File: CloudAppSecurityDocs/anomaly-detection-policy.md
Lines changed: 12 additions & 10 deletions
@@ -32,15 +32,6 @@ In addition to native Defender for Cloud Apps alerts, you'll also get the follow
32
32
33
33
These policies appear on the Defender for Cloud Apps policies page and can be enabled or disabled.
34
34
35
-
36
-
## Anomaly detection policies
37
-
38
-
You can see the anomaly detection policies in the Microsoft Defender Portal, by going to **Cloud Apps** -> **Policies** -> **Policy management**. Then choose **Anomaly detection policy** for the policy type.
39
-
40
-
:::image type="content" source="media/new-anomaly-detection-policies.png" alt-text="Screenshot showing how to filter anomaly detection policies.":::
41
-
42
-
The following anomaly detection policies are available:
43
-
44
35
> [!IMPORTANT]
45
36
> Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
46
37
>
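Review bot: The `[!IMPORTANT]` block about legacy anomaly detection policies being disabled now ends up above the `## Anomaly detection policies` heading, i.e. at the end of the preceding section ("In addition to native Defender for Cloud Apps alerts..." / "These policies appear on the Defender for Cloud Apps policies page and can be enabled or disabled."), because this hunk removes the heading (old line 36) together with the navigation paragraph, the screenshot directive and the "The following anomaly detection policies are available:" line. If the goal is to surface the June 2025 transition before the policy list, consider keeping `## Anomaly detection policies` in place above the note and moving only the navigation paragraph, the `:::image` directive and the intro sentence below it, so the note stays inside the section it describes.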
@@ -52,6 +43,14 @@ The following anomaly detection policies are available:
52
43
>
53
44
> You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
54
45
46
+
## Anomaly detection policies
47
+
48
+
You can see the anomaly detection policies in the Microsoft Defender Portal, by going to **Cloud Apps** -> **Policies** -> **Policy management**. Then choose **Anomaly detection policy** for the policy type.
49
+
50
+
:::image type="content" source="media/new-anomaly-detection-policies.png" alt-text="Screenshot showing how to filter anomaly detection policies.":::
51
+
52
+
The following anomaly detection policies are available:
53
+
55
54
### Impossible travel
56
55
57
56
This detection identifies two user activities (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials. This detection uses a machine-learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern. The impossible travel detection identifies unusual and impossible user activity between two locations. The activity should be unusual enough to be considered an indicator of compromise and worthy of an alert. To make this work, the detection logic includes different levels of suppression to address scenarios that can trigger false positive, such as VPN activities, or activity from cloud providers that don't indicate a physical location. The [sensitivity slider](#tune-anomaly-detection-policies) allows you to affect the algorithm and define how strict the detection logic is. The higher the sensitivity level, fewer activities will be suppressed as part of the detection logic. In this way, you can adapt the detection according to your coverage needs and your SNR targets.
@@ -109,6 +108,7 @@ The detection looks for users whose accounts were deleted in Microsoft Entra ID,
109
108
110
109
> [!NOTE]
111
110
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Successful logon from a suspicious IP address**.
111
+
>
112
112
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
113
113
114
114
This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
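Review bot: The added bare `>` line (new line 111) between the "disabled and renamed" sentence and "> If you previously configured governance actions..." is the correct fix: without it Markdown folds the two quoted lines into a single paragraph inside the NOTE alert, so the re-enable instructions read as a continuation of the rename sentence. The same separator is added at new lines 120 and 140 in the later hunks; it is worth checking that every other disabled-policy note in the file has it too.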
@@ -117,6 +117,7 @@ This detection identifies that users were active from an IP address identified a
117
117
118
118
> [!NOTE]
119
119
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious email forwarding rule created by third-party app**.
120
+
>
120
121
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
121
122
122
123
This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
@@ -127,7 +128,7 @@ This detection looks for suspicious email forwarding rules, for example, if a us
127
128
### Suspicious inbox manipulation rules
128
129
129
130
> [!NOTE]
130
-
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious inbox manipulation rule**.
131
+
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled.
131
132
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
132
133
133
134
This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This may indicate that the user's account is compromised, that messages are being intentionally hidden, and that the mailbox is being used to distribute spam or malware in your organization.
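Review bot: The rewritten note line (new line 131, "this policy has been disabled.") is still followed directly by "> If you previously configured governance actions..." with no bare `>` separator, unlike the other three notes touched in this change (new lines 111, 120 and 140), so here the two sentences will render as one paragraph; add a `>` line after new line 131 for consistency. Separately, the old text said the policy was "disabled and renamed to **Suspicious inbox manipulation rule**" and the new text drops the rename while the `### Suspicious inbox manipulation rules` heading is kept; please confirm the rename was intentionally withdrawn rather than accidentally dropped.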
@@ -136,6 +137,7 @@ This detection profiles your environment and triggers alerts when suspicious rul
136
137
137
138
> [!NOTE]
138
139
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious email deletion activity**.
140
+
>
139
141
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.