Merge pull request #5182 from MicrosoftDocs/main

[AutoPublish] main to live - 09/30 13:30 PDT | 10/01 02:00 IST

Author: m365-skilling-repo-management[bot]

defender-for-cloud-apps/app-governance-anomaly-detection-alerts.md

@@ -1,6 +1,6 @@
 ---
 title: Investigate app governance threat detection alerts | Microsoft Defender for Cloud Apps
-ms.date: 08/18/2025
+ms.date: 09/18/2025
 ms.topic: how-to
 ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
 description: Learn how to investigate threat detection alerts from app governance in Microsoft Defender XDR with Microsoft Defender for Cloud Apps.
@@ -1182,6 +1182,109 @@ This detection generates alerts for a multitenant cloud app that has been inacti
 1. Review all activities performed by the app.
 1. Review the scopes granted to the app.
 1. Review the user activity associated with the app.
+
+### Suspicious application actions potentially linked to a business email compromise (BEC) attempt
+
+**Severity**: Medium
+
+**MITRE IDs**: T1567, T1114
+
+**MITRE Techniques**: Collection, Exfiltration
+
+This alert identifies applications that exhibit strong similarity to known malicious apps involved in business email compromise related attempts. The similarity is determined by using a machine learning model that analyzes a wide range of application features such as metadata, publisher details, and activity patterns. Apps triggering this alert may have high-privilege mail permissions and could be sending spam or malicious emails to other recipients. This alert is based on global intelligence, so please validate if the behavior applies to your tenant as well.
+
+**TP or FP?**
+
+- **TP**: If you’re able to confirm that the consent request to the app was delivered from an unknown or external source and the app doesn't have a legitimate business use in the organization, then a true positive is indicated.
+
+  **Recommended action**:
+  - Contact users and admins who have granted consent to this app to confirm this was intentional and the excessive privileges are normal.
+  - Investigate app activity and check affected accounts for suspicious activity.
+  - Based on your investigation, disable the app and suspend and reset passwords for all affected accounts.
+  - Classify the alert as a true positive.
+
+- **FP**: If after investigation, you can confirm that the app has a legitimate business use in the organization, then a false positive is indicated.
+
+  **Recommended action**:
+  - Classify the alert as a false positive and consider sharing feedback based on your investigation of the alert.
+
+**Understand the scope of the breach**
+
+- Review consent grants to the application made by users and admins.
+- Investigate all activities done by the app, especially access to mailbox of associated users and admin accounts.
+- If you suspect that the app is suspicious, consider disabling the application and rotating credentials of all affected accounts.
+
+### Suspicious application with business email compromise (BEC) like characteristics and mail collection activity
+
+**Severity**: Medium
+
+**MITRE ID’s**: T1567, T1114
+
+**MITRE Techniques**: Collection, Exfiltration
+
+This alert detects applications that exhibit similarity to known malicious apps linked to business email compromise attempts. The similarity is determined by using a machine learning model that evaluates various features of the app, including metadata, publisher information, and activity patterns. Along with this similarity, the app has also carried out mail-related activities within the tenant. Apps that trigger this alert may have elevated mail related permissions and might be sending spam or harmful emails to other users. This alert is based on global intelligence, so please validate if the behavior applies to your tenant as well.
+
+**TP or FP?**
+
+- **TP**: If you’re able to confirm that the consent request to the app was delivered from an unknown or external source and the app doesn't have a legitimate business use in the organization, then a true positive is indicated.
+
+  **Recommended action**: Contact users and admins who have granted consent to this app to confirm this was intentional and the excessive privileges are normal. Investigate app activity and check affected accounts for suspicious activity. Based on your investigation, disable the app and suspend and reset passwords for all affected accounts. Classify the alert as a true positive.
+
+- **FP**: If after investigation, you can confirm that the app has a legitimate business use in the organization, then a false positive is indicated.
+
+  **Recommended action**: Classify the alert as a false positive and consider sharing feedback based on your investigation of the alert.
+
+**Understand the scope of the breach**
+
+Review consent grants to the application made by users and admins. Investigate all activities done by the app, especially access to mailbox of associated users and admin accounts. If you suspect that the app is suspicious, consider disabling the application and rotating credentials of all affected accounts.
+
+---
+
+### Suspicious application actions potentially linked to E5 subscription abuse attempt
+
+**Severity**: Medium
+
+**MITRE Techniques**: Collection
+
+This alert detects applications that exhibit strong similarity to known apps linked to E5 subscription abuse attempts. The similarity is determined by using a machine learning model that evaluates various features of the app, including metadata, publisher information, and activity patterns. Apps that trigger this alert may have elevated permissions and might be involved in abuse activities across Exchange and OneDrive workloads. This alert is based on global intelligence, so please validate if the behavior applies to your tenant as well.
+
+**TP or FP?**
+
+- **TP**: If you’re able to confirm that the consent and sign-in request to the app was delivered from an unknown or external source and the app doesn't have a legitimate business use in the organization, then a true positive is indicated.
+
+  **Recommended action**: Contact users and admins who have granted consent to this app to confirm this was intentional and the excessive privileges are normal. Investigate app activity and check affected accounts for suspicious activity. Based on your investigation, disable the app and suspend and reset passwords for all affected accounts. Classify the alert as a true positive.
+
+- **FP**: If after investigation, you can confirm that the app has a legitimate business use in the organization, then a false positive is indicated.
+
+  **Recommended action**: Classify the alert as a false positive and consider sharing feedback based on your investigation of the alert.
+
+**Understand the scope of the breach**
+
+Review consent grants to the application made by users and admins. Investigate all activities done by the app, especially access to mailbox and OneDrive of associated users and admin accounts. If you suspect that the app is suspicious, consider disabling the application and rotating credentials of all affected accounts.
+
+---
+
+### Suspicious application with E5 abuse similarity and mailbox rules activity
+
+**Severity**: Medium
+
+**MITRE Techniques**: Collection
+
+This alert detects applications that exhibit strong similarity to known apps linked to E5 subscription abuse attempts. The similarity is determined by using a machine learning model that evaluates various features of the app, including metadata, publisher information, and activity patterns. Along with this similarity, the app has also carried out mailbox rules related activities within the tenant. Apps that trigger this alert may have elevated permissions and might be involved in abuse activities across Exchange and OneDrive workloads. This alert is based on global intelligence, so please validate if the behavior applies to your tenant as well.
+
+**TP or FP?**
+
+- **TP**: If you’re able to confirm that the consent and sign-in request to the app was delivered from an unknown or external source, the mailbox rule creation is not legitimate, and the app does not have a valid business use in the organization, then a true positive is indicated.
+
+  **Recommended action**: Contact users and admins who have granted consent to this app to confirm this was intentional and the excessive privileges are normal. Investigate the app’s activity, mailbox rule creation, and review affected accounts for any suspicious behavior. Based on your investigation, disable the app and suspend and reset passwords for all affected accounts. Classify the alert as a true positive.
+
+- **FP**: If after investigation, you can confirm that the app has a legitimate business use in the organization, then a false positive is indicated.
+
+  **Recommended action**: Classify the alert as a false positive and consider sharing feedback based on your investigation of the alert.
+
+**Understand the scope of the breach**
+
+Review consent grants to the application made by users and admins. Investigate all activities done by the app, especially access to mailbox and OneDrive of associated users and admin accounts. If you suspect that the app is suspicious, consider disabling the application and rotating credentials of all affected accounts.
 
