We are pleased to share that we have expanded coverage of the CloudAppEvents table in advanced hunting to now include non-Microsoft cloud app activities monitored by Microsoft Defender for Cloud Apps. In addition, we have added new columns to the CloudAppEvents table like IsExternalUser, IsImpersonated, and more. Together, these enhancements can help you better hunt for threats in cloud app activities using advanced hunting in Microsoft 365 Defender.
Hunt for cloud app activities in non-Microsoft apps
Cloud apps can be a valuable entry point for attackers, so it is recommended to monitor anomalies and suspicious behaviors that use cloud apps. Previously, advanced hunting users could only look for threat activity in Microsoft applications like Exchange Online, SharePoint Online and Teams. If you wanted to look at cloud app activity by non-Microsoft apps, you would have to look in the activity log in the Microsoft Defender for Cloud Apps portal where you had limited querying and control abilities.
Now, in advanced hunting, you can also query cloud app activities related to Amazon Web Services, Google Workspace, Box, Dropbox, Slack, and more. For example, you can query GitHub to see if someone enabled private repository forking, which, if abused or used maliciously, allows easier exfiltration from the repo:
CloudAppEvents | where Application == "GitHub" and ActionType == "private_repository_forking.enable" | project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode | take 50
Or for example, in Amazon Web Services, you can find out what were the policy changes in Identity and Access Management (IAM) and which users or groups were changed in the policies:
CloudAppEvents | where Application == "Amazon Web Services" | where ActionType in~ ("AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy", "CreatePolicy", "DeleteGroupPolicy", "DeletePolicy", "DeleteRolePolicy", "DeleteUserPolicy", "DetachGroupPolicy", "PutUserPolicy", "PutGroupPolicy", "CreatePolicyVersion", "DeletePolicyVersion", "DetachRolePolicy", "CreatePolicy") | project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode | take 100
Query using new CloudAppEvents data columns
In addition to including the non-Microsoft applications and to further support the ability to hunt for more scenarios like the recent Nobelium attack, we added more columns to the CloudAppEvents table that can help you look for threat activities more effectively:
AccountType – Type of the account identified by Microsoft Defender for Cloud Apps. For example, the column’s value is “Admin” if the user is an admin, and “Application” if the user is an OAuth app in the tenant.
IsExternalUser – The column’s value is 0 if the user is considered internal for the tenant or 1 if it’s external. A user is considered internal if the account is under one of the domains defined as internal domain in your Microsoft Defender for Cloud Apps tenant’s settings.
IPCategory – If the IP is categorized in your Microsoft Defender for Cloud Apps tenant’s IP address ranges, the category will appear in this column. IP categories in Microsoft Defender for Cloud Apps are Corporate, VPN, Cloud provider, Administrative, Risky, and Other. Aside from the preset categories, you can categorize your own IP addresses, with each IP belonging to one category at the most.
IPTags – If the IP has tags in your Microsoft Defender for Cloud Apps tenant’s IP address ranges, the tags will appear in this column. Aside from the preset tags, which may represent the ISP of the IP for some IPs, or the fact that an IP was used to perform brute-force attacks, you can tag your own IP addresses. Each IP can have multiple tags.
UserAgentTags – Microsoft Defender for Cloud Apps can identify and tag some of the user agents in a specific tag, for example “Native Client” for a non-human user agent that is native for the device, “Outdated browser” for a browser that is two versions or more older than the updated version, “Robot” for a user agent identified with a crawler, and “Outdated operating system.”
IsImpersonated – Identifies if the user who performed the activity was using roles granted as part of impersonation to a different user or system account, by the cmdlet “New-ManagementRoleAssignment.”
Here are a few more handy examples which make use of these fields:
To check if an activity was performed by an external admin:
CloudAppEvents | where IsExternalUser == 1 and AccountType == "Admin" | project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode, IsExternalUser, AccountType | take 50
Or simply to check which activities were preformed from a risky IP:
We hope these additional data points can help you in protecting your network from attackers that take advantage of cloud apps. As usual, we would love to hear your feedback, and you can share your feedback with us in the Microsoft 365 Defender portal or by emailing AHfeedback@microsoft.com.