Microsoft Defender for Cloud Apps operational guide

This section of the Microsoft Defender for Cloud Apps documentation helps security operations (SOC) teams and security administrators to plan and run regular security activities with Microsoft Defender for Cloud Apps.

Prerequisites

The activities in this article assume that you deployed Defender for Cloud Apps. For more information, see Basic setup for Defender for Cloud Apps and the Defender for Cloud Apps Ninja training.

Activity reference

The following table lists activities that we recommend you perform regularly with Defender for Cloud Apps:

Frequency   Activities

Daily       - Review alerts and incidents
            - Review threat detection data
            - Review application governance
            - Review Conditional Access app control
            - Review shadow IT - cloud discovery
            - Review the cloud discovery dashboard
            - Review information protection

Weekly      - Review SaaS security posture management
            - Check app connectors, log collectors, and SIEM agent health
            - Track new changes in Microsoft Defender XDR
            - Review the governance log

Monthly     - Review policy assessments
            - Review activity logs

Ad-hoc      - Review Microsoft service health
            - Run advanced hunting queries
            - Review file quarantines
            - Review app risk scores
            - Delete cloud discovery data
            - Generate a cloud discovery executive report
            - Generate a cloud discovery snapshot report