Cloud App Discovery and Activity Monitoring
Discover unsanctioned cloud apps across your organization, interpret the activity log, and respond to risky app usage patterns.
Shining a light on shadow IT
Cloud App Discovery is a full audit of every cloud service your employees actually use — not just the ones you approved.
Here’s the reality: your company might officially use Microsoft 365 and Salesforce. But your marketing team is using Canva. Finance is using a free invoice tool. Engineering is sharing code on a platform you’ve never heard of. A departing employee is syncing files to a personal cloud storage account. None of these show up in your IT asset list.
Cloud App Discovery analyses your network traffic (or device telemetry from Defender for Endpoint) and builds a complete picture of every cloud service being accessed. It doesn’t just list them — it scores each app for risk, tells you how many users are on it, how much data is flowing to it, and whether it meets your compliance requirements.
How Cloud App Discovery discovers apps
Method 1: Log collector (firewall and proxy logs)
The traditional approach — export traffic logs from your network appliances and feed them to Defender for Cloud Apps.
| Step | Detail |
|---|---|
| 1. Deploy log collector | Docker container or virtual appliance in your network that receives syslog from firewalls/proxies |
| 2. Configure data sources | Select your firewall vendor format (Palo Alto, Fortinet, Zscaler, etc.) |
| 3. Forward logs | Point firewall syslog output to the log collector’s IP address |
| 4. Automatic parsing | Defender for Cloud Apps parses the logs, extracts cloud app URLs, and matches them to the app catalog |
| 5. Continuous analysis | New logs are processed automatically — discovery stays current |
Limitation: log-based discovery only sees traffic that passes through the firewall. Remote workers on personal networks, split-tunnel VPN traffic, and direct internet access bypass your firewall — those apps are invisible.
Method 2: Defender for Endpoint integration
The modern approach — and the one the exam favors. MDE-based discovery uses endpoint telemetry instead of network logs.
| Advantage | Why it matters |
|---|---|
| Per-device attribution | See which specific device accessed each app — not just an IP address |
| Works anywhere | Discovers apps even when users are remote, off-VPN, or on personal networks |
| No infrastructure changes | No log collector deployment, no syslog configuration, no firewall reconfiguration |
| Real-time | Discovery is continuous — no batch log uploads |
| Enables app blocking | Can block access to unsanctioned apps directly on the endpoint via network protection |
| Feature | Log Collector | MDE Integration |
|---|---|---|
| Data source | Firewall/proxy traffic logs | Endpoint sensor telemetry |
| Deployment effort | Docker container + syslog config | No additional deployment (uses existing MDE sensor) |
| Remote worker visibility | Only if traffic routes through corporate firewall | Full visibility regardless of network location |
| Device-level attribution | No | Yes |
| App blocking capability | No | Yes |
| Best for | Organizations without MDE or with unmanaged devices | Organizations with MDE deployed across their fleet |
Dev's discovery approach for client audits
Dev Patel uses a two-phase approach when auditing new clients:
Phase 1 — Quick discovery (week 1): Enable MDE integration for Cloud App Discovery on existing onboarded devices. This gives immediate visibility into cloud app usage without any infrastructure changes. Dev typically discovers 200-400 cloud apps at enterprise clients within the first 48 hours.
Phase 2 — Full coverage (weeks 2-4): Deploy log collectors on perimeter firewalls to capture traffic from unmanaged devices (printers, IoT, guest networks) that MDE doesn’t cover. Cross-reference both data sources for a complete picture.
Dev’s experience: the MDE integration alone captures 85-90% of cloud app usage in most organizations. Log collectors fill the remaining gaps from non-MDE-managed devices.
The Cloud App Catalog — risk-scoring every app
When Cloud App Discovery identifies an app, it matches the app against the Cloud App Catalog — a database of over 31,000 cloud applications, each scored across 90+ risk factors.
Risk score components
Each app receives a score from 1 to 10 (10 being lowest risk):
| Category | What it evaluates |
|---|---|
| General | Company age, domain registration, headquarters location |
| Security | Encryption at rest, encryption in transit, MFA support, audit logging, SOC 2 certification |
| Compliance | GDPR, HIPAA, ISO 27001, SOC 1/2/3, FedRAMP, CSA STAR certifications |
| Legal | Data ownership clauses, data retention policies, DMCA compliance |
Sanctioning apps
After reviewing discovery results, you classify apps:
- Sanctioned — approved for use. No restrictions applied. Marked with a green checkmark in discovery reports.
- Unsanctioned — not approved. Can be blocked at the endpoint via MDE network protection or tagged for follow-up. Marked as blocked in the catalog.
- Monitored — under review. Not blocked but flagged for increased scrutiny. Useful during evaluation periods.
