Cloud Discovery | Total amount of traffic


Dear community members,

 

We're using Microsoft Defender ATP to collect machine data in the Cloud Discovery dashboard of Microsoft Cloud App Security. Does anyone know how accurate the upload traffic is within the discovered apps overview? Below are some details:

 

- User uploads 2 files to WeTransfer on endpoint level, which is onboarded into MDATP;

- User is not behind a proxy;

- Last data received field from MDATP is updated;

- Cloud Discovery doesn't show any upload traffic and no updates in the WeTransfer statistics.

 


I'm very curious how this works.

 

Kind regards,

Bram

3 Replies
Hi Bram,

Do you have any details about the size of the files that were uploaded by the user to WeTransfer?

Thanks,
Danny.

@Danny Kadyshevitch

Hi Danny,

Thanks for answering, and sorry for my late response; I didn't notice the alert for a new answer. So we used a file of 1GB and later a file of 512 MB to upload to WeTransfer. Later on we downloaded both files by using the MDATP-connected W10 device and the logged-on corporate user account, so we were sure that the traffic details would be collected by MDATP/MCAS. The upload and download details are not updated in MCAS. The specific user is not behind a proxy.

 

Kind regards,

Bram

Hi @Bram_InSpark.

 

While investigating this, I would be happy to know if you got to check in the MDATP portal whether there was any traffic going to wetransfer.com captured in the machine's timeline?

 

Thanks.