Introduction
Organizations typically host their email, cloud storage, and virtualized IT in the cloud to reduce infrastructure setup time, cost, and management overhead. This cloud data may be sensitive, and it is exposed to threats and configuration errors that threat actors can take advantage of.
Overview of Cloud Monitoring
While some cloud service partners offer basic alerting and protection, our service focuses exclusively on security and provides integrated leading-edge capabilities across all your services and network assets. Field Effect uses data, logs, and APIs to identify threats affecting your service, administrative components, user accounts, and more.
Setup takes only a few clicks and requires no software or hardware installation. Once cloud monitoring is enabled for a cloud service, Field Effect uses machine learning and other sophisticated analytics to provide a continuously tailored analysis of your network’s user and service data and identify threats.
If a threat is discovered, the following AROs are available for cloud monitoring:
- Suspicious login events
- Suspicious user behaviour
- Access control list modifications
- Authentication over TOR
- Use of MFA backup codes / failing MFA
- Brute-forcing attempts
- Brute-forcing success
- Log of devices used per user
- Document loss detection
- Data loss prevention
- Alert on dormant user activity
- Large number of file downloads
- New/suspicious inbox rule creation
- Authentication via legacy protocols
- Malware detection on SharePoint
- IP address to user ID mapping
- User logins from multiple locations simultaneously
- Suspicious login locations (Geo/TOR/VPN)
- Impossible/improbable travel events
- Access via untrustworthy ISPs
- Modifications to document visibility
- Office 365 suspicious link click notifications
Cloud Monitoring Capabilities
Cloud Analytic Categories
Field Effect collects and processes cloud-service telemetry data and applies User and Entity Behavior Analytics (UEBA) to identify anomalies that could indicate an account breach. It can also identify potential data loss.
| Risk Type | Monitoring |
|---|---|
| Account Risk | Account access; use of Multi-Factor Authentication (MFA); insecure configuration (legacy authentication protocols, exposed services running on virtual servers). |
| Threat Detection | Potential credential compromise; unexpected or suspicious access to an account; patterns of failed MFA attempts; reputation of origin (TOR, VPN, ISP); anomalous access location (IP geolocation, distance); use of MFA or backup codes; brute force attacks and password spray monitoring; concurrent use of an account. |
| Suspicious Account Activity | Logins from unexpected devices; logins from unexpected locations; activity from a dormant account; unexpected authentications using legacy protocols; modifications to the access control list. |
| Data Loss | Anomalous file download quantities; anomalous file deletion quantities; abnormal patterns of data transfers (endpoint, network, and cloud-based); file sharing visibility changes (externally accessible). |
| Email Activity Monitoring | Suspicious inbox rule creations; phishing attempts, via partner logs. |
| Insecure Configuration | Legacy authentication protocol used from an anomalous location. |
| Cloud Storage Monitoring | Malware and malicious file detection; document visibility changes. |
Cloud Monitoring Techniques
Field Effect monitors cloud environments through data that can be extracted via the cloud partner’s API. This data includes:
- Audit and event log analysis:
  - Storage
  - Authentication
  - Security logs
- Cloud partner security logs, including Microsoft Defender for Cloud (Azure).
- User, account, and group information.
Conditional Access (Active Response)
Our cloud Active Response actions allow accounts to be blocked using conditional access policies. When an M365 account is locked because of a security threat, a conditional access policy is also put in place that restricts that account’s access to any resources, ensuring that the compromise is contained.
Integrating a Cloud Service for Monitoring
From the Integrations page (Administration section), click Add for the cloud service you want to monitor and authenticate by providing Field Effect with administrator credentials.
The setup process may differ slightly from service to service. For instructions on each integration, visit our knowledge base chapter on Cloud Monitoring and Integrations.
Troubleshooting Cloud Services
On occasion, there may be a short delay between when the service is enrolled and when it becomes active. In rare cases, an error may occur with a cloud account that requires your attention. When this occurs, the card for that account will display a message that the enrollment is pending, or one of the following:
- Issue: “User is not an administrator, and therefore cannot access the audit logs.”
  - Resolution: unenroll the service and re-enroll using administrator credentials.
- Issue: “Audit logging has not been enabled on the cloud domain.”
  - Resolution: you’ll need to enable audit logging within that cloud service. See Integrations for more.
- Issue: “The client’s service plan level with their cloud partner does not include audit logging.”
  - Resolution: you may need to upgrade your cloud service to a plan that allows for audit logging.
- Issue: “The account used for signup purposes no longer has access to the audit logs, likely because it was disabled or removed. In the case of AWS, a special role needs to be added to the account to pull audit logs, which will result in this error if the role is not present.”
  - Resolution: see Configuring AWS for Field Effect Monitoring.