Query Details

Microsoft Defender Cloud App Discovery → Microsoft Sentinel

Microsoft Defender Cloud App Discovery To Microsoft Log Analytics Table

Query

CloudAppRiskCatalog_CL
| getschema

About this query

Explanation

This guide helps you set up an automated system using Azure Logic Apps to manage and analyze data from Microsoft Defender for Cloud Apps. Here's a simplified summary:

  1. Purpose: The system automatically collects data about SaaS applications from Microsoft Defender for Cloud Apps and stores it in a custom table in Microsoft Sentinel. It focuses on apps related to AI and sends monthly email reports with this data.

  2. Components:

    • Azure Logic App: Automates the workflow, running daily to fetch and process data.
    • Managed Identity: Provides secure, passwordless access to necessary resources.
    • Log Analytics Workspace: Stores the collected data in a custom table named CloudAppRiskCatalog_CL.

  3. Setup Steps:

    • Create a Custom Table: Define a schema for storing app data.
    • Configure Logic App: Set up the Logic App to fetch data, filter it by AI categories, and store it in the custom table.
    • Assign Permissions: Use PowerShell to grant the Logic App necessary permissions to access Microsoft Graph API and Azure resources.
    • Email Reporting: Configure the Logic App to send a monthly email report with a CSV attachment of AI-related apps.

  4. Data Processing:

    • The Logic App retrieves app data daily and filters it to focus on AI-related categories.
    • It stores this data in the custom table and sends a monthly report via email.

  5. Verification and Troubleshooting:

    • Test the Logic App to ensure it runs correctly and verify data in Microsoft Sentinel.
    • Use provided KQL queries to analyze the data and troubleshoot any issues with permissions or data processing.

  6. KQL Queries: The guide includes various KQL queries to analyze the stored data, such as identifying high-risk apps, AI apps, and traffic statistics.

This setup helps automate the monitoring and reporting of SaaS applications, particularly those related to AI, enhancing security and compliance efforts.

Details

Benjamin Zulliger

Released: June 8, 2026

Tables

CloudAppRiskCatalog_CL

Keywords

Microsoft, Defender, Cloud, App, Discovery, Sentinel, Azure, Logic, SaaS, Data, Graph, API, Log, Analytics, Table, AI, Categories, Monthly, Email, Report, CSV, Attachment, Architecture, Overview, Prerequisites, Custom, Collection, Endpoint, Rule, Workspace, Subscription, for, Apps, Contributor, Owner, Rights, Mailbox, PowerShell, Az, Module, Sample, JSON, Portal, Tables, Rules, Endpoints, Managed, Identity, Monitoring, Metrics, Publisher, Mail, Send, Workflow, Code, Editor, Stream, Filter, Test, and, Verify, Run, Trigger, Monitor, KQL, Queries, All, Latest, High, Risk, Only, Top, by, Traffic, per, Category, New, Since, Last, Week, Piechart, of, Agents, Troubleshooting, Forbidden, Ingestion, Too, Many, Requests, Appears, in, Takes, Long, Risk, Score, Notes, Period, Schedule, Authentication

Operators

`|` `where` `summarize` `arg_max` `project` `sort` `asc` `desc` `take` `count` `has_any` `top` `by` `round` `todouble` `let` `ago` `between` `join` `kind` `leftanti` `render` `piechart` `with` `title` `tolower` `split` `extend` `coalesce` `createArray` `contains` `or` `equals` `dayOfMonth` `utcNow` `base64` `length` `toint` `has`