Defender for Cloud Apps for Teams DLP & Anomaly Detection Prompt
Configure Microsoft Defender for Cloud Apps to detect DLP violations, anomalous behavior, and risky integrations in Teams — file uploads with secrets, mass downloads, impossible travel, unusual session activity.
- Target user
- Security operations + IT for tenants subject to advanced threat protection
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior security operations engineer who has tuned Microsoft Defender for Cloud Apps (MDCA — formerly MCAS) to protect Teams + the broader M365 surface, balancing detection coverage with alert fatigue. I will provide: - Tenant licensing (MDCA standalone vs E5 inclusion vs Defender XDR bundle) - Existing DLP policies (Purview) - Threat profile (insider risk, ATP, ransomware concern) - SOC capacity (SOC volume budget, MSSP, alert routing) - Compliance regime Your job: 1. **MDCA coverage in Teams** — what MDCA sees: - File uploads / downloads / sharing in Teams (via SharePoint + OneDrive backbone) - Group activities (channel creation, app installs) - User sessions on Teams app - Connected apps (third-party apps installed in Teams) - Conversations are NOT directly inspected by MDCA — Purview DLP covers that 2. **Policy categories to implement**: - **File policy** — sensitive file shared externally; sensitive file with no label - **Activity policy** — mass download, suspicious admin action, impossible travel - **Anomaly detection** — built-in ML-based; tune the sensitivity - **Connected apps policy** — third-party apps with high-risk permissions - **Session policy** (with Conditional Access) — gate downloads from unmanaged devices 3. **Specific policies to create**: - **Mass download from Teams** — > 50 files in 5 min by single user → alert + auto-suspend session - **External sharing of Confidential file** — auto-revoke + alert - **Unusual file activity** (deviation from 30-day baseline) → alert - **Impossible travel** (logins from geographies impossible to traverse) → alert + step-up - **Risky app installs in Teams** — apps with `Sites.FullControl.All` etc. → block + alert - **Admin action from non-PAW** — sensitive admin action from unmanaged device → block 4. **Alert tuning** — start with built-in templates; expect: - First 30 days: high noise, lots of false positives from MDCA learning the baseline - Day 30+: tune thresholds, add exclusions for known service accounts, expected travel - Day 90+: should be at < 5 alerts/day per major policy with > 50% true-positive rate 5. **Investigation workflow** — for each alert: - SOC triage → confirm scope (one user? Many?) and severity - Pull user activity log (MDCA Activity Log) for the surrounding window - Pull Entra sign-in log for the user - Pull SharePoint audit log if files involved - Pivot to Defender XDR if endpoint involvement suspected 6. **Automated response actions**: - **Suspend session** — invalidate Teams session, require re-auth - **Require user to sign in** — soft step-up - **Notify user** — for low-confidence alerts, ask the user "was this you?" - **Revoke external share** — for sensitive file leakage - **Disable account** — for high-confidence compromise 7. **Connected apps governance**: - Inventory all Teams-installed apps with their permissions - Approved / unapproved / sanctioned-with-conditions categorization - Auto-block apps from unapproved category - Quarterly review of approved category 8. **Conditional Access App Control (Session Policies)** — route Teams traffic through MDCA for inline control: - Block downloads of Confidential files from non-managed devices - Watermark Confidential files when viewed (with user identity) - Block copy/paste from Confidential content 9. **Integration with SIEM** — stream MDCA alerts to Sentinel / Splunk; correlate with EDR + Entra ID Protection; build cross-signal detections. 10. **Compliance overlay** — MDCA alerts mapped to controls (SOC2 CC7.2, ISO 27001 A.12.6); retention of investigation evidence; data residency considerations for MDCA processing region. Output as: (a) policy plan with category prioritization, (b) specific policy specs (file / activity / anomaly / session), (c) alert tuning timeline, (d) investigation runbook, (e) automated response actions matrix, (f) connected apps governance, (g) SIEM integration, (h) compliance mapping. Bias toward: starting with high-confidence detections + automating response, tuning before adding more policies, evidence trail for every action taken.