Microsoft Cloud App Security Anomaly Detection Policies


Microsoft Defender for Cloud Apps provides best-in-class detections for compromised users, insider threats, exfiltration, ransomware, and other threats throughout the attack kill chain. To give a comprehensive view of how users use apps in your environment, MCAS combines multiple detection methods, including anomaly detection, user and entity behavior analytics (UEBA), and rule-based activity detections.

Defender for Cloud Apps analyses data from multiple sources to extract app and user actions in the organization, offering security analysts visibility into cloud usage. To give an accurate and consistent perspective of suspicious behaviors, the collected data is connected, normalized, and enriched with threat intelligence, location, and many other details.

To benefit from these detections, we need to configure the following sources:

  • Activity log: Activities from your API connected apps.
  • Discovery log: Activities extracted from firewall and proxy traffic logs that are forwarded to Defender for Cloud Apps. The logs are analyzed against the cloud app catalog, ranked, and scored based on more than 80 risk factors.
  • Proxy log: Activities from your Conditional Access App Control apps.

Anomaly threat detection:

Anomalies are detected by scanning user activity. The risk is evaluated by looking at over 30 different risk indicators, grouped into risk factors, as follows:

  • Risky IP address
  • Login failures
  • Admin activity
  • Inactive accounts
  • Location
  • Impossible travel
  • Device and user agent
  • Activity rate

Security alerts are triggered based on the policy results. Defender for Cloud Apps monitors every user session on your cloud and notifies you when something occurs that differs from your organization’s baseline or the user’s normal activities. You’ll get the following detection alerts based on information obtained from Azure Active Directory (AD) Identity Protection in addition to native Defender for Cloud Apps alerts:

  • Leaked credentials: This alert is triggered when a user’s valid credentials are disclosed. Check Azure AD’s Leaked Credentials Detection for additional information.
  • Risky sign-in: Combines several Azure AD Identity Protection sign-in detections into a single detection. Check Azure AD’s Sign-in risk detections for additional details.

Anomaly Detection policies/MCAS inbuilt alert rule:

Below are the built-in anomaly detection policies in MCAS; an alert is raised whenever one of them triggers.

1-Impossible travel:

  • This detection identifies two user activities (in a single session or across multiple sessions) originating from geographically distant locations within a period shorter than the time it would take the user to travel from the first location to the second, indicating that the same credentials are being used by a different user.
  • This detection uses a machine-learning model that filters out obvious “false positives” which would otherwise look like impossible travel, such as VPNs and locations regularly used by other employees.
  • The detection goes through a seven-day learning period during which it learns a new user’s activity pattern. It then flags unusual and impossible user activity between two sites; the behaviour should be exceptional enough to be considered an indicator of compromise and worthy of an alert.
  • To make this work, the detection algorithm incorporates several levels of suppression to address instances that can cause false positives, such as VPN activity or cloud provider activity that doesn’t represent a physical location.
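As an added illustration (not part of the original article and not Microsoft's product code), the check below shows the core of an impossible-travel detection: the great-circle distance between two consecutive sign-ins divided by the elapsed time gives the speed the user would have needed, and sign-ins from a set of known VPN or cloud egress addresses are skipped, which is a simple stand-in for the suppression layers described above. The sign-in events, the egress list, and the 900 km/h speed ceiling are constructed assumptions.

```python
# Added example, not Microsoft's code: a minimal impossible-travel check over
# constructed sign-in events. It assumes each event already carries a
# geolocation (lat/lon) and that a set of known egress IPs stands in for the
# learned VPN / shared-office suppression the article describes.
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner speed; an assumption, tune per org


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, known_egress_ips, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier, later, required_speed_kmh) for consecutive sign-ins
    by the same user that would need faster-than-plausible travel.
    Sign-ins from known_egress_ips are skipped: VPN or cloud-provider egress
    does not reflect a physical location, which is the suppression layer the
    article mentions."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda x: (x.user, x.ts)):
        if e.ip in known_egress_ips:
            continue
        prev = last_seen.get(e.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # a non-zero distance with no elapsed time is impossible by definition
            speed = float("inf") if hours <= 0 else dist / hours
            if dist > 0 and speed > max_speed_kmh:
                alerts.append((e.user, prev, e, round(speed, 1)))
        last_seen[e.user] = e
    return alerts


# Constructed sample events (RFC 5737 documentation addresses, not real IPs).
SAMPLE_EVENTS = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), "192.0.2.10", 51.5074, -0.1278),        # London
    SignIn("alice", datetime(2024, 5, 1, 9, 15), "203.0.113.10", -33.8688, 151.2093),   # Sydney, via corporate VPN egress
    SignIn("alice", datetime(2024, 5, 1, 10, 30), "198.51.100.7", 1.3521, 103.8198),    # Singapore
    SignIn("bob", datetime(2024, 5, 1, 9, 0), "192.0.2.20", 51.5074, -0.1278),          # London
    SignIn("bob", datetime(2024, 5, 1, 12, 0), "192.0.2.21", 53.4808, -2.2426),         # Manchester
]
KNOWN_EGRESS = {"203.0.113.10"}  # constructed: the organisation's VPN egress address


def run_sample():
    return impossible_travel(SAMPLE_EVENTS, KNOWN_EGRESS)


if __name__ == "__main__":
    for user, a, b, speed in run_sample():
        print(f"{user}: {a.ip} -> {b.ip} would require {speed} km/h")
```

On the constructed data only alice fires: London to Singapore in 90 minutes needs several thousand km/h, while her Sydney sign-in is ignored because it came from the VPN egress address, and bob's London to Manchester trip over three hours is well under the ceiling. A real deployment would replace the static egress set with the learned per-organisation baseline the article describes.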

2-Activity from infrequent country:

This detection considers previous activity locations to determine new and infrequent locations. The anomaly detection engine keeps track of where users in the company have been in the past. When an activity occurs from a location that hasn’t been visited by any user in the organization recently or at all, an alert is triggered.

3-Malware Detection:

  • This detection identifies malicious files in your cloud storage, whether they come from Microsoft or third-party applications. Microsoft Defender for Cloud Apps analyses Microsoft’s threat data to see whether specific files are linked to known malware attacks and are therefore potentially malicious.
  • By default, this built-in policy is turned off. Files that Microsoft’s heuristics identify as potentially dangerous are also scanned in a sandbox.
  • Once malicious files are detected, you will see a list of infected files. To open a malware report, click the name of the malware file in the file drawer; the report tells you which type of malware the file is infected with.
  • This detection can be used with session policies to control file uploads and downloads in real time.
  • The following apps are supported by Defender for Cloud Apps for malware detection:
    • Box
    • Dropbox
    • Google Workspace
    • Office 365 (requires a valid license for Microsoft Defender for Office 365 P1)
  • Malware found in Office 365 apps is promptly blocked, and the user is unable to access the file. The app’s administrator is the only one who has access.
  • Defender for Cloud Apps does not block the file in Box, Dropbox, or Google Workspace, although blocking can be done depending on the app’s capabilities and the customer’s configuration.

4-Activity from anonymous IP addresses:

This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. These proxies are commonly used by users who want to mask their device’s IP address, but they can also be used maliciously. This detection employs a machine-learning technique that minimizes “false positives,” such as mistagged IP addresses that are commonly used by employees.

5-Ransomware activity:

  • Defender for Cloud Apps adds anomaly detection to its ransomware detection capabilities to provide more complete protection against sophisticated ransomware attacks.
  • Defender for Cloud Apps provides complete and strong protection by leveraging Microsoft’s security research knowledge to recognise behavioural patterns that indicate ransomware activity.
  • If Defender for Cloud Apps detects a high rate of file uploads or file deletions, it could indicate an adverse encryption process. This information is gathered via connected API logs and combined with previously learned behavioural patterns and threat intelligence, such as known ransomware extensions.
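To make the ransomware signal concrete, here is an added example (not part of the original article and not Microsoft's code) that runs over a constructed activity export: it measures each user's peak rate of file deletes and uploads inside a sliding five-minute window and raises the severity when the uploaded file names carry an extension from a known-ransomware list. The record layout, the window, the rate threshold and the extension list are all assumptions for illustration; a real deployment would take the extension list from threat intelligence and the threshold from the learned baseline.

```python
# Added example, not Microsoft's code: score users whose burst of file deletes
# and uploads in a short window looks like bulk encryption. Input lines are a
# constructed CSV-like activity export; the field layout, the window, the rate
# threshold and the extension list are all assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # constructed placeholder list
WINDOW = timedelta(minutes=5)
RATE_THRESHOLD = 20  # delete/upload events within WINDOW; tune to the org's baseline


def parse_activity(line):
    """'2024-05-01T09:00:01Z,alice,FileDeleted,report.docx' -> (ts, user, action, name)."""
    ts, user, action, name = line.strip().split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, name


def ransomware_signals(lines):
    """Return {user: finding} for users whose peak delete/upload rate in any
    WINDOW reaches RATE_THRESHOLD; severity rises when uploaded names carry a
    known ransomware extension."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, action, name = parse_activity(line)
        if action in ("FileDeleted", "FileUploaded"):
            per_user[user].append((ts, action, name))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        # Sliding window: for each event, count how many fall within WINDOW before it.
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        uploaded_exts = {
            name[name.rfind("."):].lower()
            for _, action, name in events
            if action == "FileUploaded" and "." in name
        }
        bad_exts = sorted(uploaded_exts & RANSOMWARE_EXTENSIONS)
        if peak >= RATE_THRESHOLD:
            findings[user] = {
                "peak_rate": peak,
                "extensions": bad_exts,
                "severity": "high" if bad_exts else "medium",
            }
    return findings


def build_sample():
    """Constructed activity log: mallory rewrites 25 files as *.locked in 96 s,
    bob deletes three old files over an hour."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=4 * i)).strftime(fmt)
        lines.append(f"{t},mallory,FileDeleted,report{i}.docx")
        lines.append(f"{t},mallory,FileUploaded,report{i}.docx.locked")
    for i in range(3):
        t = (base + timedelta(minutes=20 * i)).strftime(fmt)
        lines.append(f"{t},bob,FileDeleted,old{i}.txt")
    return lines


if __name__ == "__main__":
    for user, finding in ransomware_signals(build_sample()).items():
        print(user, finding)
```

The rate check alone would also fire on a bulk migration or a scripted clean-up, which is why the extension match is used only to raise severity rather than as the sole trigger; a per-user baseline, as the article notes, is what keeps the rate threshold from being a single global number.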

6-Activity from suspicious IP addresses:

  • This detection finds people who were active from an IP address that Microsoft Threat Intelligence had flagged as potentially dangerous. These IP addresses have been linked to malicious activity like password spraying and Botnet C&C, and could indicate a compromised account.
  • This detection employs a machine-learning technique that minimizes “false positives,” such as mis-tagged IP addresses that are commonly used by employees.

7-Activity performed by terminated user:

The detector looks for users whose Azure AD accounts have been terminated but who continue to use other platforms such as AWS or Salesforce. This is especially important for users who handle resources using a different account (not their primary single sign-on account), as these accounts are frequently not terminated when a user leaves the firm.

8-Suspicious inbox forwarding:

  • This detection checks for suspicious email forwarding rules, such as an inbox rule that sends a copy of all emails to an external address.
  • Defender for Cloud Apps only notifies you if a forwarding rule is flagged as suspicious based on the user’s usual behaviour.

9-Suspicious inbox manipulation rules:

This detector profiles your environment and raises alerts when suspicious rules that delete or move messages or folders are created on a user’s inbox. This could mean the user’s account has been compromised, messages are being hidden on purpose, or the mailbox is being used to spread spam or malware within your company.
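The two inbox-rule detections above (suspicious forwarding and suspicious manipulation rules) share one check, so here is a single added example (not part of the original article and not Microsoft's code) that runs over a constructed export of inbox rules: it flags rules that forward mail to an address outside the organisation's domains, and rules that delete or move messages while carrying no narrowing condition at all. The rule records, the org-domain allowlist and the "catch-all rule is suspicious" heuristic are assumptions; the real product also weighs the user's usual behaviour, which this example does not model.

```python
# Added example, not Microsoft's code: flag inbox rules that forward mail to
# external addresses, or that delete / move messages without any narrowing
# condition. The rule records, the org-domain allowlist and the "catch-all
# rule is suspicious" heuristic are constructed assumptions for illustration;
# the real product additionally profiles the user's usual behaviour.

ORG_DOMAINS = {"contoso.example"}  # constructed: the organisation's own mail domains


def is_external(address, org_domains):
    """True when the mailbox domain is not one of the organisation's domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def rule_findings(rules, org_domains=ORG_DOMAINS):
    """rules: list of dicts with keys user, name, conditions (dict),
    and optional forward_to (list), delete_message (bool), move_to_folder (str).
    Returns one finding per suspicious rule with the reasons it was flagged."""
    findings = []
    for rule in rules:
        reasons = []
        for addr in rule.get("forward_to", []):
            if is_external(addr, org_domains):
                reasons.append(f"forwards to external address {addr}")
        catch_all = not rule.get("conditions")  # no sender/subject filter: applies to all mail
        if catch_all and rule.get("delete_message"):
            reasons.append("deletes every incoming message")
        if catch_all and rule.get("move_to_folder"):
            reasons.append(f"moves every incoming message to '{rule['move_to_folder']}'")
        if reasons:
            findings.append({"user": rule["user"], "rule": rule["name"], "reasons": reasons})
    return findings


# Constructed sample rules as an API connector might export them.
SAMPLE_RULES = [
    {"user": "alice", "name": "copy all", "conditions": {},
     "forward_to": ["alice.home@mail.example"]},
    {"user": "bob", "name": "newsletters", "conditions": {"from_contains": "news@"},
     "move_to_folder": "Newsletters"},
    {"user": "carol", "name": "cleanup", "conditions": {}, "delete_message": True},
    {"user": "dave", "name": "team copy", "conditions": {},
     "forward_to": ["team@contoso.example"]},
]


if __name__ == "__main__":
    for f in rule_findings(SAMPLE_RULES):
        print(f["user"], f["rule"], "; ".join(f["reasons"]))
```

On the sample, alice's external forward and carol's unconditional delete rule are flagged, while bob's filtered move rule and dave's internal forward are not. The catch-all heuristic is deliberately conservative; the product's behavioural profiling is what lets it also catch narrowly scoped rules that are unusual for that particular user.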

10-Suspicious email deletion activity:

  • This policy creates a profile of your environment and sends out alerts when a user deletes suspicious emails in a single session. This policy may suggest that potential attack vectors such as command-and-control communication (C&C/C2) over email may have penetrated a user’s mailboxes.
  • Defender for Cloud Apps works with Microsoft Defender for Office 365 to provide Exchange online protection, including URL detonation, malware prevention, and more. You’ll start receiving alerts in the Defender for Cloud Apps activity log once Defender for Office 365 is enabled.

11-Multiple delete VM activities:

This policy creates a profile of your environment and sends out alerts when users delete multiple VMs in a single session in comparison to the organization’s baseline. This could indicate a breach attempt.

12-Data exfiltration to unsanctioned apps:

This policy is enabled automatically and alerts you when a user or IP address uses an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your company.

13-Multiple failed login attempts:

This detection finds users that failed many login attempts in a single session in comparison to the learned baseline, which could indicate a breach attempt.

14-Suspicious OAuth app file download activities:

This policy scans the OAuth apps in your environment and raises an alert if one of them downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a way that is unusual for the user. This could mean that the user’s account has been compromised.

15-Unusual ISP for an OAuth App:

This policy profiles the environment and raises alerts when an OAuth app connects to the cloud applications from an unusual ISP. This may indicate that an attacker attempted to carry out malicious activities on the cloud applications using a legitimate but compromised app.

16-Unusual activities by user:

These policies check for activities that differ from the baseline learned within a single session, which could indicate a breach attempt. These detections are based on a machine-learning system that analyses a user’s log-on pattern and minimizes false positives. These alerts are triggered by the heuristic anomaly detection engine, which profiles the environment and compares it to a baseline learned from the company’s activity.

These detections identify users who perform the following actions:

  • Unusual multiple file download activities
  • Unusual file share activities
  • Unusual file deletion activities
  • Unusual impersonated activities
  • Unusual administrative activities
  • Unusual Power BI report sharing activities
  • Unusual multiple VM creation activities
  • Unusual multiple storage deletion activities
  • Unusual region for cloud resource
  • Unusual file access
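Several of the policies above (multiple delete VM activities, multiple failed login attempts, and the unusual-activities family) all rest on the same idea: learn a per-user baseline from past sessions and alert when a new session deviates from it. The added example below (not part of the original article and not Microsoft's code) shows that mechanism over a constructed history of per-session counts. The learning minimum, the three-sigma band and the absolute floor are assumptions chosen for illustration; the product's seven-day learning period and its real model are not reproduced here.

```python
# Added example, not Microsoft's code: learn a per-user, per-action baseline
# from past sessions and alert when a new session deviates from it. The
# history, the learning minimum, the sigma multiplier and the absolute floor
# are constructed assumptions chosen for illustration.
from collections import defaultdict
from statistics import mean, pstdev

MIN_HISTORY = 5     # sessions needed before a baseline is trusted (the product uses a learning period)
SIGMA = 3.0         # how many standard deviations above the mean counts as unusual
MIN_ABSOLUTE = 5    # never alert on tiny counts, e.g. 2 events against a baseline of 1


def learn_baseline(history):
    """history: iterable of (user, action, count_in_session).
    Returns {(user, action): (mean, stdev)} for keys with enough samples."""
    samples = defaultdict(list)
    for user, action, count in history:
        samples[(user, action)].append(count)
    return {key: (mean(xs), pstdev(xs)) for key, xs in samples.items() if len(xs) >= MIN_HISTORY}


def score_session(baseline, user, action, count, sigma=SIGMA):
    """Return None while the baseline is still being learned, otherwise a
    verdict dict. The stdev is floored at 1 so a very stable history does not
    produce a zero-width band that fires on any change."""
    key = (user, action)
    if key not in baseline:
        return None
    mu, sd = baseline[key]
    threshold = max(mu + sigma * max(sd, 1.0), MIN_ABSOLUTE)
    return {"user": user, "action": action, "observed": count,
            "threshold": round(threshold, 2), "alert": count > threshold}


# Constructed history: per-session counts observed over the learning period.
SAMPLE_HISTORY = (
    [("alice", "FailedLogin", n) for n in (0, 1, 0, 2, 1, 0, 1)]
    + [("bob", "DeleteVM", n) for n in (3, 4, 3, 5, 4, 3)]
    + [("carol", "FailedLogin", n) for n in (0, 0)]   # too little history yet
)


def evaluate(sessions, history=SAMPLE_HISTORY):
    """Score a list of (user, action, count) sessions against the learned baseline."""
    baseline = learn_baseline(history)
    return [score_session(baseline, *s) for s in sessions]


if __name__ == "__main__":
    for verdict in evaluate([("alice", "FailedLogin", 12),
                             ("bob", "DeleteVM", 6),
                             ("carol", "FailedLogin", 50)]):
        print(verdict)
```

On the sample, alice's twelve failed logins in one session alert against a baseline of roughly one, bob's six VM deletions sit inside his normal range of three to five, and carol returns no verdict because her baseline is still being learned, which mirrors why the product stays quiet during its learning period rather than alerting on everything a new user does.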


The policies above are the basic built-in alert rules, and alerts are triggered based on them. In the next blog, we will cover the console overview of MCAS.

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst