Ad-hoc operational guide - Microsoft Defender for Cloud Apps

This article lists monthly operational activities that we recommend you perform with Microsoft Defender for Cloud Apps.

Monthly activities can be performed more frequently or as needed, depending on your environment and needs.

Review Microsoft service health

Where: Check the following locations:

If you're experiencing issues with a cloud service, we recommend checking service health updates to determine whether it's a known issue, with a resolution in progress, before you call support or spend time troubleshooting.

Run advanced hunting queries

Where: In the Microsoft Defender XDR Portal, select Hunting > Advanced hunting and query for Defender for Cloud Apps data.

Persona: SOC analysts

Similar to reviewing activity logs, advanced hunting can be used as a scheduled activity, using custom detections or ad-hoc queries to proactively hunt for threats.

Advanced hunting is a unified tool that allows you to hunt for threats across Microsoft Defender XDR. We recommend that you save frequently used queries for faster manual threat hunting and remediation.

The following sample queries are useful when querying for Defender for Cloud Apps data:

Search for Office - FileDownloaded Events records

CloudAppEvents
| where ActionType == "FileDownloaded"
| extend FileName = RawEventData.SourceFileName, Site = RawEventData.SiteUrl, FileLabel = RawEventData.SensitivityLabelId, SiteLabel = RawEventData.SiteSensitivityLabelId
| project Timestamp,AccountObjectId,ActionType,Application,FileName,Site,FileLabel,SiteLabel

Search for Office - MailItemsAccessed Details records

CloudAppEvents
| where ActionType == "MailItemsAccessed" //Defines the action type we want to filter on 16
| extend Folders = RawEventData.Folders[0] //Set variable and then use the index to trim the [] to data can be accessed
| extend MailboxPath = Folders.Path //set a variable for the path
| mv-expand Folders.FolderItems //expand the list of items because some entries might contain multiple items which were accessed
| extend MessageIDs = tostring(Folders_FolderItems.InternetMessageId) //extend and then convert to string so table can be joined
| join EmailEvents on $left.MessageIDs == $right.InternetMessageId //join the email events table to access subject and mailbox information
| project Timestamp,AccountType,AccountDisplayName,AccountObjectId,UserAgent,IPAddress,CountryCode,City,ISP,NetworkMessageId,MailboxPath,Subject,SenderFromAddress,RecipientEmailAddress
| sort by Timestamp desc

Search for Extract activity objects records

CloudAppEvents
| take 100
| mv-expand(ActivityObjects)
| evaluate bag_unpack(ActivityObjects)

Search for Microsoft Entra ID - Add to Role records

CloudAppEvents
| where ActionType in ("Add member to role.") 
| extend FirstElement = ActivityObjects[0], SecondElement = ActivityObjects[1], ThirdElement = ActivityObjects[2]
| extend Type = FirstElement.ServiceObjectType, RoleName = FirstElement.Name,  UserAddedName = SecondElement.Name, UserAddedId = SecondElement.Id
| project Timestamp,Type,ActionType,RoleName,UserAddedName,UserAddedId,AccountId,Account DisplayName

Search for Microsoft Entra ID - Group Adds records

CloudAppEvents
| where ActionType in ("Add member to group.") and AccountType == "Regular"
| extend SecondElement = RawEventData.ModifiedProperties[1]
| extend UserAddedId = RawEventData.ObjectId, GroupName = 
SecondElement.NewValue
| project Timestamp, ActionType,UserAddedId,PerformedBy = 
AccountDisplayName,GroupName

Review file quarantines

Where: In the Microsoft Defender XDR Portal, select Cloud apps > Files. Query for items where Quarantined = True.

Persona: Compliance administrators

Use Defender for Cloud Apps to detect unwanted files that are stored in your cloud and leave you vulnerable. Take immediate action to stop them in their tracks by using the Admin quarantine to lock down the files that pose a threat. Admin quarantine can help you protect files in the cloud, remediate problems, and prevent future leaks from occurring.

Files in Admin quarantine might be reviewed as part of an alert investigation, and you might be required to manage quarantined files for governance and compliance reasons.

For more information, see Understand how quarantine works.

Review app risk scores

Where: In the Microsoft Defender XDR Portal, select Cloud apps > Cloud app catalog.

Persona: Compliance administrators

The cloud app catalog rates risk for your cloud apps based on regulatory certification, industry standards, and best practices. We recommend reviewing the score for each of the apps in your environment to make sure it aligns with your company regulations.

After checking an app's risk score, you might want to submit a request to change the score, or customize the risk score in Cloud Discovery > Score metrics.

For more information, see Find your cloud app and calculate risk scores.

Delete cloud discovery data

Where: In the Microsoft Defender XDR Portal, select Settings > Cloud apps > Cloud Discovery > Delete Data.

Persona: Compliance administrators

We recommend deleting cloud discovery data in the following scenarios:

  • If you have older, manually uploaded log files and you don't want old data affecting your results.
  • When you want a new custom data view to include events in all log file data, including older files. Custom data views only apply to new data available from that point onward, so we recommend deleting any old data and uploading it again to include it in custom data views.
  • When many users or IP addresses started working again after being offline for some time, delete old data to prevent the new activity from being identified as anomalous, with false positive violations.

For more information, see Deleting cloud discovery data.

Generate a cloud discovery executive report

Where: In the Microsoft Defender XDR Portal, select Cloud apps > Cloud discovery > Dashboard > Actions

Persona: Compliance administrators

We recommend using a cloud discovery executive report to get an overview of Shadow IT used across your organization. cloud discovery executive reports identify the top potential risks and help you plan a workflow to mitigate and manage risks until they're resolved.

For more information, see Generate cloud discovery executive report.

Generate a cloud discovery snapshot report

Where: In the Microsoft Defender XDR Portal, select Cloud apps > Cloud discovery > Dashboard > Actions

Persona: Security and Compliance administrators

If you don't have a log yet and want to see a sample of what one might look like, download a sample log file.

For more information, see Create snapshot cloud discovery reports.

Microsoft Defender for Cloud Apps operational guide