Microsoft Defender for Cloud Apps (MDA)

m365-azure, Identity & Directory, Cloud Admin Portal, SIEM / Log Aggregator

Location

Microsoft Defender Portal > Cloud Apps > Activity Log (or API)

Description

Cloud Access Security Broker (CASB) logging OAuth app activity, shadow IT discovery via cloud app usage, impossible travel alerts, mass download detections, suspicious inbox manipulation, and governance actions across connected cloud services.

Forensic Value

MDA provides visibility into cloud application usage and data movement that other M365 logs miss. The Activity Log records granular actions across connected apps (Box, Salesforce, AWS) in addition to M365 services. Anomaly detection policies surface impossible travel, activity from anonymous IPs, and mass file downloads. OAuth app governance alerts identify malicious app consent grants. Session policies can reveal real-time data exfiltration attempts.

Tools Required

Microsoft Defender Portal, PowerShell, Microsoft Graph API, SIEM (Sentinel)