Cloud Discovery data anonymization
Note
Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
Cloud Discovery data anonymization enables you to protect user privacy. Once a data log is uploaded to the Microsoft Defender for Cloud Apps portal, the log is sanitized and every username is replaced with an encrypted username, so the cloud activity in the resulting reports is not attributable to a named person. When necessary for a specific security investigation (for example, a security breach or suspicious user activity), admins can resolve the real username. If an admin has reason to suspect a specific user, they can also look up the encrypted username of a known username and then investigate using the encrypted username. Strictly speaking this is pseudonymization rather than irreversible anonymization: the mapping can be reversed by anyone who can use the tenant's key, so the controls that matter are the per-tenant key, the mandatory justification, and the audit trail. Each username conversion, in either direction, is audited in the portal's Governance log.
Key points:
- No private information is stored or displayed; only the encrypted usernames are.
- Private data is encrypted using AES-128 with a dedicated key per tenant.
- Resolving usernames is done ad hoc, per username, by deciphering a given encrypted username.
- Anonymization capabilities aren't supported when using the "Defender for Cloud Apps Proxy" stream.
How data anonymization works
There are three ways to apply data anonymization:
1. You can set the data from a specific log file to be anonymized by creating a new snapshot report and selecting Anonymize private information.
2. You can set the data from an automated upload for a new data source to be anonymized by selecting Anonymize private information when you add the new data source.
3. You can set the default in Defender for Cloud Apps to anonymize all data, from both snapshot reports from uploaded log files and continuous reports from log collectors, as follows:
   a. Select Settings > Cloud Discovery settings.
   b. In the Anonymization tab, to anonymize usernames by default, select Anonymize private information by default in new reports and data sources. You can also select Anonymize device information by default in 'Win10 Endpoint Users' report.
   c. Select Save.
1. When anonymization is selected, Defender for Cloud Apps parses the traffic log and extracts specific data attributes.
2. Defender for Cloud Apps replaces the username with an encrypted username.
3. It then analyzes cloud usage data and generates Cloud Discovery reports based on the anonymized data.
4. For a specific investigation, such as an investigation of an anomalous usage alert, you can resolve the specific username in the portal and provide a business justification.
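The following PowerShell is an added example, not Microsoft's code and not the product's actual internals. It models the scheme the key points above describe (AES-128, a dedicated key per tenant, ad hoc reversible resolution, every resolution audited with a justification) and walks through the parse, replace, report and resolve flow just listed on a constructed log excerpt. The tenant ID, the key store, the token layout (a synthetic IV derived from the username followed by the ciphertext), the audit record layout and all function names are assumptions made so that the example runs stand-alone; in particular, the page does not say which AES mode the product uses, and the deterministic construction here is chosen because the portal's "To anonymized" lookup requires the same username to always map to the same token.

```powershell
# Added example, not Microsoft's code: a model of the scheme this page describes
# (AES-128, a dedicated key per tenant, ad hoc reversible resolution, every
# resolution audited with a justification). Token format, key storage and the
# audit record layout are assumptions.
using namespace System.Security.Cryptography
using namespace System.Text

$script:TenantKeys    = @{}   # tenantId -> @{ Enc = AES-128 key; Mac = key for the synthetic IV }
$script:GovernanceLog = [System.Collections.Generic.List[object]]::new()

function New-TenantKey {
    param([Parameter(Mandatory)][string]$TenantId)
    $rng = [RandomNumberGenerator]::Create()
    $enc = [byte[]]::new(16); $rng.GetBytes($enc)   # 16 bytes = AES-128
    $mac = [byte[]]::new(32); $rng.GetBytes($mac)   # separate key, never reused for AES
    $script:TenantKeys[$TenantId] = @{ Enc = $enc; Mac = $mac }
}

function Get-SyntheticIV {
    # Assumed design: IV = HMAC-SHA256(MacKey, username) truncated to 16 bytes.
    # The same username therefore always yields the same token, which is what
    # makes the portal's "To anonymized" lookup possible; the trade-off is that
    # equal usernames are linkable within a tenant.
    param([string]$TenantId, [string]$UserName)
    $hmac = [HMACSHA256]::new($script:TenantKeys[$TenantId].Mac)
    return [byte[]]($hmac.ComputeHash([Encoding]::UTF8.GetBytes($UserName))[0..15])
}

function New-TenantAes {
    param([string]$TenantId, [byte[]]$IV)
    $aes = [Aes]::Create()
    $aes.KeySize = 128
    $aes.Key     = $script:TenantKeys[$TenantId].Enc
    $aes.Mode    = [CipherMode]::CBC
    $aes.Padding = [PaddingMode]::PKCS7
    $aes.IV      = $IV
    return $aes
}

function ConvertTo-AnonymizedUser {
    # Log sanitization path: no justification, nothing written to the audit log.
    param([Parameter(Mandatory)][string]$TenantId, [Parameter(Mandatory)][string]$UserName)
    $iv     = Get-SyntheticIV $TenantId $UserName
    $aes    = New-TenantAes $TenantId $iv
    $plain  = [Encoding]::UTF8.GetBytes($UserName)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    return [Convert]::ToBase64String([byte[]]($iv + $cipher))   # token = IV || ciphertext
}

function Resolve-AnonymizedUser {
    # Mirrors the portal's "Anonymize and resolve usernames" box: either direction,
    # a justification is mandatory, and every call lands in the governance log.
    [CmdletBinding(DefaultParameterSetName = 'FromAnonymized')]
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory, ParameterSetName = 'FromAnonymized')][string]$FromAnonymized,
        [Parameter(Mandatory, ParameterSetName = 'ToAnonymized')][string]$ToAnonymized,
        [Parameter(Mandatory)][string]$Justification,
        [Parameter(Mandatory)][string]$Admin
    )
    if ([string]::IsNullOrWhiteSpace($Justification)) { throw 'A business justification is required.' }
    if ($PSCmdlet.ParameterSetName -eq 'ToAnonymized') {
        $subject = $ToAnonymized
        $result  = ConvertTo-AnonymizedUser -TenantId $TenantId -UserName $ToAnonymized
    } else {
        $subject = $FromAnonymized
        $bytes   = [Convert]::FromBase64String($FromAnonymized)
        $iv      = [byte[]]$bytes[0..15]
        $aes     = New-TenantAes $TenantId $iv
        $plain   = $aes.CreateDecryptor().TransformFinalBlock($bytes, 16, $bytes.Length - 16)
        $result  = [Encoding]::UTF8.GetString($plain)
        # A token from another tenant or a tampered token will not reproduce its own IV.
        $expected = Get-SyntheticIV $TenantId $result
        if ([Convert]::ToBase64String($iv) -ne [Convert]::ToBase64String($expected)) {
            throw 'Token failed its integrity check; not resolving.'
        }
    }
    $script:GovernanceLog.Add([pscustomobject]@{
        Time          = (Get-Date).ToUniversalTime().ToString('o')
        Admin         = $Admin
        Tenant        = $TenantId
        Direction     = $PSCmdlet.ParameterSetName
        Subject       = $subject
        Justification = $Justification
    })
    return $result
}

# --- Walk-through on a constructed log excerpt (not real traffic) ---
New-TenantKey -TenantId 'contoso'
$constructedLog = @(
    '2024-05-01T08:15:22Z user=alice@contoso.com app=Dropbox bytes=10240',
    '2024-05-01T08:16:03Z user=bob@contoso.com app=Box bytes=5120',
    '2024-05-01T08:17:45Z user=alice@contoso.com app=Dropbox bytes=2048'
)
$sanitized = foreach ($line in $constructedLog) {
    if ($line -match 'user=(\S+)') {
        $line.Replace($Matches[1], (ConvertTo-AnonymizedUser -TenantId 'contoso' -UserName $Matches[1]))
    } else { $line }
}
$sanitized | Write-Output   # alice's two rows carry the same token, so per-user aggregation still works

# An anomalous-usage alert on the first row: resolve one token, with justification.
$token = (($sanitized[0] -split 'user=')[1] -split ' ')[0]
$who   = Resolve-AnonymizedUser -TenantId 'contoso' -FromAnonymized $token `
            -Justification 'Investigating anomalous upload volume alert' -Admin 'secadmin@contoso.com'
"Resolved: $who"

# Reverse lookup of a suspected user, then the audit trail both actions left behind.
$lookup = Resolve-AnonymizedUser -TenantId 'contoso' -ToAnonymized 'bob@contoso.com' `
            -Justification 'Suspicious sign-in reported by helpdesk' -Admin 'secadmin@contoso.com'
"bob@contoso.com -> $lookup"
$script:GovernanceLog | Format-Table Time, Admin, Direction, Subject, Justification
```

Two things the walk-through makes visible that the steps alone do not: the sanitization path writes nothing to the governance log (it runs over every row of every upload), whereas both resolution directions refuse to proceed without a justification and leave an audit record; and a token only resolves under the tenant key that produced it, so a token copied from one tenant's report is useless against another.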
Note
The following steps also work for device names on the Devices tab.
To resolve a single username
1. Select the three dots at the end of the row of the user you want to resolve and select Deanonymize user.
2. In the pop-up, enter the justification for resolving the username and then select Resolve. In the relevant row, the resolved username is displayed.
Note
This action is audited.
The following alternative way to resolve single usernames can also be used to look up the encrypted username of a known username.
1. Under the Settings cog, select Cloud Discovery settings.
2. In the Anonymization tab, under Anonymize and resolve usernames, enter a justification for why you're doing the resolution.
3. Under Enter username to resolve, select From anonymized and enter the anonymized username, or select To anonymized and enter the original username to resolve. Select Resolve.
To resolve multiple usernames
1. Either select the checkboxes that appear when you hover over the user icons by the users you want to resolve or, in the top-left corner, select the Bulk selection checkbox.
2. Select Deanonymize user.
3. In the pop-up, enter the justification for resolving the usernames and then select Resolve. In the relevant rows, the resolved usernames are displayed.
Note
This action is audited in the portal's Governance log.
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.