We are pleased to share that we have expanded coverage of the CloudAppEvents table in advanced hunting to now include non-Microsoft cloud app activities monitored by Microsoft Defender for Cloud Apps. In addition, we have added new columns to the CloudAppEvents table like IsExternalUser, IsImpersonated, and more. Together, these enhancements can help you better hunt for threats in cloud app activities using advanced hunting in Microsoft 365 Defender.
Cloud apps are an attractive entry point for attackers, so it is worth monitoring them for anomalies and suspicious behavior. Previously, advanced hunting users could only look for threat activity in Microsoft applications such as Exchange Online, SharePoint Online and Teams. If you wanted to look at activity in non-Microsoft cloud apps, you had to use the activity log in the Microsoft Defender for Cloud Apps portal, where querying and filtering capabilities were limited.
Now, in advanced hunting, you can also query cloud app activities related to Amazon Web Services, Google Workspace, Box, Dropbox, Slack, and more. For example, you can query GitHub to see if someone enabled private repository forking, which, if abused or used maliciously, allows easier exfiltration from the repo:
CloudAppEvents
| where Application == "GitHub" and ActionType == "private_repository_forking.enable"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode
| take 50
Or for example, in Amazon Web Services, you can find out what were the policy changes in Identity and Access Management (IAM) and which users or groups were changed in the policies:
CloudAppEvents
| where Application == "Amazon Web Services"
// Attach/Detach, Put/Delete inline policies, and managed policy (version) lifecycle events
| where ActionType in~ ("AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy", "DetachUserPolicy", "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion")
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode
| take 100
In addition to including non-Microsoft applications, and to further support hunting for scenarios like the recent Nobelium attack, we added more columns to the CloudAppEvents table, such as IsExternalUser, IsImpersonated, AccountType and IPCategory, that help you look for threat activity more effectively.
Here are a few handy examples that make use of these fields:
To check if an activity was performed by an external admin:
CloudAppEvents
| where IsExternalUser == true and AccountType == "Admin"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode, IsExternalUser, AccountType
| take 50
Or, simply, to check which activities were performed from a risky IP:
CloudAppEvents
| where IPCategory == "Risky"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode, IsExternalUser, AccountType
| take 50
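The queries above each check a single signal. The following query, an added example that is not part of the original post, combines them: it takes the AWS IAM policy-change action list from the earlier example and keeps only the changes that also carry one of the new risk columns (IsExternalUser, IsImpersonated or IPCategory), then rolls the results up per actor so that one account making many policy changes from a risky address surfaces as a single row. The 7-day lookback and the set-size caps are assumptions to tune for your tenant; all column names are the ones already used on this page.

```kql
// Added example: AWS IAM policy changes that also carry a risk signal, summarized per actor.
let lookback = 7d;                       // assumption: adjust to your retention and alert cadence
let iamPolicyActions = dynamic([
    "AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy",
    "DetachGroupPolicy", "DetachRolePolicy", "DetachUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where Application == "Amazon Web Services"
| where ActionType in~ (iamPolicyActions)
// keep only changes where at least one of the new risk columns is set
| where IsImpersonated == true or IsExternalUser == true or IPCategory == "Risky"
// label the strongest reason per event so the summary explains itself
| extend RiskReason = case(
    IsImpersonated == true, "impersonated session",
    IsExternalUser == true, "external actor",
    IPCategory == "Risky",  "risky IP",
    "none")
| summarize
    Changes   = count(),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Actions   = make_set(ActionType, 20),   // which IAM APIs were called
    Targets   = make_set(ObjectName, 20),   // which users/groups/roles/policies were touched
    SourceIPs = make_set(IPAddress, 10),
    Countries = make_set(CountryCode, 10),
    Reasons   = make_set(RiskReason)
    by AccountObjectId, AccountDisplayName, AccountType
| order by Changes desc
```

Because the output is already aggregated per actor, it is a reasonable starting point for a custom detection rule: a non-admin AccountType with several IAM changes and a "risky IP" or "impersonated session" reason is the kind of row you would want to review rather than scroll past. Drop the risk-column filter to baseline how much normal IAM churn your environment has before turning it into an alert.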
We hope these additional data points can help you in protecting your network from attackers that take advantage of cloud apps. As usual, we would love to hear your feedback, and you can share your feedback with us in the Microsoft 365 Defender portal or by emailing AHfeedback@microsoft.com.