MicrosoftCloudAppSecurity

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.

Authentication & Identity Management · Microsoft Defender for Cloud Apps

Configuration parameters

  • auth_mode — Authentication Mode
  • endpoint_type — Endpoint Type
  • url — Server URL (e.g., https://yourdomain.eu2.portal.cloudappsecurity.com) (required)
  • creds_token
  • token — User's key to access the API (for legacy method)
  • app_id — Application ID
  • tenant_id — Tenant ID (for Client Credentials mode)
  • client_id
  • isFetch — Fetch incidents
  • incidentType — Incident type
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • severity — Incident severity
  • max_fetch — Maximum alerts to fetch
  • first_fetch — First fetch time
  • resolution_status — Incident resolution status
  • custom_filter — Custom Filter
  • look_back — Advanced: Minutes to look back when fetching

Commands (13)

  • microsoft-cas-activities-list

    Returns a list of activities that match the specified filters. In case of timeout errors, please consider increasing the timeout argument.

  • microsoft-cas-alert-close-benign

    An alert on a suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.

  • microsoft-cas-alert-close-false-positive

    Close multiple alerts matching the specified filters as false positive (an alert on a non-malicious activity).

  • microsoft-cas-alert-close-true-positive

    Close multiple alerts matching the specified filters as true positive (an alert on a confirmed malicious activity.

  • microsoft-cas-alert-dismiss-bulk Deprecated

    Deprecated. Use one of the alert-close commands instead. Dismisses multiple alerts (bulk dismiss) that match the specified filters.

  • microsoft-cas-alert-resolve-bulk Deprecated

    Deprecated. Use one of the alert-close commands instead. Resolves multiple alerts (bulk resolve) that match the specified filters. Filters include origin IP address, IP subnet category, action taken on the activity, source type, or a custom filter.

  • microsoft-cas-alerts-list

    Returns a list of alerts that match the specified filters.

  • microsoft-cas-auth-complete

    Run this command to complete the authorization process. Should be used after running the microsoft-365-defender-auth-start command. (for device-code mode).

  • microsoft-cas-auth-reset

    Run this command if for some reason you need to rerun the authentication process.

  • microsoft-cas-auth-start

    Run this command to start the authorization process and follow the instructions in the command results. (for device-code mode).

  • microsoft-cas-auth-test

    Tests the connectivity to the Microsoft 365 Defender.

  • microsoft-cas-files-list

    Returns a list of files that match the specified filters. Filters include file type, file share value, file extension, file quarantine status, and a custom filter. If you pass the custom_filter argument it will override the other filters in this command. This command is supported only when using the legacy authentication.

  • microsoft-cas-users-accounts-list

    Returns a list of user accounts that match the specified filters. Filters include user account type, group ID, external/internal, user account status, and custom filter. The accounts object schema includes information about how users and accounts use your organization's cloud apps.