You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/investigate-anomaly-alerts.md
+27Lines changed: 27 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,6 +11,17 @@ ms.topic: how-to
11
11
12
12
Microsoft Defender for Cloud Apps provides security detections and alerts for malicious activities. The purpose of this guide is to provide you with general and practical information on each alert, to help with your investigation and remediation tasks. Included in this guide is general information about the conditions for triggering alerts. However, it's important to note that since anomaly detections are nondeterministic by nature, they're only triggered when there's behavior that deviates from the norm. Finally, some alerts might be in preview, so regularly review the official documentation for updated alert status.
13
13
14
+
> [!IMPORTANT]
15
+
> Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
16
+
>
17
+
> - Activity from suspicious IP addresses
18
+
> - Suspicious inbox manipulation rules
19
+
> - Suspicious email deletion activity
20
+
> - Activity from anonymous IP addresses
21
+
> - Suspicious inbox forwarding
22
+
>
23
+
> You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
24
+
14
25
## MITRE ATT\&CK
15
26
16
27
To explain and make it easier to map the relationship between Defender for Cloud Apps alerts and the familiar MITRE ATT\&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT\&CK tactic. This extra reference makes it easier to understand the suspected attacks technique potentially in use when a Defender for Cloud Apps alert is triggered.
@@ -52,6 +63,9 @@ This section describes alerts indicating that a malicious actor might be attempt
52
63
53
64
### Activity from anonymous IP address
54
65
66
+
> [!NOTE]
67
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Activity from a TOR IP address** and **Anonymous proxy activity**.
68
+
55
69
**Description**
56
70
57
71
Activity from an IP address that has been identified as an anonymous proxy IP address by Microsoft Threat Intelligence or by your organization. These proxies can be used to hide a device's IP address and might be used for malicious activities.
@@ -101,6 +115,9 @@ Detecting anomalous locations requires an initial learning period of seven days
101
115
102
116
### Activity from suspicious IP addresses
103
117
118
+
> [!NOTE]
119
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Successful logon from a suspicious IP address**.
120
+
104
121
Activity from an IP address that has been identified as risky by Microsoft Threat Intelligence or by your organization. These IP addresses were identified as being involved in malicious activities, such as performing password spray, botnet command and control (C&C), and might indicate a compromised account.
105
122
106
123
**TP**, **B-TP**, or **FP**?
@@ -317,6 +334,9 @@ Activities in a single session indicating that, a user performed suspicious chan
317
334
318
335
### Suspicious email deletion activity (by user)
319
336
337
+
> [!NOTE]
338
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email deletion activity**.
339
+
320
340
Activities in a single session indicating that, a user performed suspicious email deletions. The deletion type was the "hard delete" type, which makes the email item deleted and not available in the user's mailbox. The deletion was made from a connection that includes uncommon preferences such as ISP, country/region, and user agent. This can indicate an attempted breach of your organization, such as attackers attempting to mask operations by deleting emails related to spam activities.
321
341
322
342
**TP**, **B-TP**, or **FP**?
@@ -340,6 +360,10 @@ Activities in a single session indicating that, a user performed suspicious emai
340
360
341
361
### Suspicious inbox manipulation rule
342
362
363
+
> [!NOTE]
364
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model.
365
+
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
366
+
343
367
Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as deleting or moving messages, or folders, from a user's inbox might be an attempt to exfiltrate information from your organization. Similarly, they can indicate an attempt to manipulate information that a user sees or to use their inbox to distribute spam, phishing emails, or malware. Defender for Cloud Apps profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This might indicate that the user's account is compromised.
344
368
345
369
**TP**, **B-TP**, or **FP**?
@@ -538,6 +562,9 @@ This section describes alerts indicating that a malicious actor might be attempt
538
562
539
563
### Suspicious inbox forwarding
540
564
565
+
> [!NOTE]
566
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email forwarding rule created by third-party app**.
567
+
541
568
Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as forward all or specific emails to another email account might be an attempt to exfiltrate information from your organization. Defender for Cloud Apps profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This might indicate that the user's account is compromised.
0 commit comments