies are built-in and not custom ones. Thus:
Policy template type: Activity Policy
Filter based on: IP address tag

altecer

On exam 2-11-2023

TiredofTesting

Looks like it is leaning more toward 1) Activity Policy and 2) IP address tag. While I want to say Anomaly detection policy for the 1st answer, when I tested it in the lab, it came back with no templates under that category, while Activity Policy came back with a bunch related to logins from risky IPs, potential ransomware activity, etc.

amsioso

https://docs.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies

Ahmed_Root

Yes, this link is helpful, and also this one: https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy. It is clear that the first response is "anomaly detection policy", but there is no "IP address tag" filter in it; there is "risky IP address" and such filters.

prkhrkmr

IP Address Tag is available in both Access and Activity policies. Check it out:
https://security.microsoft.com/cloudapps/policy/activity/create
https://security.microsoft.com/cloudapps/policy/access/create
There are no customizable policies under "Anomaly Detection Policy" to narrow down just to Botnet IPs. The built-in Anomaly Detection Policy called "Activity from suspicious IP addresses" is not customizable.

donathon

So I physically tested it, and I found the filter only in the Activity policy template.

Big_Billy_Gates

Why are so many people saying Activity Policy? It's wrong. 'Anomaly detection policy' and 'IP address tag' *are* the correct answers. The question asks for a policy to detect connections from a Botnet related IP address, this is done using the 'Activity from suspicious IP addresses' anomaly detection policy. The list of available anomaly detection policies can be found here: https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy

danlo

You can't filter on "Activity from suspicious IP addresses"; that's the problem.

7d801bf

Anomaly detection policy and IP address tag.

smanzana

Policy template type: Activity Policy
Filter based on: IP address tag

chepeerick

Correct.

Ahmed_Root

https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy. It is anomaly detection policy, and the other one is actually "suspicious IP address", which is not here. But you can find the response in the link: "Activity from suspicious IP addresses: These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account..."

Atun23

I'm really confused on this one. For anomaly detections it says "such as mis-tagged IP addresses", so it doesn't use IPs tagged as malicious, and the filter used according to the scenario can only be IP address tag. If we were to choose anomaly detections, the filter should be source, as it originates from a botnet.
"Activity from suspicious IP addresses: This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization."
https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy