This article is contributed. See the original author and article here.
By Erin Boris, Idan Basre and Yoann Mallet
One of the latest app connectors to be added to Microsoft Defender for Cloud Apps is for Smartsheet.
As we have in the past for other protected apps, we would like to share a few examples of how to use it to secure your Smartsheet deployment.
Why Connect Smartsheet?
As with other apps, connecting Smartsheet to Defender for Cloud Apps allows you to leverage some of the built-in features of your favorite CASB, such as:
Policy or template
Threat and Anomaly Detection
Detect cloud threats, compromised accounts, and malicious insiders
The following built-in Threat detection policies automatically apply when Defender for Cloud Apps is connected to Smartsheet:
Audit, investigation, and hunting
Use the audit trail of activities for forensic investigations
Leverage Advanced Hunting Queries as part of the Microsoft 365 Defender Portal to audit the use of Smartsheet and create policies
How to connect Smartsheet?
Let’s start with connecting Smartsheet.
Detailed instructions are available here, and if you prefer our video, check it out below:
Leverage Microsoft Defender for Cloud Apps with Smartsheet
The best way to get quick value from Defender for Cloud Apps when protecting Smartsheet, is to use the Advanced Hunting feature in the Microsoft 365 Defender portal.
If you have not used that portal just yet, simply visit http://security.microsoft.com and you will be redirected to it.
Once there browse to advanced hunting. This will enable you to write your own KQL queries to gather relevant information from the Defender for Cloud Apps activity logs.
Here are two relevant examples:
Scenario 1: New user invited, has an external email address
Having a new user invited to Smartsheet with an external email address may be suspicious. In order to detect this, you can leverage the following KQL Query:
CloudAppEvents | where Application == "Smartsheet" |extend a=parse_json(RawEventData).additionalDetails |extend email=a.emailAddress | where ActionType == "User Accept Invite" and email !contains "contoso.com" | project Timestamp,Application, AccountDisplayName, ActionType,email
Below is an example of the result of that query in Advanced Hunting:
This can potentially help you detect any attempt to exfiltrate data or identify a malicious user enabling an external account.
Another option to view all accounts with external email addresses that currently have access to Smartsheet, is from the API connector properties in Defender for Cloud Apps.
A filter can be used to see all external accounts that have accepted an invitation.
Scenario 2: File sent as attachment to external email address
When files are sent as an attachment from Smartsheet directly, to an external email address, this can be a sign of data exfiltration.
In order to identify such activities, you can leverage the following KQL Query:
CloudAppEvents | where Application == "Smartsheet" |extend a=parse_json(RawEventData).additionalDetails |extend Recipient=a.recipientEmail | where ActionType =="Sheet Send As Attachment" and Recipient !contains "contoso.com" | project Timestamp,Application, AccountDisplayName, ActionType,Recipient
Creating alerts from these queries
In addition to detecting these actions, Microsoft 365 Defender also allows you to create your own custom detections, and identify when these occur in near real-time, as described here.
As you can imagine, when using such powerful queries, the sky is the limit! Feel free to share any relevant KQL query you have identified for Smartsheet in the comments below.
For more information about the features discussed in this article, please read:
- Advanced hunting overview
- Advanced hunting best practices
- Cloud App Security anomaly detection alerts investigation guide
- Microsoft 365 Defender Github
We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing CASFeedback@microsoft.com and mentioning the area or pillar in Cloud App Security you wish to discuss.
For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:
Join the conversation on Tech Community.
Stay up to date—subscribe to our blog.
Learn more—download Top 20 use cases for CASB.
Connect your cloud apps to detect suspicious user activity and exposed sensitive data.
Search documentation on Microsoft Cloud App Security.
Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment.
Understand your licensing options.
Continue with more advanced use cases across information protection, compliance, and more.
Go deeper with these interactive guides:
· Discover and manage cloud app usage with Microsoft Cloud App Security
· Protect and control information with Microsoft Cloud App Security
· Detect threats and manage alerts with Microsoft Cloud App Security
· Automate alerts management with Microsoft Power Automate and Cloud App Security
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.