We’re thrilled to share that the new CloudAppEvents table is now available as a public preview in advanced hunting for Microsoft 365 Defender.
This new advanced hunting schema table contains activities monitored by Microsoft Cloud App Security (MCAS) involving the following services:
Microsoft Exchange Online
In Microsoft 365 Defender advanced hunting, you can use Kusto Query Language (KQL) to proactively find threat activity involving these applications including setting inbox rules, mailbox permissions, and Teams channels updates.
This new table includes:
Precise location information in these columns:
UserAgent information from web browsers or other client applications
ActivityObjects column listing various objects involved in the recorded event, such as files or folders. This is identical to what is already displayed for each activity in Cloud App Security.
In early 2021, this table will also include activities involving the following O365 services:
OneDrive for Business
Replacing the AppFileEvents table
The AppFileEvents table, which contains file activities from these applications, will stop getting populated with new data in early 2021. Activities involving these applications, including file activities, will be recorded in the new CloudAppEvents table. In addition to this change, SMB file copy activity (action type: SmbFileCopy) from Microsoft Defender for Identity currently stored in the AppFileEvents table will be moved to the IdentityDirectoryEvents.
If you have any saved queries, custom detection rules or queries running through the API, using the AppFileEvents table, please make sure to edit them to work with the CloudAppEvents table.
For example, here is a query that checks the AppFileEvents table:
AppFileEvents | where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online" | where FileName endswith ".xlsx" | project Timestamp, ActionType, Application, FileName, FolderPath, AccountObjectId, AccountDisplayName, IPAddress, Location | take 50
You can edit it to use the CloudAppEvents table like so:
CloudAppEvents | where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online" | where ObjectType == "File" and ObjectName endswith ".xlsx" | project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode | take 50
Sample queries with CloudAppEvents
Here are some samples queries that might help you understand how to use this new table:
//Activities from a specific app CloudAppEvents | where Application == "Microsoft SharePoint Online" | take 100
//Activities made by a specific user, the user is the "actor" letuser = "<user name>" ; CloudAppEvents | where AccountDisplayName == user | take 100
//Activities involving a specific user, the user is with any role, not "actor" only letuser = "<user name>" ; CloudAppEvents | where ActivityObjects has user | take 100
//Activities on a specific file letfileName = "<file name>"; CloudAppEvents | where ObjectType == and ObjectName == fileName | take 100
//Activities from specific IP address CloudAppEvents | where IPAddress == "<IP>" | take 100
//Activities from a specific user agent CloudAppEvents | where UserAgent == "<user agent>" | take 100
As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or contact us at AHfeedback@microsoft.com.