Overview

SCU Cost Estimate

This agent typically consumes 0.1 – 0.8 SCUs per analysis run, depending on the number of domains discovered, enrichment depth, and lookback window. Larger tenants with extensive SaaS usage or deep threat intelligence correlation may consume more SCUs.

Introduction

Cloud App Activity Profiler helps organizations take control of their SaaS footprint by automatically discovering, profiling, and assessing risk from new or high-volume cloud applications observed in Microsoft Defender for Cloud Apps activity data.

The agent correlates activity telemetry, alert evidence, and threat intelligence to create a unified, evidence-based domain risk assessment. Each discovered domain receives a governance recommendation (ALLOW, MONITOR, or BLOCK) along with a short, repeatable operational playbook, so decisions are made consistently across your security team.


What It Does

  • Automatically discovers newly observed and high-volume SaaS domains

  • Correlates activity and alert data to surface risky or suspicious domains

  • Enriches findings with threat intelligence indicators and reputation flags

  • Calculates composite domain risk scores and assigns governance actions

  • Generates a structured operational playbook for week-to-week consistency

  • Identifies enrichment and telemetry coverage gaps for improvement


Use Cases

1. Detecting Shadow IT and Unsanctioned SaaS

New domains can appear in your environment without formal review or policy coverage. The agent continuously scans Cloud App activity to discover emerging SaaS services and flags them for governance evaluation, helping you identify Shadow IT before it becomes a security concern.

2. Correlating Exfiltration and Upload Bursts

Large or bursty uploads to an unfamiliar domain are a common exfiltration indicator, but on their own they are also routine (backups, migrations, media sharing). The agent correlates high-volume uploads with associated alerts and domain reputation so that analysts see the upload in context rather than as an isolated volume spike.

3. Prioritizing Governance Actions

Instead of generic lists of discovered apps, the agent provides clear, actionable recommendations. Domains are categorized into ALLOW, MONITOR, or BLOCK, supported by transparent reasoning and supporting evidence.

4. Streamlining Weekly Governance Reviews

Security and compliance teams often spend hours reviewing new SaaS activity. The agent compiles a concise weekly playbook that summarizes new discoveries, risk levels, and recommended actions, reducing review time while improving consistency.

5. Improving Threat Visibility and Telemetry Coverage

By highlighting missing enrichment data or unmonitored sources, the agent provides concrete guidance on how to strengthen visibility across Cloud App events, alerts, and threat intelligence.


Why Cloud App Activity Profiler?

Challenges It Solves

  • Shadow or unsanctioned SaaS domains appear without review or policy enforcement

  • Large uploads lack cross-source correlation and context

  • Threat intelligence coverage gaps obscure domain risk

  • Manual triage across telemetry sources is slow and inconsistent

  • Fragmented data prevents timely governance decisions

Benefits You Get

  • Continuous discovery and classification of new SaaS domains

  • Consolidated intelligence combining activity, alerts, and threat data

  • Clear governance recommendations (ALLOW / MONITOR / BLOCK) with justification

  • Transparent enrichment gap analysis to guide telemetry improvements

  • Consistent weekly operational playbook that standardizes decision processes


How It Works

What Goes In

  • Cloud App activity logs (domain discovery, upload volume, exfiltration heuristics)

  • Security alerts and alert evidence with related tactics and indicators

  • Threat intelligence indicators for domain reputation and categorization

  • (Optional) Directory and user data for normalization and user activity counts

What It Does

  • Discovers new and high-volume SaaS domains from Cloud App activity

  • Correlates domain data with alerts and threat intelligence signals

  • Computes composite domain risk scores and classifies them into risk bands (Green, Yellow, Red)

  • Generates governance recommendations for ALLOW, MONITOR, or BLOCK decisions

  • Compiles a 7-day operational playbook for continuous governance tracking

What You Get

  • Executive summary highlighting key trends and discoveries

  • Prioritized domain list with risk bands (Green, Yellow, Red)

  • Evidence-based governance actions with reasoning and context

  • Enrichment gap summary to improve telemetry visibility

  • Short operational playbook with recommended next steps and review cadence
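To make the pipeline above concrete (discover domains in a lookback window, correlate alerts and threat intelligence, score, band as Green/Yellow/Red, map to ALLOW/MONITOR/BLOCK, and report enrichment gaps), here is an added illustrative script. It is not the agent's own code and not the product's scoring model: the weights, thresholds, band cut-offs, record field names, and all sample activity, alert and threat-intelligence records are constructed assumptions for the example. It also covers the shadow-IT discovery and upload-burst correlation use cases described earlier.

```python
"""Toy SaaS domain risk profiler (illustrative, not the agent's scoring model)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real tenant data; field
# layout is an assumption, not the Defender for Cloud Apps schema).
# ACTIVITY tuples: (domain, user, upload_bytes, ISO timestamp)
ACTIVITY = [
    ("contoso-crm.example", "alice", 2_000_000, "2024-05-06T09:12:00"),
    ("contoso-crm.example", "bob", 1_500_000, "2024-05-07T10:01:00"),
    ("newshare.example", "carol", 3_200_000_000, "2024-05-07T23:40:00"),
    ("newshare.example", "carol", 900_000_000, "2024-05-08T00:05:00"),
    ("devtools.example", "erin", 210_000_000, "2024-05-05T14:30:00"),
    ("pastebucket.example", "dave", 12_000_000, "2024-05-08T02:14:00"),
    ("oldvendor.example", "frank", 5_000_000_000, "2024-04-20T08:00:00"),  # outside window
]
# ALERTS tuples: (domain, alert title, tactic)
ALERTS = [("newshare.example", "Mass upload to unsanctioned app", "Exfiltration")]
# domain -> (reputation, category); a domain absent here is an enrichment gap
THREAT_INTEL = {
    "contoso-crm.example": ("clean", "CRM"),
    "pastebucket.example": ("malicious", "Paste site"),
}
SANCTIONED = {"contoso-crm.example"}  # domains already reviewed by governance

# Assumed weights, thresholds and band cut-offs (tunable; chosen for illustration)
W_NEW, W_HIGH_VOL, W_MED_VOL, W_ALERT, W_ALERT_CAP = 20, 30, 15, 25, 50
W_REPUTATION = {"malicious": 40, "suspicious": 20, "clean": 0}
HIGH_VOL_BYTES, MED_VOL_BYTES = 1 << 30, 100 * 1_000_000  # 1 GiB, 100 MB
RED_MIN, YELLOW_MIN = 60, 30


def in_window(ts, now, lookback_days):
    """True if the ISO timestamp falls inside the lookback window ending at now."""
    return now - timedelta(days=lookback_days) <= datetime.fromisoformat(ts) <= now


def aggregate_activity(activity, now, lookback_days=7):
    """Per-domain upload volume and distinct users within the lookback window."""
    agg = defaultdict(lambda: {"upload_bytes": 0, "users": set()})
    for domain, user, upload_bytes, ts in activity:
        if in_window(ts, now, lookback_days):
            agg[domain]["upload_bytes"] += upload_bytes
            agg[domain]["users"].add(user)
    return agg


def score_domain(domain, stats, alerts, threat_intel, sanctioned):
    """Composite score plus human-readable reasons and enrichment gaps."""
    score, reasons, gaps = 0, [], []
    if domain not in sanctioned:
        score += W_NEW
        reasons.append("newly observed, not sanctioned")
    vol = stats["upload_bytes"]
    if vol >= HIGH_VOL_BYTES:
        score += W_HIGH_VOL
        reasons.append(f"high upload volume {vol / 1e9:.1f} GB")
    elif vol >= MED_VOL_BYTES:
        score += W_MED_VOL
        reasons.append(f"elevated upload volume {vol / 1e6:.0f} MB")
    domain_alerts = [a for a in alerts if a[0] == domain]
    if domain_alerts:
        score += min(W_ALERT * len(domain_alerts), W_ALERT_CAP)
        reasons.append("alerts: " + "; ".join(f"{t} ({tac})" for _, t, tac in domain_alerts))
    if domain in threat_intel:
        rep, cat = threat_intel[domain]
        score += W_REPUTATION.get(rep, 0)
        reasons.append(f"TI reputation {rep} ({cat})")
    else:
        gaps.append("no threat intelligence record")  # surfaced, not silently scored 0
    return score, reasons, gaps


def band(score):
    """Map a composite score to a risk band and governance action."""
    if score >= RED_MIN:
        return "Red", "BLOCK"
    if score >= YELLOW_MIN:
        return "Yellow", "MONITOR"
    return "Green", "ALLOW"


def profile(activity, alerts, threat_intel, sanctioned, now, lookback_days=7):
    """Prioritized domain list, highest risk first."""
    results = []
    for domain, stats in aggregate_activity(activity, now, lookback_days).items():
        score, reasons, gaps = score_domain(domain, stats, alerts, threat_intel, sanctioned)
        colour, action = band(score)
        results.append({"domain": domain, "score": score, "band": colour, "action": action,
                        "users": len(stats["users"]), "reasons": reasons, "gaps": gaps})
    return sorted(results, key=lambda r: r["score"], reverse=True)


def run_example():
    """Profile the constructed sample with a fixed 'now' so results are reproducible."""
    now = datetime.fromisoformat("2024-05-08T12:00:00")
    return profile(ACTIVITY, ALERTS, THREAT_INTEL, SANCTIONED, now)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['band']:6} {r['action']:7} {r['score']:3} {r['domain']} "
              f"users={r['users']} reasons={r['reasons']} gaps={r['gaps']}")
```

Two design points worth keeping in any real implementation: a missing threat-intelligence record is reported as a gap instead of being treated as a clean verdict, and the out-of-window record (oldvendor.example) is dropped before scoring, so the playbook reflects only the review period.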
