MicrosoftCloudAppSecurity
Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.
Authentication & Identity Management · Microsoft Defender for Cloud Apps
Configuration parameters
auth_mode— Authentication Modeendpoint_type— Endpoint Typeurl— Server URL (e.g., https://yourdomain.eu2.portal.cloudappsecurity.com) (required)creds_token—token— User's key to access the API (for legacy method)app_id— Application IDtenant_id— Tenant ID (for Client Credentials mode)client_id—isFetch— Fetch incidentsincidentType— Incident typeinsecure— Trust any certificate (not secure)proxy— Use system proxy settingsseverity— Incident severitymax_fetch— Maximum alerts to fetchfirst_fetch— First fetch timeresolution_status— Incident resolution statuscustom_filter— Custom Filterlook_back— Advanced: Minutes to look back when fetching
Commands (13)
-
microsoft-cas-activities-listReturns a list of activities that match the specified filters. In case of timeout errors, please consider increasing the timeout argument.
-
microsoft-cas-alert-close-benignAn alert on a suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
-
microsoft-cas-alert-close-false-positiveClose multiple alerts matching the specified filters as false positive (an alert on a non-malicious activity).
-
microsoft-cas-alert-close-true-positiveClose multiple alerts matching the specified filters as true positive (an alert on a confirmed malicious activity.
-
microsoft-cas-alert-dismiss-bulkDeprecatedDeprecated. Use one of the alert-close commands instead. Dismisses multiple alerts (bulk dismiss) that match the specified filters.
-
microsoft-cas-alert-resolve-bulkDeprecatedDeprecated. Use one of the alert-close commands instead. Resolves multiple alerts (bulk resolve) that match the specified filters. Filters include origin IP address, IP subnet category, action taken on the activity, source type, or a custom filter.
-
microsoft-cas-alerts-listReturns a list of alerts that match the specified filters.
-
microsoft-cas-auth-completeRun this command to complete the authorization process. Should be used after running the microsoft-365-defender-auth-start command. (for device-code mode).
-
microsoft-cas-auth-resetRun this command if for some reason you need to rerun the authentication process.
-
microsoft-cas-auth-startRun this command to start the authorization process and follow the instructions in the command results. (for device-code mode).
-
microsoft-cas-auth-testTests the connectivity to the Microsoft 365 Defender.
-
microsoft-cas-files-listReturns a list of files that match the specified filters. Filters include file type, file share value, file extension, file quarantine status, and a custom filter. If you pass the custom_filter argument it will override the other filters in this command. This command is supported only when using the legacy authentication.
-
microsoft-cas-users-accounts-listReturns a list of user accounts that match the specified filters. Filters include user account type, group ID, external/internal, user account status, and custom filter. The accounts object schema includes information about how users and accounts use your organization's cloud apps.