 ## Impact alerts
 

defender-for-identity/deploy/media/prerequisites-sensor-version-3/new-rule.png

@@ -33,7 +33,7 @@ For more information, see [Licensing and privacy FAQs](/defender-for-identity/te
 - To create your Defender for Identity workspace, you need a Microsoft Entra ID tenant.
 - You must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following [Unified RBAC](../role-groups.md#unified-role-based-access-control-rbac) permissions:
     - `System settings (Read and manage)`
-    - `Security setting (All permissions)`
+    - `Security settings (All permissions)`
 
 ## Sensor requirements and recommendations
 
@@ -62,14 +62,18 @@ The following table describes memory requirements on the server used for the Def
 
 > [!IMPORTANT]
 > When running as a virtual machine, all memory must be allocated to the virtual machine at all times.
-## Configure Unified Sensor to support advanced identity detections
+
+## Configure Unified Sensor to support advanced identity detections (Preview)
 
 Applying the **Unified Sensor RPC Audit** tag enables a new, tested capability on the machine, improving security visibility and unlocking additional identity detections. Once applied, the configuration is enforced on **existing and future devices** that match the rule criteria. The tag itself is visible in the Device Inventory, providing admins with transparency and auditing capabilities.
 
 **Steps to apply the configuration:**
 
 1. In the **Microsoft Defender portal**, navigate to: **System > Settings > Microsoft Defender XDR > Asset Rule Management**.
-2. Create a new rule.
+1. Create a new rule.  
+
+ ![Screenshot that shows how to add a new rule.](media/prerequisites-sensor-version-3/new-rule.png)
+
 3. In the side panel:
 
    1. Select a **name** for the rule.
@@ -80,9 +84,11 @@ Applying the **Unified Sensor RPC Audit** tag enables a new, tested capability o
 
    1. Matching should primarily target **domain controllers** with the V3.x sensor installed.
 
-1. **Add the tag** `Unified Sensor RPC Audit` to the selected devices.  
+1. **Add the tag** `Unified Sensor RPC Audit` to the selected devices.    
+
+ ![Screenshot that shows the config tag.](media/prerequisites-sensor-version-3/tag.png)
 
-1. Click **Submit** to save the rule.
+5. Click **Submit** to save the rule.
 
    Offboarding a device from this configuration can be done by **deleting the asset rule** or **modifying the rule conditions** so the device no longer matches.