Microsoft Defender for Cloud Apps (MDA)

Cloud & SaaS, Identity & Directory, Cloud Control Plane, SIEM / Log Aggregator

Location

Microsoft Defender Portal > Cloud Apps > Activity Log (or API)

Description

Cloud Access Security Broker (CASB) logging OAuth app activity, shadow IT discovery via cloud app usage, impossible travel alerts, mass download detections, suspicious inbox manipulation, and governance actions across connected cloud services.

Forensic Value

MDA provides visibility into cloud application usage and data movement that other M365 logs miss. The Activity Log records granular actions across connected apps (Box, Salesforce, AWS) in addition to M365 services. Anomaly detection policies surface impossible travel, activity from anonymous IPs, and mass file downloads. OAuth app governance alerts identify malicious app consent grants. Session policies can reveal real-time data exfiltration attempts.

Tools Required

Microsoft Defender Portal, PowerShell, Microsoft Graph API, SIEM (Sentinel)

Collection Commands

Graph API

GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftCloudAppSecurity' and createdDateTime ge 2024-01-01T00:00:00Z

PowerShell

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType McasAlerts -ResultSize 5000 | Export-Csv mda_alerts.csv -NoTypeInformation

KQL

McasShadowItReporting | where TimeGenerated > ago(30d) | summarize TotalBytes=sum(BytesUploaded + BytesDownloaded) by AppName | sort by TotalBytes desc | take 50
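The one-liner above stops at the 5000-record cap of a single Search-UnifiedAuditLog call, and it leaves the alert details packed inside the AuditData JSON string. The script below is an added example (not from this page or from Microsoft) showing how a responder would collect the full McasAlerts set for the window and flatten it for triage. It assumes Connect-ExchangeOnline has already been run, and the AuditData property names it extracts (Name, Severity, Category, PolicyName) are assumed from typical MDA alert records; confirm them against your own export and adjust.

```powershell
# Added example: collect all McasAlerts records for the last 30 days, paging past
# the 5000-per-call limit with a session, then expand AuditData for triage.
# Assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline
# has succeeded.
$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$sessionId = "MDA-Alerts-$([guid]::NewGuid())"
$all       = @()

# ReturnLargeSet keeps returning pages of up to 5000 for the same SessionId
# (overall limit 50,000) until the set is exhausted; an empty or short page ends the loop.
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType McasAlerts -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($batch) { $all += $batch }
} while ($batch -and $batch.Count -eq 5000)

# Flatten each record: envelope fields come from the cmdlet output, alert detail
# fields come from the AuditData JSON. The JSON property names are assumptions;
# RawJson is kept so nothing is lost if they differ in your tenant.
$expanded = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        UserIds      = $_.UserIds
        Operation    = $_.Operations
        Name         = $d.Name
        Severity     = $d.Severity
        Category     = $d.Category
        PolicyName   = $d.PolicyName
        RawJson      = $_.AuditData
    }
} | Sort-Object CreationDate

# Preserve the evidence, then give a quick picture of which detections fired most.
$expanded | Export-Csv mda_alerts_expanded.csv -NoTypeInformation
$expanded | Group-Object Name | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

ReturnLargeSet pages are not guaranteed to arrive in chronological order, which is why the script sorts on CreationDate before exporting; if a window returns close to 50,000 records, narrow the date range and rerun rather than trusting a truncated set.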

MITRE ATT&CK Techniques

T1550.001, T1098.003, T1078.004, T1530, T1538