# Overview

> **SCU Cost Estimate**\
> This agent typically consumes **0.1 – 0.8 SCUs per analysis run**, depending on the number of domains discovered, enrichment depth, and lookback window. Larger tenants with extensive SaaS usage or deep threat intelligence correlation may consume more SCUs.

### Introduction

**Cloud App Activity Profiler** helps organizations take control of their SaaS footprint by automatically discovering, profiling, and assessing risk from new or high-volume cloud applications observed in Microsoft Defender for Cloud Apps activity data.

The agent correlates activity telemetry, alert evidence, and threat intelligence to create a unified, evidence-based domain risk assessment. Each discovered domain receives a governance recommendation (**ALLOW**, **MONITOR**, or **BLOCK**) along with a short, repeatable operational playbook for consistent decision-making across your security team.

<figure><img src="/files/TVAH0uOLjGXT8qn3NHie" alt=""><figcaption></figcaption></figure>

<div><figure><img src="/files/P7qCtqgUX0pwSpTInTNn" alt=""><figcaption></figcaption></figure> <figure><img src="/files/Qo8C8LfPdtJ2V7pMPzjY" alt=""><figcaption></figcaption></figure> <figure><img src="/files/nxqI4v2BiKiJrLd0YoWZ" alt=""><figcaption></figcaption></figure></div>

***

### What It Does

* Automatically discovers newly observed and high-volume SaaS domains
* Correlates activity and alert data to surface risky or suspicious domains
* Enriches findings with threat intelligence indicators and reputation flags
* Calculates composite domain risk scores and assigns governance actions
* Generates a structured operational playbook for week-to-week consistency
* Identifies enrichment and telemetry coverage gaps for improvement

***

### Use Cases

#### 1. **Detecting Shadow IT and Unsanctioned SaaS**

New domains can appear in your environment without formal review or policy coverage. The agent continuously scans Cloud App activity to discover emerging SaaS services and flags them for governance evaluation, helping you identify Shadow IT before it becomes a security concern.

#### 2. **Correlating Exfiltration and Upload Bursts**

Large data uploads often indicate potential exfiltration attempts. The agent automatically correlates high-volume uploads with associated alerts and domain reputations, giving analysts a complete picture of the risk in context.

#### 3. **Prioritizing Governance Actions**

Instead of generic lists of discovered apps, the agent provides clear, actionable recommendations. Domains are categorized into ALLOW, MONITOR, or BLOCK, supported by transparent reasoning and supporting evidence.

#### 4. **Streamlining Weekly Governance Reviews**

Security and compliance teams often spend hours reviewing new SaaS activity. The agent compiles a concise weekly playbook that summarizes new discoveries, risk levels, and recommended actions, reducing review time while improving consistency.

#### 5. **Improving Threat Visibility and Telemetry Coverage**

By highlighting missing enrichment data or unmonitored sources, the agent provides concrete guidance on how to strengthen visibility across Cloud App events, alerts, and threat intelligence.

***

### Why Cloud App Activity Profiler?

#### Challenges It Solves

* Shadow or unsanctioned SaaS domains appear without review or policy enforcement
* Large uploads lack cross-source correlation and context
* Threat intelligence coverage gaps obscure domain risk
* Manual triage across telemetry sources is slow and inconsistent
* Fragmented data prevents timely governance decisions

#### Benefits You Get

* Continuous discovery and classification of new SaaS domains
* Consolidated intelligence combining activity, alerts, and threat data
* Clear governance recommendations (ALLOW / MONITOR / BLOCK) with justification
* Transparent enrichment gap analysis to guide telemetry improvements
* Consistent weekly operational playbook that standardizes decision processes

***

### How It Works

#### What Goes In

* Cloud App activity logs (domain discovery, upload volume, exfiltration heuristics)
* Security alerts and alert evidence with related tactics and indicators
* Threat intelligence indicators for domain reputation and categorization
* (Optional) Directory and user data for normalization and user activity counts

#### What It Does

* Discovers new and high-volume SaaS domains from Cloud App activity
* Correlates domain data with alerts and threat intelligence signals
* Computes composite domain risk scores and classifies them into risk bands (Green, Yellow, Red)
* Generates governance recommendations for ALLOW, MONITOR, or BLOCK decisions
* Compiles a 7-day operational playbook for continuous governance tracking

#### What You Get

* Executive summary highlighting key trends and discoveries
* Prioritized domain list with risk bands (Green, Yellow, Red)
* Evidence-based governance actions with reasoning and context
* Enrichment gap summary to improve telemetry visibility
* Short operational playbook with recommended next steps and review cadence
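As an added illustration (not the agent's own scoring logic, which this page does not disclose), the following Python sketches the pipeline described above: a composite score built from activity, alert, and threat-intelligence evidence, Green/Yellow/Red risk bands, ALLOW/MONITOR/BLOCK actions, and an enrichment-gap summary. The weights, thresholds, field names, and sample domains are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class DomainEvidence:
    domain: str
    upload_bytes: int             # total uploads in the lookback window (activity logs)
    first_seen_days_ago: int      # age of the first observation of this domain
    alert_count: int              # related alerts carrying evidence for this domain
    ti_malicious: Optional[bool]  # threat intel verdict; None = no enrichment available

NEW_DOMAIN, HIGH_UPLOAD, MED_UPLOAD, PER_ALERT, TI_HIT = 20, 30, 15, 15, 40  # assumed weights
ACTION_FOR_BAND = {"Red": "BLOCK", "Yellow": "MONITOR", "Green": "ALLOW"}

def score_domain(ev: DomainEvidence, lookback_days: int = 7) -> dict:
    """Fold activity, alert and TI evidence into one composite score and action."""
    score, reasons, gaps = 0, [], []
    if ev.first_seen_days_ago <= lookback_days:
        score += NEW_DOMAIN
        reasons.append("newly observed within lookback window")
    if ev.upload_bytes >= 1_000_000_000:
        score += HIGH_UPLOAD
        reasons.append("upload volume >= 1 GB")
    elif ev.upload_bytes >= 100_000_000:
        score += MED_UPLOAD
        reasons.append("upload volume >= 100 MB")
    if ev.alert_count:
        score += PER_ALERT * min(ev.alert_count, 3)  # cap so alert storms do not dominate
        reasons.append(f"{ev.alert_count} related alert(s)")
    if ev.ti_malicious is None:
        gaps.append("threat intelligence")  # recorded as a coverage gap, not as evidence
    elif ev.ti_malicious:
        score += TI_HIT
        reasons.append("threat intelligence flags domain as malicious")
    band = "Red" if score >= 60 else "Yellow" if score >= 30 else "Green"  # assumed cut-offs
    return {"domain": ev.domain, "score": score, "band": band,
            "action": ACTION_FOR_BAND[band], "reasons": reasons, "gaps": gaps}

def build_playbook(evidence: list) -> dict:
    """Prioritised domain list (highest risk first) plus an enrichment-gap summary."""
    assessed = sorted((score_domain(e) for e in evidence), key=lambda a: -a["score"])
    gaps = Counter(g for a in assessed for g in a["gaps"])
    return {"domains": assessed, "enrichment_gaps": dict(gaps)}

# Constructed sample evidence, not real telemetry.
SAMPLE = [DomainEvidence("files-share.example", 2_500_000_000, 2, 1, True),
          DomainEvidence("notes-app.example", 150_000_000, 1, 0, None),
          DomainEvidence("crm.example", 5_000_000, 400, 0, False)]
```

Calling `build_playbook(SAMPLE)` ranks the sample domains BLOCK, MONITOR, ALLOW and reports one domain lacking threat-intelligence enrichment, which is the kind of coverage gap the weekly playbook is meant to surface.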


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/cloud-app-activity-profiler/overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
