Merge pull request #4340 from MicrosoftDocs/main

[AutoPublish] main to live - 06/26 01:35 PDT | 06/26 14:05 IST

Author: m365-skilling-repo-management[bot]

CloudAppSecurityDocs/activity-filters.md

@@ -1,39 +1,45 @@
 ---
 title: Investigate activities 
 description: This article provides a list of activities, filters, and match parameters that can be applied to activity policies.
-ms.date: 01/29/2023
+ms.date: 06/24/2025
 ms.topic: how-to
 ---
 
 # Investigate activities
 
 
-
 Microsoft Defender for Cloud Apps gives you visibility into all the activities from your connected apps. After you connect Defender for Cloud Apps to an app using the App connector, Defender for Cloud Apps scans all the activities that happened - the retroactive scan period differs per app - and then it's updated constantly with new activities.
 
 > [!NOTE]
-> For a full list of Microsoft 365 activities monitored by Defender for Cloud Apps, see [Search the audit log in the compliance center](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities).
+> The activity types (such as `FileCreated`, `FileCreatedOnNetworkShare`, `ArchiveCreated`, or `FileDeleted`) and their associated data are sourced directly from the connected app’s third-party API (for example, Salesforce or ServiceNow).
+>
+> Microsoft Defender for Cloud Apps displays these activity names and types exactly as received and doesn't define or modify them. To understand the meaning of an activity, refer to the relevant third‑party API documentation.
+
+For a full list of Microsoft 365 activities monitored by Defender for Cloud Apps, see [Search the audit log in the Microsoft Purview portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities).
+
 
 The **Activity log** can be filtered to enable you to find specific activities. You create policies based on the activities and then define what you want to be alerted about and act on. You can search for activities performed on certain files. The type of activities and the information we get for each activity depends on the app and what kind of data the app can provide.
 
 For example, you can use the **Activity log** to find users in your organization who are using operating systems or browsers that are out of date, as follows:
 After you connect an app to Defender for Cloud Apps in the **Activity log** page, use the advanced filter and select **User agent tag**. Then select **Outdated browser** or **Outdated operating system**.
 
-![Activity outdated browser example.](media/activity-example-outdated.png)
+:::image type="content" source="media/activity-filters/activity-example-outdated.png" alt-text="Screenshot that shows the Activity log with an outdated browser example." lightbox="media/activity-filters/activity-example-outdated.png":::
+
 
 The basic filter provides great tools to start filtering your activities.
 
-![basic activity log filter.](media/activity-log-filter-basic.png)
+:::image type="content" source="media/activity-filters/activity-log-filter-basic.png" alt-text="Screenshot that shows the basic activity log filter." lightbox="media/activity-filters/activity-log-filter-basic.png":::
+
 
 You can expand the basic filter by selecting **Advanced filters** to drill down into more specific activities.
 
-![advanced activity log filter.](media/activity-log-filter-advanced.png)
+:::image type="content" source="media/activity-log-filter-advanced.png" alt-text="Screenshot that shows the advanced activity log filter.":::
+
 
 > [!NOTE]
 > 
-> - The Legacy tag is added to any activity policy that uses the older "user" filter. This filter will continue to work as usual. If you want to remove the Legacy tag, you can remove the filter and add the filter again using the new **User name** filter.
-> 
-> - In some rare cases, the count of the events presented in the activity log may show a slightly higher number than the real number of events that apply for the filter and being presented.
+> - The Legacy tag is added to any activity policy that uses the older "user" filter. This filter continues to work as usual. If you want to remove the Legacy tag, you can remove the filter and add the filter again using the new **User name** filter.
+> - In some rare cases, the count of the events presented in the activity log might show a slightly higher number than the real number of events that apply for the filter and being presented.
 
 ## The Activity drawer
 
@@ -53,7 +59,7 @@ You can view more information about each activity, by selecting the Activity its
 
 - IP address category and tags: Select the IP tag to view the list of IP tags found in this activity. You can then filter by all activities matching this tag.
 
-The fields in the Activity drawer provide contextual links to additional activities and drill-downs you may want to perform from the drawer directly. For example, if you move your cursor next to the IP address category, you can use the **add to filter** icon ![add to filter.](media/add-to-filter-icon.png) to immediately add the IP address to the current page's filter. You can also use the settings cog icon ![settings icon](media/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **User groups**.
+The fields in the Activity drawer provide contextual links to additional activities and drill-downs you might want to perform from the drawer directly. For example, if you move your cursor next to the IP address category, you can use the **add to filter** icon ![add to filter.](media/activity-filters/add-to-filter-icon.png) to immediately add the IP address to the current page's filter. You can also use the settings cog icon ![settings icon](media/activity-filters/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **User groups**.
 
