
Thursday, August 14, 2025

Microsoft Defender for Cloud Apps cloud discovery works by analyzing web traffic logs to identify and assess cloud applications (Shadow IT) being used in your organization. The process typically involves these steps:

 

  • Collect traffic logs: The first and most critical step is to get the necessary data. This data comes from your network firewall or proxy. You need to gather web traffic logs from these on-premises appliances.

  • Upload logs: You then need to upload these logs to Defender for Cloud Apps. There are two primary methods:

    • Manual log upload: You can manually upload the logs in a snapshot report to get a one-time analysis.

    • Automatic log upload: For continuous monitoring, you configure a log collector on your network that automatically forwards the logs to the service.

  • Analyze and report: Once the logs are uploaded, Defender for Cloud Apps parses and analyzes them against its cloud app catalog to identify discovered apps, assess their risk scores, and generate reports.
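The analyze step can be pictured with a small sketch. This is an added example, not Microsoft's code or log format: the five-field log layout, the catalog entries and their scores, and the function names are all constructed for illustration. It parses proxy log lines, matches each destination host against a catalog, and totals users and traffic per app while counting lines it could not parse.

```python
from collections import defaultdict

# Constructed catalog: host -> (app name, score). Hypothetical entries, not Microsoft's catalog.
CATALOG = {
    "files.example-share.test": ("ExampleShare", 3),
    "chat.example-talk.test": ("ExampleTalk", 8),
}

# Constructed proxy log: timestamp user dest_host bytes_uploaded bytes_downloaded
SAMPLE_LOG = """\
2025-08-14T09:00:01Z alice files.example-share.test 52000 1200
2025-08-14T09:00:05Z bob files.example-share.test 910000 800
2025-08-14T09:01:10Z alice chat.example-talk.test 400 2300
2025-08-14T09:02:00Z carol unknown-app.test 100 100
malformed line
2025-08-14T09:03:00Z bob chat.example-talk.test 600 x
"""

def parse_line(line):
    """Return (user, host, up, down), or None if the line does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not (parts[3].isdigit() and parts[4].isdigit()):
        return None
    return parts[1], parts[2].lower(), int(parts[3]), int(parts[4])

def discover(log_text, catalog):
    """Aggregate traffic per app; return (report, count of skipped lines)."""
    report = defaultdict(lambda: {"score": None, "users": set(), "up": 0, "down": 0, "events": 0})
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count rejects: silently dropped lines hide usage
            continue
        user, host, up, down = rec
        name, score = catalog.get(host, (host, None))  # uncatalogued hosts stay visible
        app = report[name]
        app["score"] = score
        app["users"].add(user)
        app["up"] += up
        app["down"] += down
        app["events"] += 1
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = discover(SAMPLE_LOG, CATALOG)
    for name, a in sorted(report.items(), key=lambda kv: -kv[1]["up"]):
        print(f"{name:20} score={a['score']} users={len(a['users'])} up={a['up']} down={a['down']}")
    print("skipped lines:", skipped)
```

The skipped-line count matters before a manual upload: if the log format does not match what the parser expects, the resulting report understates usage.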
