Activity for Cloud Access Security Broker applications

The Cloud Access Security Broker (CASB) discovery type represents applications like Microsoft Defender that offer security solutions to protect devices and private information from online threats.

User activity data collected for applications discovered through a CASB source is different compared to other SaaS connectors. CASB discovery identifies active users based on activity within a 7 or 30-day timeframe. After this period, users are considered inactive, and the Last active column in the table shows the approximate time range of their inactivity.

User activity is a prerequisite for usage metrics, subscription optimization, and insights. If you have Microsoft Defender applications installed in your IT estate, you must connect to the CASB discovery source that collects user activity in these applications. For more information on discovery sources, see SaaS discovery.