Merge pull request #4665 from MicrosoftDocs/main

[AutoPublish] main to live - 08/05 04:30 PDT | 08/05 17:00 IST

Author: m365-skilling-repo-management[bot]

CloudAppSecurityDocs/behaviors.md

@@ -1,7 +1,7 @@
 ---
 title: Investigate behaviors with advanced hunting | Microsoft Defender for Cloud Apps
 description: Learn how to investigate Microsoft Defender for Cloud App behaviors with Microsoft Defender XDR advanced hunting.
-ms.date: 09/07/2023
+ms.date: 08/05/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Cloud Apps customer, I want to understand how behaviors work so that I can investigate more effectively.
 ---
@@ -10,9 +10,9 @@ ms.topic: how-to
 
 
 
-While some anomaly detections focus primarily on detecting problematic security scenarios, others can help identifying and investigating anomalous user behavior that doesn't necessarily indicate a compromise. In such cases, Microsoft Defender for Cloud Apps uses a separate data type, called *behaviors*.
+While some anomaly detections focus primarily on detecting problematic security scenarios, others can help identifying and investigating anomalous user behavior that doesn't necessarily indicate a compromise. In such cases, Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud use a separate data type, called *behaviors*.
 
-This article describes how to investigate Defender for Cloud Apps behaviors with Microsoft Defender XDR advanced hunting.
+This article describes how to investigate Defender for Cloud Apps and Defender for Cloud behaviors with Microsoft Defender XDR advanced hunting.
 
 Have feedback to share? Fill out our [feedback form](https://forms.office.com/r/x0mX5hBkGu)!
 
@@ -27,7 +27,7 @@ While behaviors might be related to security scenarios, they're not necessarily
 
 ## Supported detections
 
-Behaviors currently support low-fidelity, Defender for Cloud Apps detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
+Behaviors currently support low-fidelity, Defender for Cloud Apps and Defender for Cloud detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
 
 |Alert name  |Policy name  |ActionType (Hunting)|
 |---------|---------|---------|

