No usage data in Cloud App Security since 9 March

%3CLINGO-SUB%20id%3D%22lingo-sub-1266883%22%20slang%3D%22en-US%22%3ENo%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1266883%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20noticed%20that%20we%20are%20not%20getting%20data%20for%20some%20apps%20since%20somewhere%20around%209%20March.%20Usage%20data%20stopped%20in%20a%20miracle%20way%20for%20apps%20like%20OneDrive%2C%20Teams%2C%20YouTube%2C%20Spotify%20etc.%20Means%20that%20it%20won%E2%80%99t%20show%2C%20how%20many%20users%2C%20traffic%20and%20which%20users%20used%20the%20apps.%3C%2FP%3E%3CP%3EExchange%20and%20Sharepoint%20do%20still%20showing%20correct%20information.%3C%2FP%3E%3CP%3EIs%20there%20something%20I%20can%20check%20or%20is%20there%20a%20platform%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1266883%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1269064%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1269064%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F410818%22%20target%3D%22_blank%22%3E%40Elduderino%3C%2FA%3EHow%20is%20your%20MCAS%20discovery%20configured%3F%26nbsp%3B%20Could%20it%20be%20a%20problem%20with%20an%20appliance%20not%20sending%20the%20logs%2C%20or%20are%20you%20using%20Defender%20ATP%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1270346%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1270346%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F74084%22%20target%3D%22_blank%22%3E%40Ruairidh%20Campbell%3C%2FA%3E%26nbsp%3Bwe%20are%20using%20Defender%20ATP%20so%20the%20setup%20is%20straight%20forward.%26nbsp%3B%20Setting%20%22automatic%20log%20upload%22%20shows%20an%20active%20connection.%20Did%20turn%20the%20integration%20on%20and%20off%20again%2C%20no%20luck.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1270688%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1270688%22%20slang%3D%22en-US%22%3EI'd%20be%20inclined%20to%20raise%20a%20support%20request%20with%20Microsoft%20to%20start%20with%20as%20it%20could%20potentially%20be%20a%20problem%20their%20end.%20A%20support%20engineer%20will%20at%20least%20be%20able%20to%20remote%20onto%20your%20console%20with%20you%20and%20investigate%20together.%20Some%20troubleshooting%20thoughts%20but%20you've%20probably%20already%20checked%20these%3A%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20forwarding%20set%20up%20in%20the%20the%20Defender%20ATP%20portal's%20advanced%20features%3F%3CBR%20%2F%3EIn%20MCAS's%20Cloud%20Discovery%20page%2C%20there's%20a%20Machines%20tab%20-%20how%20do%20the%20endpoints%20report%3F%3CBR%20%2F%3EAre%20all%20your%20endpoints%20licensed%20correctly%20with%20an%20M365%20E5%20subscription%20running%20Windows%2010%20A%2FE5%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1270853%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1270853%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F74084%22%20target%3D%22_blank%22%3E%40Ruairidh%20Campbell%3C%2FA%3E%26nbsp%3BI%20will%20raise%20a%20ticket.%20Defender%20ATP%20forwarding%20is%20enabled%20and%20did%20work%20over%20the%20last%206%20months%2C%20till%20the%20beginning%20of%20March.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20licensed%20for%20Cloud%20App%20discovery%20and%20we%20have%20some%20users%20with%20the%20E5%20license.%20We%20don't%20use%20Cloud%20app%20security%20in%20full%20extent%2C%20but%20we%20only%20monitor%20what%20is%20being%20used%2C%20so%20Discovery.%3C%2FP%3E%3CP%3EMachines%20are%20reporting%20to%20Cloud%20app%20security%2C%20but%20when%20I%20zoom%20in%2C%20only%20a%20few%20apps%20do%20report%20traffic%20and%20usage%20data.%20gives%20me%20the%20feeling%20that%20the%20integration%20with%20Defender%20ATP%20doesn't%20work%20correctly%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1603850%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1603850%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F410818%22%20target%3D%22_blank%22%3E%40Elduderino%3C%2FA%3E%26nbsp%3Bdid%20you%20get%20any%20answers%3F%20We%20have%20the%20same%20problem%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1603927%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1603927%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F766936%22%20target%3D%22_blank%22%3E%40NinjaKitty%3C%2FA%3E%26nbsp%3B%20The%20issue%20was%20caused%20by%20a%20change%20they%20have%20done.%20They%20told%20me%20that%20this%20change%20would%20improve%20the%20data%20report%20reliability%20of%20the%20detected%20cloud%20apps.%20However%20with%20the%20first%20change%20they%20introduced%20quite%20some%20issues%2C%20this%20will%2Fhas%20been%20fixed%20(at%20least%20they%20say)%20in%20later%20changes.%3C%2FP%3E%3CP%3EHowever%20I%20have%20still%20the%20feeling%20that%20it%20is%20not%20reliable%2C%20the%20data%20is%20absolutely%20not%20correct.%3C%2FP%3E%3CP%3EOneDrive%20for%20Business%20and%20teams%20were%20previously%20reported%20as%20separate%20apps%20however%20they%20removed%20this%20and%20it%20is%20now%20reported%20all%20together%20as%20SharePoint.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20really%20disappointing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1616127%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1616127%22%20slang%3D%22en-US%22%3EHey%20both%2C%3CBR%20%2F%3E%3CBR%20%2F%3EHave%20you%20received%20a%20fix%20for%20this%3F%3CBR%20%2F%3E%3CBR%20%2F%3ECheers%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1616161%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1616161%22%20slang%3D%22en-US%22%3ESituation%20is%20still%20the%20same%20here.%20YouTube%20is%20listed%20inside%20the%20Cloud-App-Catalog%2C%20but%20no%20usage%20captured%20in%20Cloud%20Discovery.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1616504%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1616504%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8518%22%20target%3D%22_blank%22%3E%40Matthew%20Barrett%3C%2FA%3E%26nbsp%3Bno%2C%20not%20at%20all.%20Everything%20is%20fine....or%20they%20are%20working%20on%20it%2C%20is%20the%20answer.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1732993%22%20slang%3D%22en-US%22%3ERe%3A%20No%20usage%20data%20in%20Cloud%20App%20Security%20since%209%20March%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1732993%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F410818%22%20target%3D%22_blank%22%3E%40Elduderino%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20luck%20with%20this%2C%20still%20not%20working%20as%20expected%20for%20me...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

