Policy management
MDCA ingests data through app connectors; depending on the connected app, the data is gathered into the activity log. The activity log can then be searched or filtered for single or repeated activities, and when an activity (or a run of them) matches, the policy raises an alert in your environment. Once you have created a policy and reviewed what it catches for a while, you can enable governance actions on it, which may allow you to suspend the user, mark the user as compromised, or take other useful actions against them.
What I have described above is an activity policy, but MDCA contains other policy types as well. The possible policy types are:
- Activity policy
- File policy
- App discovery policy
- Access policy
- Session policy
- OAuth app policy
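The activity policy described above has three parts: an activity filter, an optional "repeated activity" threshold (N matches within a window, per user), and a governance action. The following Python is an added example that is not part of this page or of MDCA itself: it replays a small, constructed activity log through a policy modelled on "Multiple failed login attempts" and shows which users would fire it. The threshold (5 failures in 5 minutes), the field names, and the governance action label are assumptions chosen for illustration; in the real product they are configured in the portal.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Activity:
    """One row of the activity log, as ingested through an app connector (assumed shape)."""
    time: datetime
    user: str
    action: str     # e.g. "Logon"
    outcome: str    # "Success" or "Failure"
    ip: str


@dataclass
class ActivityPolicy:
    """The three parts of an activity policy: a filter, a repeat threshold, a governance action."""
    name: str
    match: Callable[[Activity], bool]  # activity filter
    threshold: int                     # repeated activity: at least this many matches ...
    window: timedelta                  # ... within this window, per user
    governance: str                    # action taken when the policy fires (illustrative label)


def evaluate(policy: ActivityPolicy, activities: list[Activity]) -> list[dict]:
    """Replay the activity log in time order and return one alert per user each time
    the policy fires. A per-user sliding window holds the timestamps of matching
    activities; once it reaches the threshold an alert is raised and the window is
    reset so the same activities are not counted twice."""
    alerts = []
    windows: dict[str, deque[datetime]] = defaultdict(deque)
    for act in sorted(activities, key=lambda a: a.time):
        if not policy.match(act):
            continue
        win = windows[act.user]
        win.append(act.time)
        while act.time - win[0] > policy.window:   # drop matches that fell out of the window
            win.popleft()
        if len(win) >= policy.threshold:
            alerts.append({
                "policy": policy.name,
                "user": act.user,
                "count": len(win),
                "first": win[0],
                "last": act.time,
                "governance": policy.governance,
            })
            win.clear()
    return alerts


def failed_login_policy() -> ActivityPolicy:
    # Assumed thresholds; the real policy in the portal is configured in the UI.
    return ActivityPolicy(
        name="Multiple failed login attempts",
        match=lambda a: a.action == "Logon" and a.outcome == "Failure",
        threshold=5,
        window=timedelta(minutes=5),
        governance="Suspend user",
    )


def sample_activities() -> list[Activity]:
    """Constructed sample log: alice bursts, bob and carol are spread out."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    rows = []
    for i in range(6):   # alice: 6 failures in 2.5 minutes -> fires at the 5th
        rows.append(Activity(t0 + timedelta(seconds=30 * i), "alice", "Logon", "Failure", "203.0.113.10"))
    rows.append(Activity(t0 + timedelta(minutes=3), "alice", "Logon", "Success", "203.0.113.10"))
    for i in range(3):   # bob: 3 failures over 40 minutes -> never reaches 5
        rows.append(Activity(t0 + timedelta(minutes=20 * i), "bob", "Logon", "Failure", "198.51.100.7"))
    for i in range(5):   # carol: 5 failures, but one every 2 minutes, so at most 3 per 5-minute window
        rows.append(Activity(t0 + timedelta(minutes=2 * i), "carol", "Logon", "Failure", "192.0.2.44"))
    return rows


def run_example() -> list[dict]:
    return evaluate(failed_login_policy(), sample_activities())


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert['policy']}: {alert['user']} had {alert['count']} failures between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} -> {alert['governance']}")
```

Only alice fires, even though carol also has five failures in total: the window matters as much as the count, which is why it pays to watch a new policy's matches for a while before enabling a governance action such as suspending the user.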
Default policies
Microsoft includes some default policies. These can be disabled or deleted, and no filter exists to find the default ones. As of 2024 I believe these are the default policies and their default states. I am sure this has changed over the course of a few years, since MDCA was known by a different name, so the default policies in your environment may be different.
Policy | State | Type |
---|---|---|
Malware detection | Disabled | Unknown |
Multiple delete VM activities | Disabled | Unknown |
Suspicious inbox manipulation rule | Enabled | Unknown |
Unusual administrative activity (by user) | Disabled | Unknown |
Unusual file deletion activity (by user) | Disabled | Unknown |
Activity from suspicious IP addresses | Enabled | Unknown |
Activity from anonymous IP addresses | Enabled | Unknown |
Unusual impersonated activity (by user) | Disabled | Unknown |
Unusual file share activity (by user) | Disabled | Unknown |
Activity performed by terminated user | Enabled | Unknown |
Ransomware activity | Enabled | Unknown |
Unusual file download (by user) | Disabled | Unknown |
Impossible travel | Disabled | Unknown |
Multiple failed login attempts | Disabled | Unknown |
Suspicious inbox forwarding | Enabled | Unknown |
Activity from infrequent country | Disabled | Unknown |
Misleading publisher name for an OAuth app | Enabled | Unknown |
Misleading OAuth app name | Enabled | Unknown |
Multiple storage deletion activities | Enabled | Unknown |
Suspicious Power BI report sharing | Disabled | Unknown |
Suspicious email deletion activity (by user) | Enabled | Unknown |
Suspicious change of CloudTrail logging service | Enabled | Unknown |
Malicious OAuth app consent | Enabled | Unknown |
Suspicious creation activity for cloud region | Enabled | Unknown |
Suspicious OAuth app file download activities | Disabled | Unknown |
Unusual addition of credentials to an OAuth app | Disabled | Unknown |
Unusual ISP for an OAuth App | Enabled | Unknown |
Suspicious file access activity (by user) | Enabled | Unknown |