defender-xdr/advanced-hunting-cloudstorageaggregatedevents-table.md

@@ -0,0 +1,157 @@
+---
+title: CloudStorageAggregatedEvents table in the advanced hunting schema
+description: Learn about the CloudStorageAggregatedEvents table in the advanced hunting schema, which contains information about storage activity and related events.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords:
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 08/05/2025
+---
+
+# CloudStorageAggregatedEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+The `CloudStorageAggregatedEvents` table in the [advanced hunting](advanced-hunting-overview.md) contains information about storage activity and related events. Use this reference to construct queries that return information from this table.
+
+> [!IMPORTANT]
+> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This advanced hunting table is populated by records from [Microsoft Defender for Cloud](/azure/defender-for-cloud/concept-integration-365#advanced-hunting-in-xdr). If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results. For more information about prerequisites in integrating Defender for Cloud with Defender XDR, read [Microsoft Defender XDR integration](/azure/defender-for-cloud/concept-integration-365).
+
+
+For information on other tables in the advanced hunting schema, see the [advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DataAggregationStartTime` | `datetime` | The start time during which the data was aggregated |
+| `DataAggregationEndTime` | `datetime` | The end time during which the data was aggregated |
+| `DataSource` | `string` | The source of the aggregated logs |
+| `SubscriptionId` | `string` | Unique identifier assigned to the Azure subscription |
+| `ResourceGroup` | `string` | Name of the resource group where the storage account resides |
+| `StorageAccount` | `string` | The identifier for the storage account |
+| `StorageContainer` | `string` | The identifier for the storage container | 	
+| `StorageFileShare` | `string` | The identifier for the storage file share | 	 
+| `ServiceType` | `string` | Specifies the type of storage service (for example, Blob, ADLS Gen2, Files.REST, Files.SMB) | 	 
+| `IpAddress` | `string` | The IP addresses from which the storage was accessed |  	 
+| `UserAgentHeader` | `string` | Details of the user agent accessing the storage (for example, browser or application) | 	 
+| `OperationNamesList` | `object` | A list of storage operations performed (for example, CreateContainer, DeleteContainer) | 	 
+| `AuthenticationType` | `string` | The authentication method used to access the storage (for example, AccountKey, SAS, Oauth) | 	 
+| `AccountObjectId` | `string` | The unique identifier of the object is making the storage access | 	 
+| `AccountTenantId` | `long` | The unique identifier of the Azure tenant | 	 
+| `AccountApplicationId` | `string` | The application ID associated with the storage access | 	 
+| `AccountUpn` | `string` | The user principal name of the accessing user | 	 
+| `AccountType` | `long` | The account type used | 	 
+| `OperationsCount` | `int` | The total number of storage operations performed | 	 
+| `SuccessfulOperationsCount` | `int` | The count of successful storage operations | 	 
+| `FailedOperationsCount` | `int` | The count of failed storage operations | 	 
+| `FirstEventTimestamp` | `datetime` | The timestamp of the first observed operation in the aggregation period	| 	 
+| `LastEventTimestamp` | `datetime` | The timestamp of the last observed operation in the aggregation period | 	 
+| `TotalResponseLength` | `int` | The total response length of all GET operations during the aggregation period |
+| `SuccessfulReadOperations` | `int` | The count of successful read operations | 
+| `DistinctGetOperations` | `int` | The count of distinct GET operations performed | 
+| `AnonymousSuccessfulOperations` | `int` | The count of successful anonymous operations | 
+| `HasAnonymousResourceNotFoundFailures` | `bool` | Indicates whether anonymous resource not found failures occurred | 
+| `CountryName` | `string` | The name of the country from where the storage was accessed | 
+| `CityName` | `string` | The name of the city from where the storage was accessed | 
+| `ProvinceName` | `string` | The name of the province or state from where the storage was accessed | 
+| `ClientSystemServiceName` | `string` | The name of the system service is in the data center | 
+| `ClientCloudPlatformName` | `string` | The name of the cloud platform where the data center is located | 
+| `IsTorExitNode` | `bool` | Indicates whether the IP address is a Tor exit node | 
+| `IsKnownSuspiciousIp` | `bool` | Indicates whether the IP address is known to be suspicious | 
+| `IsPrivateIp` | `bool` | Indicates whether the IP address is private | 
+| `SuspiciousUserAgentName` | `string` | The name of the suspicious user agent accessing the storage | 
+| `HashReputationMd5List` | `object` | A list of MD5 hash reputations for the accessed resources | 
+| `AzureResourceId` | `string` | The Azure Resource ID of the storage account | 
+| `Location` | `string` | The location of the storage account (region) | 
+| `Timestamp` | `datetime` | Indicate the time when the record was generated | 
+| `ReportId` | `string` | GUID to identify the record in the specific table | 
+| `ActionType` | `string` | Type of action (aggregated logs) | 
+| `AdditionalFields` | `dynamic` | Additional information about the event in JSON array format | 
+
+
+## Sample queries
+
+To detect failed anonymous authentication attempts:
+
+```kusto
+CloudStorageAggregatedEvents
+| where FailedOperationsCount > 0
+| where AuthenticationType == "Anonymous"
+| project StorageAccount, FailedOperationsCount, OperationNamesList, AdditionalFields
+```
+
+To list unusual authentication methods used: 
+
+```kusto
+// Define a list of expected authentication types
+let ExpectedAuthTypes = dynamic(["AccountKey", "SAS", "Oauth"]);
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where not(AuthenticationType in (ExpectedAuthTypes))
+| summarize TotalOperations = sum(OperationsCount) by StorageAccount, AuthenticationType
+```
+To find storage accounts with a high number of failed operations: 
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| summarize TotalFailedOperations = sum(FailedOperationsCount) by StorageAccount
+| where TotalFailedOperations > 100
+| order by TotalFailedOperations desc
+```
+
+To monitor anonymous successful operations: 
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where AuthenticationType == "Anonymous" and SuccessfulOperationsCount > 0
+| project StorageAccount, SuccessfulOperationsCount, OperationNamesList, AdditionalFields
+```
+
+To detect access to sensitive containers or file shares:
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where AuthenticationType == "Anonymous" and SuccessfulOperationsCount > 0
+| project StorageAccount, SuccessfulOperationsCount, OperationNamesList, AdditionalFields
+```
+
+To detect suspicious file uploads with known malicious hashes:
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where isnotempty(Md5Hashes)
+| mv-expand HashReputation = Md5Hashes
+| extend HashDetails = parse_json(HashReputation)
+| project StorageAccount, AccountUpn, OperationNamesList, HashMd5 = HashDetails.md5Hash, ResourcePath = HashDetails.resourcePath, OperationType = HashDetails.operationType, ETag = HashDetails.etag
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+

defender-xdr/advanced-hunting-schema-tables.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 07/09/2025
+ms.date: 08/05/2025
 ---
 
 # Understand the advanced hunting schema
@@ -63,6 +63,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services |
 | **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview)| Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud |
 | **[CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md)** (Preview)| Cloud process events for various cloud platforms protected by the organization's Microsoft Defender for Containers |
+| **[CloudStorageAggregatedEvents](advanced-hunting-cloudstorageaggregatedevents-table.md)** (Preview)| Cloud storage activity and related events |
 | **[DataSecurityBehaviors](advanced-hunting-datasecuritybehaviors-table.md)** (Preview)| Insights about potentially suspicious user behaviors that violate user-defined or default policies configured in the Microsoft Purview suite of solutions|
 | **[DataSecurityEvents](advanced-hunting-datasecurityevents-table.md)** (Preview)| Information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions |
 | **[DeviceBaselineComplianceAssessment](advanced-hunting-devicebaselinecomplianceassessment-table.md)** (Preview) | Baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices |

defender-xdr/whats-new.md

@@ -41,6 +41,8 @@ You can also get product updates and important notifications through the [messag
     - You can now view the details pane even for analytics rules.
     - You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
 - (Preview) In advanced hunting, the number of [query results](advanced-hunting-query-results.md) displayed in the Microsoft Defender portal has been increased to 100,000. 
+- (Preview) The [`CloudStorageAggregatedEvents`](advanced-hunting-cloudstorageaggregatedevents-table.md) table in advanced hunting is now available for preview. This table contains information about storage activity and related events.
+- (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors).
 
 ## July 2025
 - (Preview) The [`GraphApiAuditEvents`](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.