Exam tip: Blocking unsanctioned apps
The exam tests how unsanctioned apps are blocked. Two enforcement mechanisms:
- Defender for Endpoint network protection — when you mark an app as Unsanctioned in the Cloud App Catalog, MDE can block access to that app’s domains directly on the endpoint. Requires MDE onboarding and network protection enabled. Works regardless of user location.
- Firewall/proxy block lists — export the unsanctioned app domain list and add it to your firewall rules. Manual process, only blocks traffic through the firewall.
MDE-based blocking is the preferred method — it works for remote users, doesn’t require firewall changes, and enforces automatically when you update the app status in the catalog.
The activity log — your investigation command center
The activity log is the central timeline of all user and admin actions detected across connected apps. Every sign-in, file download, sharing change, and admin action appears here.
Reading the activity log
Each log entry contains:
| Field | Description |
|---|---|
| Timestamp | When the activity occurred (UTC) |
| User | The user who performed the action |
| App | Which connected cloud app (M365, Salesforce, Box, etc.) |
| Activity type | The specific action (sign-in, download, share, delete, permission change) |
| IP address | Source IP of the activity |
| Location | Geolocation derived from the IP address |
| Device | Device information when available (from MDE integration) |
Filtering and investigation
The activity log supports advanced filtering to narrow down investigations:
- User — filter to a specific user’s activities across all connected apps
- IP address — find all activities from a suspicious IP
- Activity type — isolate specific action types (e.g., all file downloads in the last 24 hours)
- App — focus on a single connected application
- Date range — narrow the time window for investigation
- Location — filter by country or city
Dev uses the activity log during incident investigations to build a timeline: “Show me everything this user did across all connected apps in the 48 hours before the incident.”
Exporting activity data
Activity log data can be exported to CSV for offline analysis, compliance documentation, or integration with SIEM platforms. Maximum export: 5,000 activities per query. For larger datasets, use the Defender for Cloud Apps API.
Responding to discovered risks
Discovery is only valuable if you act on what you find. Here’s the response playbook:
Immediate actions for high-risk findings
| Finding | Response |
|---|---|
| High-risk app with many users | Unsanction the app, block via MDE, communicate approved alternatives to users |
| Data exfiltration pattern | Investigate the activity log, identify affected files and users, apply governance actions |
| Unauthorized file storage apps | Block the app, create a file policy to detect future uploads, review what data was stored |
| Apps failing compliance requirements | Unsanction if compliance is mandatory (HIPAA, GDPR), document risk if exception is needed |
Long-term governance
- Create activity policies to alert on future usage of newly discovered risky apps
- Establish an app request process — give users a way to request new apps through IT rather than adopting shadow IT
- Regular discovery reviews — schedule monthly reviews of new apps appearing in the discovery dashboard
- Integrate with Conditional Access — route sessions for monitored apps through CAAC for real-time control
Dev audits a client's SaaS landscape
Dev runs a Cloud App Discovery audit for a 5,000-user manufacturing client. Results after two weeks of data collection:
- 347 cloud apps discovered (the client believed they used about 40)
- 28 apps scored below 4 out of 10 (high risk — no encryption, no compliance certifications, hosted in jurisdictions with no data protection laws)
- 3 file storage apps being used as alternatives to OneDrive — employees found them “easier to share with external partners”
- 1 HR tool storing employee data including national ID numbers — the vendor had no SOC 2 certification and no data processing agreement
Dev’s recommendations: immediately block the 12 highest-risk apps via MDE, work with department heads to migrate users from the 3 file storage apps to OneDrive with external sharing configured properly, and engage legal to review the HR tool’s data handling practices. The remaining low-risk apps were monitored for 90 days before a sanction/unsanction decision.
Knowledge check
Dev enables Defender for Endpoint integration for Cloud App Discovery at a client site. After 48 hours, the dashboard shows 280 cloud apps discovered. However, the client's firewall team reports they see traffic to approximately 50 additional cloud services from network segments that contain printers, conference room systems, and IoT devices. Why are these 50 apps missing from discovery?
Priya reviews the Cloud App Discovery dashboard at GlobalReach and finds that 400 employees are using a file-sharing app called 'QuickDrop' with a risk score of 2 out of 10. The app has no encryption at rest, no SOC 2 certification, and is hosted in a jurisdiction with no data protection laws. What is the correct sequence of actions?
Elena is reviewing the activity log in Defender for Cloud Apps after receiving an alert about a MedGuard Health nurse downloading 200 patient files from SharePoint in 15 minutes. She filters the activity log by user and sees the following timeline: 08:00 sign-in from hospital IP, 08:05 normal file access, 09:30 sign-in from unknown IP in another country, 09:32 mass file download begins. What should Elena conclude?
🎬 Video coming soon
Domain 3 nearing completion! Next up: Domain 4 — Sensitive Information Types — begin building your data protection strategy with Microsoft Purview.