We noticed that we are not getting data for some apps since somewhere around 9 March. Usage data stopped in a miracle way for apps like OneDrive, Teams, YouTube, Spotify etc. Means that it won’t show, how many users, traffic and which users used the apps.

Exchange and Sharepoint do still showing correct information.

Is there something I can check or is there a platform issue?

10 Replies

@ElduderinoHow is your MCAS discovery configured?  Could it be a problem with an appliance not sending the logs, or are you using Defender ATP?

@Ru we are using Defender ATP so the setup is straight forward.  Setting "automatic log upload" shows an active connection. Did turn the integration on and off again, no luck.

I'd be inclined to raise a support request with Microsoft to start with as it could potentially be a problem their end. A support engineer will at least be able to remote onto your console with you and investigate together. Some troubleshooting thoughts but you've probably already checked these:

Is forwarding set up in the the Defender ATP portal's advanced features?
In MCAS's Cloud Discovery page, there's a Machines tab - how do the endpoints report?
Are all your endpoints licensed correctly with an M365 E5 subscription running Windows 10 A/E5?

@Ru I will raise a ticket. Defender ATP forwarding is enabled and did work over the last 6 months, till the beginning of March.

 

We are licensed for Cloud App discovery and we have some users with the E5 license. We don't use Cloud app security in full extent, but we only monitor what is being used, so Discovery.

Machines are reporting to Cloud app security, but when I zoom in, only a few apps do report traffic and usage data. gives me the feeling that the integration with Defender ATP doesn't work correctly

 

Thanks.

@Elduderino did you get any answers? We have the same problem here.

@NinjaKitty  The issue was caused by a change they have done. They told me that this change would improve the data report reliability of the detected cloud apps. However with the first change they introduced quite some issues, this will/has been fixed (at least they say) in later changes.

However I have still the feeling that it is not reliable, the data is absolutely not correct.

OneDrive for Business and teams were previously reported as separate apps however they removed this and it is now reported all together as SharePoint.

 

So really disappointing.

Hey both,

Have you received a fix for this?

Cheers
Situation is still the same here. YouTube is listed inside the Cloud-App-Catalog, but no usage captured in Cloud Discovery.

@Matthew Barrett no, not at all. Everything is fine....or they are working on it, is the answer.

Hi @Elduderino 

 

Any luck with this, still not working as expected for me...

 

Cheers,