Cloud discovery data anonymization

Cloud discovery data anonymization enables you to protect user privacy. Once the data log is uploaded to the Microsoft Defender for Cloud Apps portal, the log is sanitized and all username information is replaced with encrypted usernames. This way, all cloud activities are kept anonymous. When necessary, for a specific security investigation (for example, a security breach or suspicious user activity), admins can resolve the real username. If an admin has a reason to suspect a specific user, they can also look up the encrypted username of a known username, and then start investigating using the encrypted username. Each username conversion is audited in the portal's Governance log.

Key points:

  • No private information is stored or displayed. Only encrypted information.
  • Private data is encrypted using AES-128 with a dedicated key per tenant.
  • Resolving usernames is done ad-hoc, per-username by deciphering a given encrypted username.
  • Anonymization capabilities aren't supported when using the "Defender for Cloud Apps Proxy" stream.

How data anonymization works

  1. There are three ways to apply data anonymization:

    • You can set the data from a specific log file to be anonymized, by creating a new snapshot report and selecting Anonymize private information.
      Anonymize snapshot data.

    • You can set the data from an automated upload for a new data source to be anonymized by selecting Anonymize private information when you add the new data source.
      Anonymize log data.

    • You can set the default in Defender for Cloud Apps to anonymize all data from both snapshot reports from uploaded log files and continuous reports from log collectors as follows:

      1. In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps.

      2. Under Cloud Discovery, select Anonymization. To anonymize usernames by default, select Anonymize private information by default in new reports and data sources. You can also select Anonymize device information by default in 'Defender-managed endpoints' report.

  2. When anonymization is selected, Defender for Cloud Apps parses the traffic log and extracts specific data attributes.

  3. Defender for Cloud Apps replaces the username with an encrypted username.

  4. It then analyzes cloud usage data and generates cloud discovery reports based on the anonymized data.

    Anonymize cloud discovery dashboard.

  5. For a specific investigation, such as an investigation of an anomalous usage alert, you can resolve the specific username in the portal and provide a business justification.

    Note

    The following steps also work for device names on the Devices tab.

    To resolve a single username:

    1. Select the three dots at the end of the row of the user you want to resolve and select Deanonymize user.

      Anonymize user table.

    2. In the pop-up, enter the justification for resolving the username and then select Resolve. In the relevant row, the resolved username is displayed.

      Note

      This action is audited.

      Anonymize resolve pop-up.

    The following alternative way to resolve single usernames can also be used to look up the encrypted username of a known username.

    1. In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps.

    2. Under Cloud Discovery, select Anonymization. Then, under Anonymize and resolve usernames enter a justification for why you're doing the resolution.

    3. Under Enter username to resolve, select From anonymized and enter the anonymized username, or select To anonymized and enter the original username to resolve. Select Resolve.

      Resolve anonymization pop-up.

    To resolve multiple usernames:

    1. Either select the checkboxes that appear when you hover over the user icons by the users you want to resolve or, in the top-left, corner select the Bulk selection checkbox.

      Anonymize bulk resolve.

    2. Select Deanonymize user.

    3. In the pop-up, enter the justification for resolving the username and then select Resolve. In the relevant rows, the resolved usernames are displayed.

      Note

      This action is audited.

      Anonymize resolve pop-up.

  6. The action is audited in the portal's Governance log.

    Anonymization action in governance log.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.