I want to know the policy of Microsoft Defender for Cloud App

Koonnamchok Klongkaew 140 Reputation points

I want to know if the policy of Microsoft Defender for Cloud App 'Ransomware activity,' includes the condition of detecting the file named 'HELP_DECRYPT.URL' as a normal file but still triggers an alert.


Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
926 questions
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
88 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sandeep G-MSFT 13,491 Reputation points Microsoft Employee

    @Koonnamchok Klongkaew

    Thank you for posting your query in Microsoft Q&A.

    There is a default policy template using which you can track "Potential ransomware activities".

    This policy is used to generates an alert when a user uploads files to the cloud that might be infected with ransomware.

    There are some default extensions defined in the policy as below,

    User's image

    You can add new extensions as well.

    You can refer below article for this.


    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful