Forum Discussion
Brok3NSpear
Mar 06, 2024Brass Contributor
Create a Policy Alert for any Upload Seen to Gmail
Hi, I would like to create a policy in MCAS so that any upload that is seen to Gmail immediately raises an alert. We have Gmail tagged as Unsanctioned and blocked to all users but I can also ...
Keith_Fleming
Microsoft
Mar 06, 2024Brok3NSpear this is actually the expected behavior. When you look at discovery policies, these are regarding data coming from endpoints or appliances.
Activities are based on the data coming from app connectors.
In this case it sounds like what you would like to see is a way to get the audit activities from apps that aren't connected or that are just being accessed via the browser?
Brok3NSpear
Mar 12, 2024Brass Contributor
Keith_Fleming wrote:Brok3NSpear this is actually the expected behavior. When you look at discovery policies, these are regarding data coming from endpoints or appliances.
Activities are based on the data coming from app connectors.
In this case it sounds like what you would like to see is a way to get the audit activities from apps that aren't connected or that are just being accessed via the browser?
Correct, is there an audit process available for this that I can use? I have been trying to find a way to do this via KQL, but no joy from my limited use of KQL.
Apologies for the late response as well.