1.6 Secure Cloud Apps with Microsoft Defender for Cloud Apps

10-14 hours · Module 1 · Free

Secure Cloud Apps and Services with Microsoft Defender for Cloud Apps

SC-200 Exam Objective

Domain 3 — Manage Incident Response: "Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps."

Introduction

Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that provides visibility into cloud application usage, detects anomalous behavior, and enforces data protection policies across both Microsoft and third-party SaaS applications.

This subsection teaches you what Defender for Cloud Apps monitors, how it detects threats like OAuth abuse and data exfiltration, and how to investigate and respond to cloud app alerts. This product is particularly important for Module 11 (AiTM investigation) because the attacker’s post-compromise activity — inbox rule creation, mailbox access, OAuth app consent — is detected by Defender for Cloud Apps.


What Defender for Cloud Apps protects

| Capability | What it does | Investigation value |
|---|---|---|
| Cloud Discovery | Identifies all SaaS applications used in the organization (including shadow IT) | Reveals unauthorized applications that may pose data leakage risk |
| App connectors | Connects to SaaS APIs (M365, Salesforce, Google, etc.) for deep activity monitoring | Populates the CloudAppEvents table used in advanced hunting; without the Microsoft 365 connector, inbox-rule and mailbox activity will not appear there |
| Conditional Access App Control | Proxies user sessions to enforce real-time access controls | Blocks download of sensitive files, monitors clipboard activity |
| OAuth app governance | Monitors OAuth app registrations and consent grants | Detects consent phishing (Module 15 topic) and overprivileged apps |
| Anomaly detection policies | Built-in ML-based detection for impossible travel, mass download, suspicious inbox rules | Generates alerts for post-compromise behavior |

Key CloudAppEvents investigation patterns

```kql
// Detect suspicious inbox rule creation (post-compromise indicator).
// "New-InboxRule" is the Exchange cmdlet name recorded in the unified audit log;
// it reaches CloudAppEvents through the Microsoft 365 app connector.
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "New-InboxRule"
// The rule's parameters (ForwardTo, RedirectTo, MoveToFolder, DeleteMessage,
// SubjectContainsWords, ...) are nested in RawEventData; stringify for keyword search
| extend RuleDetails = tostring(RawEventData)
| where RuleDetails has_any ("delete", "forward", "redirect", "junk", "archive")
| project Timestamp, AccountDisplayName, RuleDetails
```
Expected Output

| Timestamp | AccountDisplayName | RuleDetails (truncated) |
|---|---|---|
| 08:15 | Jordan Morrison | ...MoveToFolder: "Deleted Items", SubjectContains: "invoice"... |
What to look for: Inbox rules that delete, forward, or redirect emails, especially rules targeting keywords like "invoice," "payment," "security," or "password." Attackers create these rules to hide their activity (delete security notifications, or move them to rarely opened folders such as Deleted Items, RSS Feeds, or Archive) or to intercept sensitive communications (forward invoices for BEC). A rule with no name or a one-character name is a further tell. The keyword match on the stringified RawEventData is deliberately broad, so expect benign hits (for example, a user archiving newsletters) and confirm the rule's actual parameters before acting. This rule creation at 08:15, one minute after the suspicious sign-in in subsection 1.2, corroborates post-compromise activity.
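The KQL above searches the whole audit record as a string. The following added example (not part of the course material) applies the same triage on parsed New-InboxRule parameters instead, so that an external forward, a hiding folder, a financial keyword, an unnamed rule, and creation shortly after a risky sign-in each contribute to a score with a stated reason. The sample events and sign-ins are constructed; the RawEventData shape (a Parameters list of Name/Value pairs) follows the Exchange admin audit record format, and the tenant domain, scoring weights, and correlation window are assumptions to adjust for your environment.

```python
"""Score New-InboxRule CloudAppEvents rows from parsed parameters (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's own mail domains
FINANCE_KEYWORDS = ("invoice", "payment", "security", "password", "wire")
HIDING_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")


@dataclass
class Finding:
    account: str
    timestamp: datetime
    reasons: list = field(default_factory=list)
    score: int = 0


def params_to_dict(raw_event_data):
    """Flatten the audit record's Parameters array into {name: value}."""
    return {p["Name"]: str(p["Value"]) for p in raw_event_data.get("Parameters", [])}


def external_recipients(value):
    """Recipients whose domain is not ours; the value may be ';'- or ','-separated."""
    out = []
    for r in value.replace(",", ";").split(";"):
        r = r.strip().strip('"')
        if "@" in r and r.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            out.append(r)
    return out


def classify_rule(event, recent_signins=(), window=timedelta(minutes=10)):
    """Return a Finding for a suspicious New-InboxRule event, or None if it looks benign."""
    if event["ActionType"] != "New-InboxRule":
        return None
    p = params_to_dict(event["RawEventData"])
    f = Finding(event["AccountDisplayName"], event["Timestamp"])
    for name in FORWARD_PARAMS:                      # forward/redirect, weighted by destination
        if name in p:
            ext = external_recipients(p[name])
            f.reasons.append(f"{name} to external {ext}" if ext else f"{name} (internal)")
            f.score += 3 if ext else 1
    if p.get("DeleteMessage", "").lower() == "true":  # hide incoming mail outright
        f.reasons.append("DeleteMessage")
        f.score += 2
    folder = p.get("MoveToFolder", "").lower()
    if any(h in folder for h in HIDING_FOLDERS):     # hide in a folder nobody reads
        f.reasons.append(f"MoveToFolder {p['MoveToFolder']}")
        f.score += 2
    for name in KEYWORD_PARAMS:                      # BEC-style targeting of finance mail
        hit = [k for k in FINANCE_KEYWORDS if k in p.get(name, "").lower()]
        if hit:
            f.reasons.append(f"{name} matches {hit}")
            f.score += 2
    if len(p.get("Name", "").strip(". ")) <= 1:      # "." or "" rule names are a common tell
        f.reasons.append("unnamed or dot-named rule")
        f.score += 1
    for s in recent_signins:                         # created shortly after a risky sign-in?
        delta = f.timestamp - s["Timestamp"]
        if s["Account"] == f.account and timedelta(0) <= delta <= window:
            f.reasons.append(f"created {int(delta.total_seconds() // 60)} min after "
                             f"risky sign-in from {s['IPAddress']}")
            f.score += 3
    return f if f.score else None


def run_demo():
    """Constructed sample rows standing in for CloudAppEvents / sign-in output."""
    t = datetime(2025, 1, 15, 8, 15)
    signins = [{"Account": "Jordan Morrison", "Timestamp": t - timedelta(minutes=1),
                "IPAddress": "203.0.113.25"}]  # constructed TEST-NET address
    events = [
        {"Timestamp": t, "ActionType": "New-InboxRule", "AccountDisplayName": "Jordan Morrison",
         "RawEventData": {"Parameters": [
             {"Name": "Name", "Value": "."},
             {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
             {"Name": "MoveToFolder", "Value": "Jordan Morrison:\\Deleted Items"}]}},
        {"Timestamp": t + timedelta(hours=2), "ActionType": "New-InboxRule",
         "AccountDisplayName": "Priya Patel",
         "RawEventData": {"Parameters": [
             {"Name": "Name", "Value": "Finance"},
             {"Name": "SubjectContainsWords", "Value": "wire transfer"},
             {"Name": "ForwardTo", "Value": "finance.archive@mail-relay.example"}]}},
        {"Timestamp": t + timedelta(hours=3), "ActionType": "New-InboxRule",
         "AccountDisplayName": "Sam Lee",
         "RawEventData": {"Parameters": [
             {"Name": "Name", "Value": "Newsletters"},
             {"Name": "FromAddressContainsWords", "Value": "noreply"},
             {"Name": "MoveToFolder", "Value": "Sam Lee:\\Newsletters"}]}},
    ]
    findings = [f for e in events if (f := classify_rule(e, signins))]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.timestamp:%H:%M} {f.account} score={f.score}: {'; '.join(f.reasons)}")
```

The benign newsletter rule scores zero and is dropped, while the Jordan Morrison rule accumulates the hiding folder, the finance keywords, the dot name, and the one-minute gap after the risky sign-in, which is the chain of evidence the paragraph above describes.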

Response actions

| Action | When to use |
|---|---|
| Revoke OAuth app | Malicious app granted consent; revoke its permissions immediately |
| Suspend user | Account compromise detected in cloud apps; suspension prevents further cloud activity |
| Require re-authentication | Force step-up auth via Conditional Access App Control |
| Governance actions | Automated responses attached to a policy: revoke app, notify user, require re-auth |

Check your understanding

1. An attacker creates an inbox rule on j.morrison's mailbox that forwards all emails containing "invoice" to an external address. Which Defender product detects this?

Defender for Cloud Apps (correct): CloudAppEvents captures inbox rule creation with the rule details. The anomaly detection policy for suspicious inbox rules fires because the rule forwards to an external address and targets financial keywords. This is a classic BEC preparation step covered in Module 12.

Defender for Office 365 (incorrect)

Defender for Endpoint (incorrect)