Merge pull request #2078 from gayasalomon/docs-editor/app-governance-anomaly-detecti-1733219420

aditisrivastava07 · web-flow · commit 7d816afc7fd3 · 2024-12-03T17:07:15.000+05:30
Update app-governance-anomaly-detection-alerts.md
diff --git a/CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md b/CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md
@@ -20,6 +20,31 @@ For more information, see [App governance in Microsoft Defender for Cloud Apps](
 > - [Access Microsoft Graph activity logs](/graph/microsoft-graph-activity-logs-overview)
 > - [Analyze activity logs using Log Analytics](/entra/identity/monitoring-health/howto-analyze-activity-logs-log-analytics)
 > 
+## General investigation steps
+
+### Finding App Governance Related Alerts
+
+To locate alerts specifically related to App Governance, navigate to the XDR portal Alerts page. In the alerts list, use the "Service/detection sources" field to filter alerts. Set the value of this field to "App Governance" to view all alerts generated by App Governance.
+
+### General Guidelines
+
+Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
+
+- Review the app severity level and compare with the rest of the apps in your tenant. This review helps you identify which Apps in your tenant pose the greater risk.
+- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
+
+  - Scopes granted access
+  - Unusual behavior  
+  - IP address and location
+    
+## Security alert classifications
+
+Following proper investigation, all app governance alerts can be classified as one of the following activity types:
+
+- **True positive (TP)**: An alert on a confirmed malicious activity.
+- **Benign true positive (B-TP)**: An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
+- **False positive (FP)**: An alert on a non-malicious activity.
+
 ## MITRE ATT&CK
 
 To make it easier to map the relationship between app governance alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This extra reference makes it easier to understand the suspected attacks technique potentially in use when app governance alert is triggered.
@@ -38,25 +63,6 @@ This guide provides information about investigating and remediating app governan
 - [Exfiltration](#exfiltration-alerts)
 - [Impact](#impact-alerts)
 
-## Security alert classifications
-
-Following proper investigation, all app governance alerts can be classified as one of the following activity types:
-
-- **True positive (TP)**: An alert on a confirmed malicious activity.
-- **Benign true positive (B-TP)**: An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
-- **False positive (FP)**: An alert on a nonmalicious activity.
-
-## General investigation steps
-
-Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
-
-- Review the app severity level and compare with the rest of the apps in your tenant. This review helps you identify which Apps in your tenant pose the greater risk.
-- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
-
-  - Scopes granted access
-  - Unusual behavior  
-  - IP address and location
-
 ## Initial access alerts
 
 This section describes alerts indicating that a malicious app may be attempting to maintain their foothold in your organization.  
