Alerts from actions in apps that are not connected

%3CLINGO-SUB%20id%3D%22lingo-sub-2944818%22%20slang%3D%22en-US%22%3EAlerts%20from%20actions%20in%20apps%20that%20are%20not%20connected%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2944818%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20type%20of%20policy%20template%20should%20we%20use%20if%20we%20want%20to%20get%20notified%20when%20someone%20tries%20to%20upload%20a%20file%20to%20an%20app%20that%20is%20not%20one%20of%20the%20%22Connected%22%20apps%3F%20I%20was%20thinking%20that%20I%20should%20use%20and%20Activity%20Policy%2C%20but%20I'm%20having%20difficulty%20configuring%20the%20filters.%20If%20I%20choose%20App%20equals%2C%20then%20the%20only%20choices%20are%20for%20apps%20that%20have%20already%20been%20connected.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Respected Contributor

What type of policy template should we use if we want to get notified when someone tries to upload a file to an app that is not one of the "Connected" apps? I was thinking that I should use and Activity Policy, but I'm having difficulty configuring the filters. If I choose App equals, then the only choices are for apps that have already been connected. 

4 Replies
Defender for Cloud Apps does not have any visibility into what is happening in the app unless it is connected via App Connector or via CAAC. There is no general forward proxy in Defender for Cloud Apps to watch all activity to any app. Instead, it is focused on protecting your sanctioned SaaS apps.
Thanks, what is CAAC?
Conditional Access App Control, a feature of MDCA.

Sorry, I generally presume if you are posting a question to the forum, you have already reviewed the extensive product documentation.

https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad
I have read those docs and that acronym does not show up on the page. Keeping up with the alphabet soup of old and new products is quite a challenge. I don't recall seeing that FLA in the past 5 years of using MS security products.