Forum Discussion

Felix87
Copper Contributor
Feb 17, 2026

McasShadowItReporting / Cloud Discovery in Azure Sentinel

Hi!

I'm trying to query the McasShadowItReporting table for Cloud App Discoveries.

The table is empty at the moment. The connector is warning me that the workspace is onboarded to the Unified Security Operations Platform, so I can't activate it here.

I can't manage it via https://security.microsoft.com/ either.

The documentation ( https://learn.microsoft.com/en-us/defender-cloud-apps/siem-sentinel#integrating-with-microsoft-sentinel ) leads me to the SIEM integration, which has been configured (for a while).

I wonder if something is misconfigured here, why there is no log ingress, and how I can query them.

1 Reply

  • This is a known pain point when your workspace gets onboarded to the Unified Security Operations Platform. The connector page in Sentinel grays out because management shifts over to the Defender portal. But the documentation doesn't make the next steps obvious.

    Here's what's likely going on and how to fix it.

    The McasShadowItReporting table gets its data from the Defender for Cloud Apps SIEM integration, not the standard Sentinel data connector. These are two separate things, and that's where most people get tripped up.

    To get Cloud Discovery logs flowing into Sentinel, you need to configure it from the Defender portal side:

    1. Go to Settings > Cloud Apps in the Microsoft Defender portal (security.microsoft.com)
    2. Under System, go to SIEM agents > Add SIEM agent > Sentinel
    3. In the wizard, make sure Discovery logs is toggled on
    4. Select which discovery streams you want forwarded (or leave it on all)
    5. Complete the wizard

    If you've already done this and the table is still empty, check these things:

    Is Cloud Discovery actually generating data? Go to Cloud Apps > Cloud Discovery > Dashboard in the Defender portal. If that dashboard is empty, the problem isn't the Sentinel integration. It's upstream. You need active discovery sources feeding data first, either through Defender for Endpoint integration, log collectors on your firewalls, or snapshot reports.

    Are your discovery streams selected? When you configured the SIEM integration, the "Apply to" dropdown controls which streams get sent to Sentinel. If none are selected, nothing flows.

    Give it time. Microsoft says new discovery logs can take up to 15 minutes to appear in Sentinel after configuration, but system conditions can stretch that out.

    One more thing to be aware of. Microsoft announced that the Defender for Cloud Apps SIEM agents are being deprecated starting November 2025. The Sentinel integration itself stays supported, but if you're using any legacy SIEM agent configs, you'll want to transition to the Microsoft Defender XDR Streaming API or the direct Sentinel integration.

    Reference docs:

    • https://learn.microsoft.com/defender-cloud-apps/siem-sentinel
    • https://learn.microsoft.com/azure/azure-monitor/reference/tables/mcasshadowitreporting

    Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
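
An ingestion check for the table discussed in this thread, as an added example that is not part of the original posts. It assumes the standard McasShadowItReporting columns (TimeGenerated, StreamName, AppName, TotalEvents) from the table reference linked above; the 7-day lookback is an arbitrary choice.

```kql
// Added example, not from the thread: shows whether Cloud Discovery records
// are reaching the workspace, and from which discovery streams.
let lookback = 7d;   // assumed window; widen it if discovery uploads are infrequent
McasShadowItReporting
| where TimeGenerated > ago(lookback)
| summarize
    Records      = count(),
    DistinctApps = dcount(AppName),
    TotalEvents  = sum(TotalEvents),
    FirstRecord  = min(TimeGenerated),
    LastRecord   = max(TimeGenerated),
    LastIngested = max(ingestion_time())   // when the newest row actually landed in the workspace
    by StreamName
| extend SinceLastIngest = now() - LastIngested
| order by LastIngested desc
```

No rows at all matches the empty-table case in the question and points back to the upstream checks in the reply (discovery sources, selected streams). A stream that is missing from the output while others appear suggests it was not selected for forwarding.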