Cloud App Security Log Uploads


This course explores Microsoft Cloud App Security, including what it is, what it offers, and how it's configured. You'll learn about Cloud Discovery and how to configure Microsoft Cloud App Security. You’ll learn about access policies, policy templates, and how to manage OAuth apps, before diving into Cloud App Security log uploads.

We'll also look at app connectors and at the Cloud App Catalog before moving on to the Cloud App Security dashboard and ways to manage alerts. Finally, we'll cover data management reports.

Learning Objectives

  • Get a solid understanding of Microsoft Cloud App Security including what it is, what it offers, and how it's configured
  • Learn how to set up access policies and access templates
  • Learn how to manage OAuth apps and Cloud App Security uploads
  • Understand how app connectors and the Cloud App Catalog add security to your apps
  • Learn about the Cloud App Security dashboard, how to manage alerts, and how to generate management reports

Intended Audience

This course is intended for those who wish to learn how to use Cloud App Security in Microsoft 365.


To get the most out of this course, you should already have some basic knowledge of Microsoft 365.


When using Cloud App Security, log collectors are used to automate the upload of logs from your network to Cloud App Security. Log collectors that are deployed to the network can receive logs via Syslog or via FTP. The logs that are collected are then processed, compressed, and transmitted to the portal. FTP logs are immediately uploaded to Microsoft Cloud App Security after being FTP’d to the Log Collector. Syslogs, however, are first written to disk by the Log Collector. Once the file size of the written logs hits 40KB, the collector then uploads them to Cloud App Security.

Once a log gets uploaded to Cloud App Security, it's moved to a backup directory, which stores the last 20 logs. That being the case, as new logs arrive, older logs are deleted. 

Before you set up automatic log file collection, you need to ensure that your log matches the expected log type. This is important because you need to ensure that Cloud App Security can parse the log files being pushed into it.

Since Cloud Discovery uses the data in your traffic logs to provide visibility, you want your traffic logs to be as detailed as possible. For example, Cloud Discovery requires that web traffic data include the attributes that you see on your screen.

As you would expect, Cloud Discovery can't analyze attributes that aren't included in your logs. Take, for example, a Cisco ASA Firewall. In a Cisco ASA Firewall, the standard log format doesn't show the number of uploaded bytes per transaction. Nor does it show the username for the transaction, nor the target URL. That being the case, this information will obviously be missing from the Cloud Discovery data for these logs. This, in turn, results in limited visibility into the cloud apps in use. 
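A pre-upload check for the three attributes named above, written as an added example that is not part of the course material. It assumes a generic key=value log layout; the field names `user`, `url` and `sent_bytes` and the sample lines are constructed for illustration, so map them to your appliance's real format before use.

```python
import re
from collections import Counter

# Attributes the passage names as absent from the standard Cisco ASA format.
# Key names are hypothetical placeholders for your appliance's real field names.
REQUIRED = {"user": "username", "url": "target URL", "sent_bytes": "uploaded bytes"}

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines, not real appliance output.
DETAILED = [
    '2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 user=alice '
    'url="https://files.example.com/upload" sent_bytes=48211 rcvd_bytes=912',
    '2024-05-01T10:00:02Z src=10.0.0.9 dst=203.0.113.20 user=bob '
    'url="https://mail.example.net/" sent_bytes=1200 rcvd_bytes=56000',
]
SPARSE = [
    '2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow',
    '2024-05-01T10:00:02Z src=10.0.0.9 dst=203.0.113.20 dport=443 action=allow user=-',
]

def parse(line):
    """Return {key: value} for each key=value pair, dropping empty or '-' values."""
    fields = {}
    for key, raw in PAIR.findall(line):
        value = raw.strip('"')
        if value and value != "-":
            fields[key] = value
    return fields

def coverage(lines):
    """Fraction of non-blank lines that carry each required attribute."""
    records = [parse(line) for line in lines if line.strip()]
    hits = Counter(k for rec in records for k in REQUIRED if k in rec)
    total = len(records)
    return {k: (hits[k] / total if total else 0.0) for k in REQUIRED}

def missing_attributes(lines, threshold=0.9):
    """Names of attributes present in fewer than `threshold` of the lines."""
    cov = coverage(lines)
    return sorted(REQUIRED[k] for k, frac in cov.items() if frac < threshold)

if __name__ == "__main__":
    for name, sample in (("detailed", DETAILED), ("sparse", SPARSE)):
        print(name, coverage(sample), missing_attributes(sample))
```

Run it against a sample of the log you plan to forward; any attribute it reports as missing will also be missing from the Cloud Discovery data.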


So, the key takeaway here is that Cloud App Security and Cloud Discovery rely on log uploads to provide visibility into the cloud apps in use in your environment. The more detailed the reports, the more visibility you get.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.