 You can also use the icons at the top of the tab to:
 
@@ -63,7 +69,9 @@ You can also use the icons at the top of the tab to:
 - View activities from the exact geographic location
 - View activities from the same period (48 hours)
 
-![activity drawer.](media/activity-drawer.png "activity drawer")
+
+:::image type="content" source="media/activity-filters/activity-drawer.png" alt-text="Screenshot that shows the activity drawer." lightbox="media/activity-filters/activity-drawer.png":::
+
 
 For a list of governance actions available, see [Activity governance actions](governance-actions.md#activity-governance-actions).
 
@@ -84,7 +92,8 @@ Selecting it opens the Activity drawer **User** tab provides the following insig
     - **ISPs**: The number of ISPs the user connected from in the past 30 days.
     - **IP addresses**: The number of IP addresses the user connected from in the past 30 days.
 
-![user insights in Defender for Cloud Apps.](media/user-insights.png)
+:::image type="content" source="media/user-insights.png" alt-text="Screenshot that shows user insights, user activities and frequent alert locations for Defender for Cloud apps." lightbox="media/user-insights.png":::
+
 
 #### IP address insights
 
@@ -112,10 +121,11 @@ To view IP address insights:
         - Set as a VPN IP address and add to allowlist
         - Set as a Risky IP and add to blocklist
 
-![IP address insights in Defender for Cloud Apps.](media/ip-address-insights.png)
+:::image type="content" source="media/activity-filters/ip-address-insights.png" alt-text="Screenshot that shows Ip address activities over the last 30 days." lightbox="media/activity-filters/ip-address-insights.png":::
+
 
 > [!NOTE]
->- Internal IPv4 or IPv6 IP addresses audited by the cloud applications connected with API, may indicate internal services communications within the network of the cloud application, and shouldn't be confused with internal IPs from the source network the device connected from, as the cloud application is not exposed to the internal IPs of the devices.
+>- Internal IPv4 or IPv6 IP addresses audited by the cloud applications connected with API, might indicate internal services communications within the network of the cloud application, and shouldn't be confused with internal IPs from the source network the device connected from, as the cloud application isn't exposed to the internal IPs of the devices.
 >- To avoid raising [impossible travel](anomaly-detection-policy.md#impossible-travel) alerts when employees connect from their home locations via the corporate VPN, it's recommended to tag the IP address as **VPN**.
 
 ## Export activities
@@ -124,7 +134,8 @@ You can export all user activities to a CSV file.
 
 In the **Activity log**, select the **Export** button in the top-left corner.
 
-![export button.](media/export-button.png)
+:::image type="content" source="media/activity-filters/export-button.png" alt-text="Screenshot that shows the export button in the Activity log.":::
+
 
 [!INCLUDE [Handle personal data](../includes/gdpr-intro-sentence.md)]
 

CloudAppSecurityDocs/data-protection-policies.md

@@ -268,7 +268,7 @@ You can view more information about each file, by selecting the file itself in t
 - **Matched policies** - See a list of policies the file matched.
 - **Sensitivity labels** - View the list of sensitivity labels from Microsoft Purview Information Protection found in this file. You can then filter by all files matching this label.
 
-The fields in the File drawer provide contextual links to files and drill downs you might want to perform from the drawer directly. For example, if you move your cursor next to the **Owner** field, you can use the "add to filter" icon ![add to filter.](media/add-to-filter-icon.png) to add the owner immediately to the filter of the current page. You can also use the settings cog icon ![settings icon.](media/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **Sensitivity labels**.
+The fields in the File drawer provide contextual links to files and drill downs you might want to perform from the drawer directly. For example, if you move your cursor next to the **Owner** field, you can use the "add to filter" icon ![add to filter.](media/activity-filters/add-to-filter-icon.png) to add the owner immediately to the filter of the current page. You can also use the settings cog icon ![settings icon.](media/activity-filters/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **Sensitivity labels**.
 
 :::image type="content" source="media/file-policies/file-drawer.png" alt-text="Screenshot showing the file drawer" lightbox="media/file-policies/file-drawer.png":::
 

CloudAppSecurityDocs/media/activity-drawer.png renamed to CloudAppSecurityDocs/media/activity-filters/activity-drawer.png

@@ -173,8 +173,8 @@ To export Cloud discovery logs from the cloud discovery dashboard:
 
 1. Above the table, select the export button. For example:
 
-    ![Screenshot of the export button.](media/export-button.png)
-   
+    :::image type="content" source="media/activity-filters/export-button.png" alt-text="Screenshot that shows the export button.":::
+
 
 1. Select the range of the report and select **Export**. This process may take some time.