Hunt across cloud app activities with Microsoft 365 Defender advanced hunting
Published Nov 17 2020 12:53 AM 13.8K Views
Microsoft

We’re thrilled to share that the new CloudAppEvents table is now available as a public preview in advanced hunting for Microsoft 365 Defender.


This new advanced hunting schema table contains activities monitored by Microsoft Cloud App Security (MCAS) involving the following services:

  • Microsoft Exchange Online
  • Microsoft Teams


In Microsoft 365 Defender advanced hunting, you can use Kusto Query Language (KQL) to proactively find threat activity involving these applications, including the creation of inbox rules, changes to mailbox permissions, and updates to Teams channels.


This new table includes:

  • Precise location information in these columns:
    • CountryCode
    • City
  • UserAgent information from web browsers or other client applications
  • ActivityObjects column listing various objects involved in the recorded event, such as files or folders. This is identical to what is already displayed for each activity in Cloud App Security.

In early 2021, this table will also include activities involving the following O365 services:

  • OneDrive for Business
  • SharePoint Online

[Image: CloudAppEvents.png]


Replacing the AppFileEvents table


The AppFileEvents table, which contains file activities from these applications, will stop being populated with new data in early 2021. Activities involving these applications, including file activities, will instead be recorded in the new CloudAppEvents table. In addition, SMB file copy activity (action type: SmbFileCopy) from Microsoft Defender for Identity, currently stored in the AppFileEvents table, will be moved to the IdentityDirectoryEvents table.


If you have any saved queries, custom detection rules, or queries running through the API that use the AppFileEvents table, please make sure to edit them to work with the CloudAppEvents table.


For example, here is a query that checks the AppFileEvents table:


AppFileEvents
| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where FileName endswith ".xlsx"
| project Timestamp, ActionType, Application, FileName, FolderPath, AccountObjectId, AccountDisplayName, IPAddress, Location
| take 50


You can edit it to use the CloudAppEvents table like so:


CloudAppEvents
| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where ObjectType == "File" and ObjectName endswith ".xlsx"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode
| take 50


Sample queries with CloudAppEvents


Here are some sample queries that might help you understand how to use this new table:


//Activities from a specific app
CloudAppEvents
| where Application == "Microsoft SharePoint Online"
| take 100


//Activities made by a specific user (the user is the "actor")
let user = "<user name>";
CloudAppEvents
| where AccountDisplayName == user
| take 100


//Activities involving a specific user in any role, not only as the "actor"
let user = "<user name>";
CloudAppEvents
| where ActivityObjects has user
| take 100


//Activities on a specific file (ObjectType narrows the match to file objects)
let fileName = "<file name>";
CloudAppEvents
| where ObjectType == "File" and ObjectName == fileName
| take 100


//Activities from specific IP address
CloudAppEvents
| where IPAddress == "<IP>"
| take 100


//Activities from a specific user agent
CloudAppEvents
| where UserAgent == "<user agent>"
| take 100
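
The sample queries above each filter on a single column. As an added example (not from the original post), the following query combines the new CountryCode, City and UserAgent columns to hunt inbox-rule creations and changes in Exchange Online, comparing each account's activity against its own recent baseline of client user agents. The ActionType values "New-InboxRule" and "Set-InboxRule" (Exchange Online audit operation names) and the country allowlist are assumptions, not taken from the post.

```kusto
// Added example (not from the original post): inbox-rule creations or changes in
// Exchange Online, enriched with the CountryCode, City and UserAgent columns and
// compared against each account's recent baseline of user agents.
// Assumptions: the ActionType values "New-InboxRule" and "Set-InboxRule" (Exchange
// Online audit operation names) and the country allowlist are not taken from the post.
let hunt_window = 7d;
let baseline_window = 30d;
let expected_countries = dynamic(["US", "GB"]);   // constructed allowlist; replace with your own
// Baseline: user agents each account used in Exchange Online before the hunt window
let baseline_agents =
    CloudAppEvents
    | where Timestamp between (ago(baseline_window) .. ago(hunt_window))
    | where Application == "Microsoft Exchange Online"
    | where isnotempty(UserAgent)
    | summarize KnownAgents = make_set(UserAgent) by AccountObjectId;
CloudAppEvents
| where Timestamp > ago(hunt_window)
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule")
| join kind=leftouter baseline_agents on AccountObjectId
// Flag rule changes made from an unexpected country or from a client the account
// has not used during the baseline window (accounts with no baseline get an empty set)
| extend UnexpectedCountry = isnotempty(CountryCode)
    and not(set_has_element(expected_countries, CountryCode))
| extend NewUserAgent = isnotempty(UserAgent)
    and not(set_has_element(iff(isnull(KnownAgents), dynamic([]), KnownAgents), UserAgent))
| where UnexpectedCountry or NewUserAgent
| project Timestamp, AccountDisplayName, AccountObjectId, ActionType, ObjectName,
    IPAddress, CountryCode, City, UserAgent, UnexpectedCountry, NewUserAgent, ActivityObjects
| order by Timestamp desc
| take 100
```

Keep ActivityObjects in the output so the analyst can see the rule parameters (for example forwarding targets) recorded for each flagged event.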


As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or contact us at AHfeedback@microsoft.com


Stay safe and happy hunting! 


5 Comments
Microsoft

Great addition here! Thanks so much for adding this; great to see MCAS integrations with Advanced Hunting.


Copper Contributor

Hi Tash,


I just found out about the CloudAppEvents feature, but I can't seem to get any data in it; it appears blank. What do you think might be the issue?

Copper Contributor

Hey,
Can someone help? I am not able to see the CloudAppEvents schema table in my Microsoft Defender E5 trial instance.

Copper Contributor

@king-02 Are you in GCC cloud, GCC High, or Commercial Cloud? There is usually a long delay between when tables are available in the commercial cloud vs. government clouds. I've been sitting here tonight analyzing which tables are available in which clouds because I often come across queries that don't work and have to come up with workarounds. For example, I operate in GCC and I don't have the tables for CloudAppEvents, despite using the requisite features in our tenant. I do have CloudAppEvents, but I didn't always have it. I'm going to check with my Microsoft representatives or open a support ticket to find out more. However, if it's unreleased they generally won't provide a release date.


Also do you have preview features enabled in Settings of MDE? Settings > Endpoints > Advanced features > Preview features

This hasn't helped resolve it for me, but it might help you depending on your tenant. 

Copper Contributor

GCC Schema


Alerts
------
AlertInfo (replaces DeviceAlertEvents)
- (AlertID, TimeStamp, Severity, Category, Title, AttackTechniques)
AlertEvidence
- (AlertID, TimeStamp, DeviceID, DeviceName, FileName, SHA1, RemoteUrl, RemoteIP, ReportId, Table)


Apps & identities
-----------------
IdentityInfo
IdentityLogonEvents
IdentityQueryEvents
IdentityDirectoryEvents
CloudAppEvents (replaces AppFileEvents)


Email & collaboration
---------------------
EmailEvents
EmailAttachmentInfo
EmailUrlInfo
EmailPostDeliveryEvents


Devices
-------
DeviceInfo
DeviceNetworkInfo
DeviceProcessEvents
DeviceNetworkEvents
DeviceFileEvents
DeviceRegistryEvents
DeviceLogonEvents
DeviceImageLoadEvents
DeviceEvents
DeviceFileCertificateInfo

Threat & Vulnerability Management
---------------------------------
DeviceTvmSoftwareVulnerabilities (replaces DeviceTvmSoftwareInventoryVulnerabilities)
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmConfigurationAssessmentKB
DeviceTvmSoftwareInventory (replaces DeviceTvmSoftwareInventoryVulnerabilities)
DeviceTvmInfoGathering
DeviceTvmInfoGatheringKB
DeviceTvmSoftwareEvidenceBeta


Missing tables
--------------
UrlClickEvents
AppFileEvents (deprecated)
AADSignInEventsBeta
AADSpnSignInEventsBeta
DeviceAlertEvents (deprecated)
DeviceTvmSoftwareInventoryVulnerabilities (deprecated)

Version history
Last update: Nov 18 2020 10:47 PM