Microsoft Defender for Cloud Apps

This Integration is part of the Microsoft Defender for Cloud Apps Pack.

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts. This integration was integrated and tested with version 178 of MicrosoftCloudAppSecurity.

  1. Device Code Flow.
  2. Client Credentials Flow.
  3. By token (legacy method).

Device Code Flow

To use a Device Code Flow, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.

To connect to the Microsoft Cloud App Security:

  1. Fill in the required parameters.
  2. Run the !microsoft-cas-auth-start command.
  3. Follow the instructions that appear.
  4. Run the !microsoft-cas-auth-complete command.

At the end of the process you'll see a message that you've logged in successfully.

Client Credentials Flow

Follow these steps for a self-deployed configuration:

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.
  2. In the instance configuration, select Client Credentials in the Authentication Mode parameter.
  3. Enter your Client/Application ID in the Application ID parameter.
  4. Enter your Client Secret in the Password parameter.
  5. Enter your Tenant ID in the Tenant ID parameter.

Required Permissions

Make sure to provide the following permissions for the app to work with Microsoft Cloud App Security:

By token (legacy method)

To access the Microsoft Cloud App Security API, you need to grant authorization. See the Microsoft documentation to view a detailed explanation of how to create the Server URL and User key (token).

For more information about which permissions are required for the token owner in Microsoft Cloud App Security, see Microsoft Cloud App Security - Manage admin access.

Configure MicrosoftCloudAppSecurity on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MicrosoftCloudAppSecurity.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Endpoint Type | The endpoint for accessing Microsoft Defender for Cloud Applications (MCAS), see table below. | Worldwide |
    | Server URL (e.g., https://example.net) | In the Security Center, go to Settings > Cloud Apps > About tab, where the API URL is displayed. | True |
    | Authentication Mode | | False |
    | User's key to access the API | | False |
    | Application ID | | False |
    | Tenant ID (for Client Credentials mode) | | False |
    | Fetch incidents | | False |
    | Incident type | | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Incident severity | | False |
    | Maximum alerts to fetch | | False |
    | First fetch time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
    | Incident resolution status | | False |
    | Custom Filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. An example of a Custom Filter is: {"severity":{"eq":2}}. Note that for filtering by "entity.policy", you should use the ID of the policy. For example, for retrieving the policy: {"policyType": "ANOMALY_DETECTION", "id": "1234", "label": "Impossible travel", "type": "policyRule"} please query on {"entity.policy":{"eq":1234}}. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. | False |
    | Advanced: Minutes to look back when fetching | Use this parameter to determine how far back to look when searching for incidents, to ensure that all incidents are collected. | False |

    Endpoint Type options

    | Endpoint Type | Description |
    | --- | --- |
    | Worldwide | The publicly accessible Microsoft Defender for Cloud Applications |
    | US GCC | Microsoft Defender for Cloud Applications for the USA Government Cloud Community (GCC) |
    | US GCC-High | Microsoft Defender for Cloud Applications for the USA Government Cloud Community High (GCC-High) |

  4. Click Test to validate the URLs, token, and connection.

Look-back parameter note

If the look-back parameter was set to a certain value while incidents were being fetched, and it is later changed to a value greater than the previous one, the next fetch might produce duplicate incidents.
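
The following added example (not the integration's own code) is a simplified model of look-back fetching that shows how raising the look-back value can re-create an incident. It assumes that already-fetched alert IDs are remembered only for as long as they fit inside the current look-back window; the function names, alert IDs and times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def fetch_cycle(alerts, last_fetch, now, look_back_minutes, seen):
    """One fetch. `alerts` and `seen` map alert ID -> creation time."""
    look_back = timedelta(minutes=look_back_minutes)
    window_start = last_fetch - look_back
    new_ids = [
        alert_id
        for alert_id, created in sorted(alerts.items(), key=lambda kv: kv[1])
        if window_start <= created <= now and alert_id not in seen
    ]
    remembered = {**seen, **{alert_id: alerts[alert_id] for alert_id in new_ids}}
    # Assumption: IDs are remembered only while they can still fall inside the
    # current look-back window, which keeps the stored state small.
    remembered = {i: t for i, t in remembered.items() if t >= now - look_back}
    return new_ids, remembered


def run_fetches(alerts, start, schedule):
    """`schedule` is a list of (fetch_time, look_back_minutes) pairs."""
    incidents, seen, last_fetch = [], {}, start
    for now, look_back_minutes in schedule:
        new_ids, seen = fetch_cycle(alerts, last_fetch, now, look_back_minutes, seen)
        incidents.extend(new_ids)
        last_fetch = now
    return incidents


def duplicated(incident_ids):
    """IDs that were turned into an incident more than once."""
    return sorted({i for i in incident_ids if incident_ids.count(i) > 1})


def first_occurrences(incident_ids):
    """Downstream guard keyed on the alert ID: keep only the first incident."""
    return list(dict.fromkeys(incident_ids))


def at(hhmm):
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2021, 7, 13, hour, minute, tzinfo=timezone.utc)


# Constructed sample data: alert ID -> creation time.
ALERTS = {"alert-A": at("12:00"), "alert-B": at("12:18")}
START = at("11:55")
# Look-back stays at 10 minutes for every fetch.
STEADY = [(at("12:05"), 10), (at("12:20"), 10), (at("12:25"), 10)]
# Look-back is raised from 10 to 60 minutes before the third fetch.
RAISED = [(at("12:05"), 10), (at("12:20"), 10), (at("12:25"), 60)]

if __name__ == "__main__":
    print("steady:", run_fetches(ALERTS, START, STEADY))
    raised = run_fetches(ALERTS, START, RAISED)
    print("raised:", raised, "duplicates:", duplicated(raised))
    print("after ID guard:", first_occurrences(raised))
```

In this model the wider window reaches back to an alert whose ID has already been forgotten, so a guard keyed on the alert ID is what removes the repeat.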

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

microsoft-cas-auth-start

Run this command to start the authorization process and follow the instructions in the command results (for device-code mode).

Base Command

microsoft-cas-auth-start

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-auth-start

Human Readable Output

###Authorization instructions

  1. To sign in, use a web browser to open the page {URL} and enter the code {code} to authenticate.
  2. Run the !microsoft-cas-auth-complete command in the War Room.

microsoft-cas-auth-complete

Run this command to complete the authorization process. It should be used after running the microsoft-cas-auth-start command (for device-code mode).

Base Command

microsoft-cas-auth-complete

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-auth-complete

Human Readable Output

✅ Authorization completed successfully.

microsoft-cas-auth-reset

Run this command if for some reason you need to rerun the authentication process.

Base Command

microsoft-cas-auth-reset

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-auth-reset

Human Readable Output

Authorization was reset successfully. You can now run !microsoft-cas-auth-start and !microsoft-cas-auth-complete.

microsoft-cas-auth-test

Tests the connectivity to Microsoft CAS.

Base Command

microsoft-cas-auth-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-auth-test

Human Readable Output

✅ Success!

microsoft-cas-alerts-list

Returns a list of alerts that match the specified filters.

Base Command

microsoft-cas-alerts-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | Skips the specified number of records. | Optional |
| limit | The maximum number of records to return. Default is 50. | Optional |
| severity | The severity of the alert. Possible values are: Low, Medium, High. | Optional |
| resolution_status | The alert resolution status. Possible values are: Open, Dismissed, Resolved. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. | Optional |
| alert_id | The alert ID. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.Alerts._id | String | The alert ID. |
| MicrosoftCloudAppSecurity.Alerts.timestamp | Date | The time the alert was created. |
| MicrosoftCloudAppSecurity.Alerts.policyRule.id | String | The ID of the rule that triggered the alert. |
| MicrosoftCloudAppSecurity.Alerts.policyRule.label | String | The label of the rule that triggered the alert. |
| MicrosoftCloudAppSecurity.Alerts.policyRule.type | String | The type of rule that triggered the alert. |
| MicrosoftCloudAppSecurity.Alerts.policyRule.policyType | String | The policy type of the rule that triggered the alert. |
| MicrosoftCloudAppSecurity.Alerts.service.id | Number | The cloud service ID. |
| MicrosoftCloudAppSecurity.Alerts.service.label | String | The cloud service name. |
| MicrosoftCloudAppSecurity.Alerts.service.type | String | The cloud service type. |
| MicrosoftCloudAppSecurity.Alerts.file.id | String | The ID of the alert file. |
| MicrosoftCloudAppSecurity.Alerts.file.label | String | The label of the alert file. |
| MicrosoftCloudAppSecurity.Alerts.file.type | String | The alert file type. |
| MicrosoftCloudAppSecurity.Alerts.user.id | String | The ID of the user who received the alert. |
| MicrosoftCloudAppSecurity.Alerts.user.label | String | The label of the user who received the alert. |
| MicrosoftCloudAppSecurity.Alerts.user.type | String | The type of the user who received the alert. |
| MicrosoftCloudAppSecurity.Alerts.country.id | String | The country ID where the alert originated. |
| MicrosoftCloudAppSecurity.Alerts.country.label | String | The country label where the alert originated. |
| MicrosoftCloudAppSecurity.Alerts.country.type | String | The country type where the alert originated. |
| MicrosoftCloudAppSecurity.Alerts.ip.id | String | The IP address where the alert came from. |
| MicrosoftCloudAppSecurity.Alerts.ip.label | String | The IP label where the alert came from. |
| MicrosoftCloudAppSecurity.Alerts.ip.type | String | The IP type where the alert came from. |
| MicrosoftCloudAppSecurity.Alerts.ip.triggeredAlert | Boolean | Whether this IP address triggered the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.id | String | The ID of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.label | String | The label of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.type | String | The type of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.inst | Number | The instance of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.saas | Number | The service of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.pa | String | The email of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.account.entityType | Number | The entity type of the account that received the alert. |
| MicrosoftCloudAppSecurity.Alerts.title | String | The title of the alert. |
| MicrosoftCloudAppSecurity.Alerts.description | String | The description of the alert. |
| MicrosoftCloudAppSecurity.Alerts.policy.id | String | The ID of the reason (policy) that explains why the alert was triggered. |
| MicrosoftCloudAppSecurity.Alerts.policy.label | String | The label of the reason (policy) that explains why the alert was triggered. |
| MicrosoftCloudAppSecurity.Alerts.policy.policyType | String | The policy type of the reason (policy) that explains why the alert was triggered. |
| MicrosoftCloudAppSecurity.Alerts.threatScore | Number | The threat score of the alert. |
| MicrosoftCloudAppSecurity.Alerts.isSystemAlert | Boolean | Whether it is a system alert. |
| MicrosoftCloudAppSecurity.Alerts.statusValue | Number | The status value of the alert. |
| MicrosoftCloudAppSecurity.Alerts.severityValue | Number | The severity value of the alert. |
| MicrosoftCloudAppSecurity.Alerts.handledByUser | String | The user who handled the alert. |
| MicrosoftCloudAppSecurity.Alerts.comment | String | The comment relating to the alert. |
| MicrosoftCloudAppSecurity.Alerts.resolveTime | Date | The date/time that the alert was resolved. |

Command Example

!microsoft-cas-alerts-list custom_filter={"filters": {"date": {"gte_ndays":30}}, "limit": "3"}

Context Example

{
"MicrosoftCloudAppSecurity": {
"Alerts": [
{
"URL": "https://example.portal.cloudappsecurity.com/#/alerts/60edead2cdbeaf0b87e13377",
"_id": "60edead2cdbeaf0b87e13377",
"account": [
{
"entityType": 2,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"inst": 0,
"label": "John Example",
"pa": "john@example.onmicrosoft.com",
"saas": 11161,
"type": "account"
}
],
"contextId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"country": [
{
"id": "IL",
"label": "IL",
"type": "country"
},
{
"id": "NL",
"label": "NL",
"type": "country"
}
],
"description": "<p>The user John Example (john@example.onmicrosoft.com) perform failed sign in activities from remote locations that are considered an impossible travel activity.<br/>The user performed failed sign in activities from 1.2.3.6 in Netherlands and 1.2.3.4 in Israel within 96 minutes.<br/>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
"evidence": [
{
"title": {
"parameters": {
"app": "Office 365"
},
"template": "ANUBIS_ADMIN_USER_FEATURE"
}
},
{
"title": {
"parameters": {
"mitre": {
"alternateLink": "https://go.microsoft.com/fwlink/?linkid=2135034",
"label": "MITRE",
"type": "link"
},
"tactic": "INITIAL_ACCESS"
},
"template": "ALERTS_MITRE_TACTIC"
}
}
],
"idValue": 15859716,
"intent": [
2
],
"ip": [
{
"id": "1.2.3.4",
"label": "1.2.3.4",
"type": "ip"
},
{
"id": "1.2.3.5",
"label": "1.2.3.5",
"type": "ip"
}
],
"isPreview": false,
"isSystemAlert": false,
"is_open": true,
"policyRule": [
{
"id": "5e6fa96cb5172297ca756554",
"label": "Impossible travel",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
}
],
"resolutionStatusValue": 0,
"service": [
{
"id": 20893,
"label": "Microsoft Exchange Online",
"type": "service"
},
{
"id": 11161,
"label": "Office 365",
"type": "service"
},
{
"id": 12260,
"label": "Microsoft Azure",
"type": "service"
}
],
"severityValue": 1,
"statusValue": 0,
"stories": [
0
],
"threatScore": 33,
"threatScoreReasoning": [
{
"parameters": {
"usage": 1,
"userPercent": 12
},
"template": "UEBA_ALERTS_TENANT_USAGE_EVIDENCE"
}
],
"timestamp": 1626193095126,
"title": "Impossible travel activity",
"user": [
{
"id": "john@example.onmicrosoft.com",
"label": "john@example.onmicrosoft.com",
"type": "user"
}
]
},
{
"URL": "https://example.portal.cloudappsecurity.com/#/alerts/60eda688cdbeaf0b87f5a41e",
"_id": "60eda688cdbeaf0b87f5a41e",
"account": [
{
"em": "john@example.onmicrosoft.com",
"entityType": 2,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"inst": 0,
"label": "John Example",
"pa": "john@example.onmicrosoft.com",
"saas": 11161,
"type": "account"
}
],
"contextId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"country": [
{
"id": "NL",
"label": "NL",
"type": "country"
}
],
"description": "John Example performed a risky sign-in.<br/><br/>Unfamiliar sign-in properties<br/>Sign-in with properties we have not seen recently for the given user",
"evidence": [
{
"title": {
"parameters": {
"mitre": {
"alternateLink": "https://go.microsoft.com/fwlink/?linkid=2135034",
"label": "MITRE",
"type": "link"
},
"tactic": "INITIAL_ACCESS"
},
"template": "ALERTS_MITRE_TACTIC"
}
},
{
"title": {
"parameters": {
"mitre": {
"alternateLink": "https://go.microsoft.com/fwlink/?linkid=2135034",
"label": "MITRE",
"type": "link"
},
"tactic": "INITIAL_ACCESS"
},
"template": "ALERTS_MITRE_TACTIC"
}
}
],
"idValue": 15795457,
"intent": [
2
],
"ip": [
{
"id": "1.2.3.6",
"label": "1.2.3.6",
"type": "ip"
}
],
"isSystemAlert": false,
"is_open": true,
"policyRule": [
{
"id": "5e6fa96cb5172297ca75654a",
"label": "Risky sign-in",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
}
],
"resolutionStatusValue": 0,
"severityValue": 2,
"statusValue": 0,
"stories": [
0
],
"threatScore": 0,
"timestamp": 1626187297290,
"title": "Risky sign-in: Unfamiliar sign-in properties"
},
{
"URL": "https://example.portal.cloudappsecurity.com/#/alerts/60eaf3cccdbeaf0b87d1a775",
"_id": "60eaf3cccdbeaf0b87d1a775",
"account": [
{
"entityType": 2,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"inst": 0,
"label": "John Example",
"pa": "john@example.onmicrosoft.com",
"saas": 11161,
"type": "account"
}
],
"comment": null,
"contextId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"description": "<p>The user \"John Example (john@example.onmicrosoft.com)\" performed more than 214 administrative activities in a single session.</p>",
"evidence": [
{
"title": {
"parameters": {
"app": "Office 365"
},
"template": "ANUBIS_ADMIN_USER_FEATURE"
}
},
{
"title": {
"parameters": {
"days": 124,
"resource": "1.2.3.4"
},
"template": "ANUBIS_LAST_SEEN_FEATURE_IP_ALL_TENANT"
}
}
],
"handledByUser": "john@example.onmicrosoft.com",
"idValue": 15859721,
"intent": [
4
],
"ip": [
{
"id": "1.2.3.5",
"label": "1.2.3.5",
"type": "ip"
}
],
"isPreview": false,
"isSystemAlert": false,
"is_open": false,
"policyRule": [
{
"id": "5e6fa96cb5172297ca756571",
"label": "Unusual administrative activity (by user)",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
}
],
"resolutionStatusValue": 4,
"resolveTime": "2021-07-13T18:26:58.662Z",
"service": [
{
"id": 20595,
"label": "Microsoft Cloud App Security",
"type": "service"
}
],
"severityValue": 1,
"statusValue": 0,
"stories": [
0
],
"threatScore": 33,
"threatScoreReasoning": [
{
"parameters": {
"usage": 1,
"userPercent": 12
},
"template": "UEBA_ALERTS_TENANT_USAGE_EVIDENCE"
}
],
"timestamp": 1625995805942,
"title": "Suspicious administrative activity",
"user": [
{
"id": "john@example.onmicrosoft.com",
"label": "john@example.onmicrosoft.com",
"type": "user"
}
]
}
]
}
}

Human Readable Output

Microsoft CAS Alerts

| alert_id | alert_date | title | description | status_value | severity_value | is_open |
| --- | --- | --- | --- | --- | --- | --- |
| 60edead2cdbeaf0b87e13377 | 2021-07-13T16:18:15.126000 | Impossible travel activity | The user John Example (john@example.onmicrosoft.com) perform failed sign in activities from remote locations that are considered an impossible travel activity.<br/>The user performed failed sign in activities from 1.2.3.6 in Netherlands and 1.2.3.4 in Israel within 96 minutes.<br/>If these are IP addresses that are known and safe, add them in the IP address range page to improve the accuracy of the alerts. | N/A | Medium | true |
| 60eda688cdbeaf0b87f5a41e | 2021-07-13T14:41:37.290000 | Risky sign-in: Unfamiliar sign-in properties | John Example performed a risky sign-in.<br/><br/>Unfamiliar sign-in properties<br/>Sign-in with properties we have not seen recently for the given user | N/A | High | true |
| 60eaf3cccdbeaf0b87d1a775 | 2021-07-11T09:30:05.942000 | Suspicious administrative activity | The user "John Example (john@example.onmicrosoft.com)" performed more than 214 administrative activities in a single session. | N/A | Medium | false |
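
The following added example (not part of the integration or its documentation) turns the alerts context shown above into a triage queue: it converts the epoch-millisecond timestamp, maps severityValue to a label, strips the HTML from descriptions, and falls back to the account entity when an alert has no user entity. The function names are hypothetical, the sample data is a trimmed copy of the Context Example with shortened descriptions, and the 0 = Low mapping is an assumption (the page's sample output only confirms 1 = Medium and 2 = High).

```python
import html
import re
from datetime import datetime, timedelta, timezone

# 1 -> Medium and 2 -> High match the sample output on this page;
# 0 -> Low is an assumption based on Microsoft's alert filter documentation.
SEVERITY = {0: "Low", 1: "Medium", 2: "High"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ms_to_utc(ms):
    """Alert timestamps are epoch milliseconds; integer math avoids float drift."""
    return EPOCH + timedelta(milliseconds=ms)


def plain_text(description):
    """Reduce the HTML in an alert description (<p>, <br/>, <a>) to text."""
    text = re.sub(r"<br\s*/?>", "\n", description or "")
    text = re.sub(r"<[^>]+>", "", text)
    return html.unescape(text).strip()


def mitre_tactics(alert):
    """Distinct tactics from ALERTS_MITRE_TACTIC evidence, in first-seen order."""
    tactics = []
    for item in alert.get("evidence", []):
        title = item.get("title", {})
        tactic = title.get("parameters", {}).get("tactic")
        is_mitre = title.get("template") == "ALERTS_MITRE_TACTIC"
        if is_mitre and tactic and tactic not in tactics:
            tactics.append(tactic)
    return tactics


def triage_row(alert):
    # Some alerts have no "user" entity (the risky sign-in sample does not),
    # so fall back to the "pa" address of the account entity.
    users = [u["id"] for u in alert.get("user", [])]
    if not users:
        users = [a["pa"] for a in alert.get("account", []) if a.get("pa")]
    value = alert.get("severityValue")
    return {
        "alert_id": alert["_id"],
        "alert_date": ms_to_utc(alert["timestamp"]).isoformat(),
        "title": alert.get("title", ""),
        "severity_value": value if isinstance(value, int) else -1,
        "severity": SEVERITY.get(value, "Unknown"),
        "users": users,
        "ips": [i["id"] for i in alert.get("ip", [])],
        "tactics": mitre_tactics(alert),
        "summary": plain_text(alert.get("description")).split("\n")[0],
    }


def triage_queue(context):
    """Open alerts only, highest severity first, then oldest first."""
    alerts = context.get("MicrosoftCloudAppSecurity", {}).get("Alerts", [])
    rows = [triage_row(a) for a in alerts if a.get("is_open")]
    return sorted(rows, key=lambda r: (-r["severity_value"], r["alert_date"]))


MITRE = {"title": {"parameters": {"tactic": "INITIAL_ACCESS"},
                   "template": "ALERTS_MITRE_TACTIC"}}
ADMIN = {"title": {"parameters": {"app": "Office 365"},
                   "template": "ANUBIS_ADMIN_USER_FEATURE"}}
ACCOUNT = {"label": "John Example", "pa": "john@example.onmicrosoft.com"}
USER = {"id": "john@example.onmicrosoft.com", "type": "user"}

# Trimmed copy of the three alerts in the Context Example (descriptions shortened).
SAMPLE_CONTEXT = {"MicrosoftCloudAppSecurity": {"Alerts": [
    {"_id": "60edead2cdbeaf0b87e13377", "timestamp": 1626193095126,
     "title": "Impossible travel activity", "severityValue": 1, "is_open": True,
     "description": "<p>Impossible travel activity for John Example.<br/>Add safe "
                    "IPs in the <a href=\"#/subnet\">IP address range page</a>.</p>",
     "account": [ACCOUNT], "user": [USER], "evidence": [ADMIN, MITRE],
     "ip": [{"id": "1.2.3.4"}, {"id": "1.2.3.5"}]},
    {"_id": "60eda688cdbeaf0b87f5a41e", "timestamp": 1626187297290,
     "title": "Risky sign-in: Unfamiliar sign-in properties",
     "severityValue": 2, "is_open": True,
     "description": "John Example performed a risky sign-in.<br/><br/>"
                    "Unfamiliar sign-in properties",
     "account": [ACCOUNT], "evidence": [MITRE, MITRE], "ip": [{"id": "1.2.3.6"}]},
    {"_id": "60eaf3cccdbeaf0b87d1a775", "timestamp": 1625995805942,
     "title": "Suspicious administrative activity",
     "severityValue": 1, "is_open": False,
     "description": "<p>More than 214 administrative activities.</p>",
     "account": [ACCOUNT], "user": [USER], "evidence": [ADMIN],
     "ip": [{"id": "1.2.3.5"}]},
]}}

if __name__ == "__main__":
    for row in triage_queue(SAMPLE_CONTEXT):
        print(row["severity"], row["alert_date"], row["title"], row["users"])
```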

microsoft-cas-alert-close-benign

Close multiple alerts matching the specified filters as benign (an alert on a suspicious but not malicious activity, such as a penetration test or other authorized suspicious action).

Base Command

microsoft-cas-alert-close-benign

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_ids | A comma-separated list of alerts matching the specified filters. Alert_id should appear similar to - "1234567890abcdefg". Mandatory, unless you use a custom filter. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
| comment | Comment describing why the alerts were dismissed. | Optional |
| reason | The reason for closing the alerts as benign. Providing a reason helps improve the accuracy of the detection over time. Possible values are: Actual severity is lower, Other, Confirmed with end user, Triggered by test. | Optional |
| sendFeedback | Whether feedback about this alert is provided. Possible values are: false, true. Default is false. | Optional |
| feedbackText | The text of the feedback. | Optional |
| allowContact | Whether consent to contact the user is provided. Possible values are: false, true. Default is false. | Optional |
| contactEmail | The email address of the user. | Optional |

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-alert-close-benign alert_ids=60eaf3cccdbeaf0b87d1a775

Human Readable Output

1 alerts were closed as benign.

microsoft-cas-alert-close-true-positive

Close multiple alerts matching the specified filters as true positive (an alert on a confirmed malicious activity).

Base Command

microsoft-cas-alert-close-true-positive

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_ids | A comma-separated list of alerts matching the specified filters. Alert_id should appear similar to - "1234567890abcdefg". Mandatory, unless you use a custom filter. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
| comment | Comment describing why the alerts were dismissed. | Optional |
| sendFeedback | Whether feedback about this alert is provided. Possible values are: false, true. Default is false. | Optional |
| feedbackText | The text of the feedback. | Optional |
| allowContact | Whether consent to contact the user is provided. Possible values are: false, true. Default is false. | Optional |
| contactEmail | The email address of the user. | Optional |

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-alert-close-true-positive alert_ids=60ced07dcdbeaf0b876fc7d3

Human Readable Output

1 alerts were closed as true-positive.

microsoft-cas-alert-close-false-positive

Close multiple alerts matching the specified filters as false positive (an alert on a non-malicious activity).

Base Command

microsoft-cas-alert-close-false-positive

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_ids | A comma-separated list of alerts matching the specified filters. Alert_id should appear similar to - "1234567890abcdefg". Mandatory, unless you use a custom filter. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
| comment | Comment describing why the alerts were dismissed. Default is None. | Optional |
| reason | The reason for closing the alerts as false positive. Providing a reason helps improve the accuracy of the detection over time. Possible values are: Not of interest, Too many similar alerts, Alert is not accurate, Other. | Optional |
| sendFeedback | Whether feedback about this alert is provided. Possible values are: false, true. Default is false. | Optional |
| feedbackText | The text of the feedback. | Optional |
| allowContact | Whether consent to contact the user is provided. Possible values are: false, true. Default is false. | Optional |
| contactEmail | The email address of the user. | Optional |

Context Output

There is no context output for this command.

Command Example

!microsoft-cas-alert-close-false-positive alert_ids=60cf6d10cdbeaf0b87acdfa9 reason="Alert is not accurate"

Human Readable Output

1 alerts were closed as false-positive.

microsoft-cas-activities-list

Returns a list of activities that match the specified filters.

Base Command

microsoft-cas-activities-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | The number of records to skip. Default is 50. | Optional |
| limit | Maximum number of records returned to the user. Default is 50. | Optional |
| ip | The origin of the specified IP address. | Optional |
| ip_category | The subnet categories. Possible values are: Corporate, Administrative, Risky, VPN, Cloud_provider, Other. | Optional |
| taken_action | The actions taken on activities. Valid values are: "block", "proxy", "BypassProxy", "encrypt", "decrypt", "verified", "encryptionFailed", "protect", "verify", and "null". Possible values are: block, proxy, BypassProxy, encrypt, decrypt, verified, encryptionFailed, protect, verify. | Optional |
| source | The source type. Possible values are: Access_control, Session_control, App_connector, App_connector_analysis, Discovery, MDATP. | Optional |
| custom_filter | A custom filter by which to filter the returned activities. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
| activity_id | The ID of the activity. | Optional |
| timeout | Timeout of the request to Microsoft CAS, in seconds. Default is 60 seconds. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | IP address. |
| IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
| MicrosoftCloudAppSecurity.Activities._id | String | The ID of the activity. |
| MicrosoftCloudAppSecurity.Activities.saasId | Number | The ID of the cloud service. |
| MicrosoftCloudAppSecurity.Activities.timestamp | Date | The time the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.instantiation | Date | The instantiation of the activity. |
| MicrosoftCloudAppSecurity.Activities.created | Date | The time the activity was created. |
| MicrosoftCloudAppSecurity.Activities.eventTypeValue | String | The event type of the activity. |
| MicrosoftCloudAppSecurity.Activities.device.clientIP | String | The device client IP address of the activity. |
| MicrosoftCloudAppSecurity.Activities.device.userAgent | String | The user agent of the activity. |
| MicrosoftCloudAppSecurity.Activities.device.countryCode | String | The country code (name) of the device. |
| MicrosoftCloudAppSecurity.Activities.location.countryCode | String | The country code (name) of the activity. |
| MicrosoftCloudAppSecurity.Activities.location.city | String | The city of the activity. |
| MicrosoftCloudAppSecurity.Activities.location.region | String | The region of the activity. |
| MicrosoftCloudAppSecurity.Activities.location.longitude | Number | The longitude of the activity. |
| MicrosoftCloudAppSecurity.Activities.location.latitude | Number | The latitude of the activity. |
| MicrosoftCloudAppSecurity.Activities.location.categoryValue | String | The category value of the activity. |
| MicrosoftCloudAppSecurity.Activities.user.userName | String | The username associated with the activity. |
| MicrosoftCloudAppSecurity.Activities.userAgent.family | String | The family of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.name | String | The name of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.name | String | The name of the operating system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.family | String | The family of the operating system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.type | String | The type of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.typeName | String | The name of the type of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.version | String | The version of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.deviceType | String | The device type of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.nativeBrowser | Boolean | The native browser type of the system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.os | String | The operating system in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.userAgent.browser | String | The browser in which the activity occurred. |
| MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.instanceId | Number | The ID of the instance of the event objects. |
| MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.saasId | Number | The ID of the cloud service of the event objects. |
| MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.id | String | The ID of the event objects. |
| MicrosoftCloudAppSecurity.Activities.mainInfo.activityResult.isSuccess | Boolean | Whether the activities were successful. |
| MicrosoftCloudAppSecurity.Activities.mainInfo.type | String | The type of activity. |
| MicrosoftCloudAppSecurity.Activities.confidenceLevel | Number | The confidence level of the activity. |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.id | String | The user ID of the activity. |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.saasId | String | The user cloud service ID of the activity. |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.instanceId | String | The user instance ID of the activity. |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.name | String | The username of the activity. |
| MicrosoftCloudAppSecurity.Activities.eventTypeName | String | The event that triggered the activity. |
| MicrosoftCloudAppSecurity.Activities.classifications | String | The classifications of the activity. |
| MicrosoftCloudAppSecurity.Activities.entityData.displayName | String | The display name of entity activity. |
| MicrosoftCloudAppSecurity.Activities.entityData.id.id | String | The ID of the entity activity. |
| MicrosoftCloudAppSecurity.Activities.entityData.resolved | Boolean | Whether the entity was resolved. |
| MicrosoftCloudAppSecurity.Activities.description | String | The description of the activity. |
| MicrosoftCloudAppSecurity.Activities.genericEventType | String | The generic event type of the activity. |
| MicrosoftCloudAppSecurity.Activities.severity | String | The severity of the activity. |

Command Example

!microsoft-cas-activities-list limit=4

Context Example

{
"DBotScore": [
{
"Indicator": "1.2.3.6",
"Score": 0,
"Type": "ip",
"Vendor": "MicrosoftCloudAppSecurity"
},
{
"Indicator": "1.2.3.4",
"Score": 0,
"Type": "ip",
"Vendor": "MicrosoftCloudAppSecurity"
}
],
"IP": [
{
"Address": "1.2.3.6",
"Geo": {
"Location": "52.30905:4.94019"
}
},
{
"Address": "1.2.3.4",
"Geo": {
"Location": "50.1109:8.6821"
}
}
],
"MicrosoftCloudAppSecurity": {
"Activities": [
{
"_id": "710e5ae7f65ad8e997e3154db373ad08c2304f63e8b49cb98347fded4652131a",
"aadTenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"appId": 11161,
"appName": "Office 365",
"classifications": [
"access"
],
"collected": {
"aadLogins": {
"MCAS_Router": false,
"correlationId": "a54f8379-730d-420c-a475-088d8478d894",
"enqueueTime": 1626197391062,
"routingTime": 1626197391127
}
},
"confidenceLevel": 30,
"created": 1626197535294,
"createdRaw": 1626197535294,
"description": "Failed log on (Failure message: General failure)",
"description_id": "EVENT_DESCRIPTION_FAILED_LOGIN",
"description_metadata": {
"activity_result_message": "(Failure message: General failure)",
"colon": "",
"dash": "",
"event_category": "Failed log on"
},
"device": {
"clientIP": "1.2.3.6",
"countryCode": "NL",
"userAgent": ";Windows 10;Chrome 91.0;"
},
"entityData": [
{
"displayName": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"id": {
"id": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"inst": 0,
"saas": 11161
},
"resolved": false
}
],
"eventRouting": {
"auditing": true,
"dispersed": true,
"lograbber": true,
"scubaUnpacker": false
},
"eventType": 2293761,
"eventTypeName": "EVENT_CATEGORY_FAILED_LOGIN",
"eventTypeValue": "EVENT_AAD_LOGIN_FAILED",
"failedUserData": {
"userName": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com"
},
"genericEventType": "ENUM_ACTIVITY_GENERIC_TYPE_FAILED_LOGIN",
"instantiation": 1626197490954,
"instantiationRaw": 1626197490954,
"internals": {
"otherIPs": [
"1.2.3.6"
]
},
"location": {
"anonymousProxy": false,
"carrier": "eunetworks gmbh",
"category": 0,
"categoryValue": "NONE",
"city": "amsterdam",
"countryCode": "NL",
"isSatelliteProvider": false,
"latitude": 52.30905,
"longitude": 4.94019,
"organizationSearchable": "eunetworks",
"postalCode": "1101",
"region": "noord-holland"
},
"lograbberService": {
"scubaUnpacker": true
},
"mainInfo": {
"activityResult": {
"isSuccess": false,
"message": "General failure"
},
"eventObjects": [
{
"id": "c61faf03-1cbc-4409-94a9-ae1497de0883",
"name": "EWS O365",
"objType": 6,
"role": 1,
"tags": []
},
{
"id": "a25feb7c-f23c-4152-9f46-d87e2e10d800",
"name": "Request ID",
"objType": 7,
"role": 3,
"tags": []
},
{
"name": "Pass-through authentication",
"objType": 7,
"role": 3,
"tags": [],
"value": "false"
},
{
"id": "58518ac4-40e0-4dc3-a56b-565dcfe4e9d3",
"name": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"objType": 2,
"resolved": false,
"role": 2,
"tags": [
"000000200000000000000000"
]
},
{
"governable": false,
"id": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"instanceId": 0,
"link": 1874981740,
"name": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"objType": 22,
"resolved": false,
"role": 5,
"saasId": 11161,
"tags": [
"000000200000000000000000"
]
}
],
"prettyOperationName": "OAuth2:Authorize",
"rawOperationName": "OAuth2:Authorize",
"type": "failedLogin"
},
"rawDataJson": {
"ApplicationId": "c61faf03-1cbc-4409-94a9-ae1497de0883",
"ApplicationName": "EWS O365",
"BrowserId": "14dc3979-59da-4b8e-b9d3-a49b716b1fe9",
"Call": "OAuth2:Authorize",
"CorrelationId": "a54f8379-730d-420c-a475-088d8478d894",
"DataSource": null,
"DeviceInfo": ";Windows 10;Chrome 91.0;",
"DeviceTrustType": "",
"EventType": "MCASLoginEvent",
"HomeTenantUserObjectId": "58518ac4-40e0-4dc3-a56b-565dcfe4e9d3",
"IpAddress": "1.2.3.6",
"IsDeviceCompliantAndManaged": false,
"IsInteractive": null,
"IsInteractiveComputed": true,
"LoginErrorCode": 16000,
"LoginStatus": "Failure",
"MfaAuthMethod": null,
"MfaMaskedDeviceId": null,
"MfaRequired": false,
"MfaResult": null,
"MfaStatusRaw": null,
"MsodsTenantRegionScope": "EU",
"RequestId": "a25feb7c-f23c-4152-9f46-d87e2e10d800",
"SasStatus": null,
"TenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"TimeStamp": "2021-07-13T17:26:35.1425646Z",
"Upn": "arunvnnk_gmail.com#EXT#@arunvnnkgmail.onmicrosoft.com",
"UserIsPassthru": false,
"UserName": "",
"UserPrincipalObjectID": "58518ac4-40e0-4dc3-a56b-565dcfe4e9d3",
"UserTenantId": null,
"UserTenantMsodsRegionScope": null
},
"resolvedActor": {
"governable": false,
"id": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"instanceId": "0",
"name": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"objType": "22",
"resolved": false,
"role": "2",
"saasId": "11161",
"tags": [
"000000200000000000000000"
]
},
"resolvedActorAccount": {
"governable": false,
"id": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"instanceId": "0",
"name": "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com",
"resolved": false,
"role": "2",
"saasId": "11161",
"tags": [
"000000200000000000000000"
]
},
"saasId": 11161,
"severity": "INFO",
"source": 2,
"srcAppId": 11161,
"tenantId": 97134000,
"timestamp": 1626197195142,
"timestampRaw": 1626197195142,
"uid": "710e5ae7f65ad8e997e3154db373ad08c2304f63e8b49cb98347fded4652131a",
"user": {
"userTags": [
"000000200000000000000000"
]
},
"userAgent": {
"browser": "CHROME",
"deviceType": "DESKTOP",
"family": "CHROME",
"major": "91",
"minor": "0",
"name": "Chrome",
"nativeBrowser": false,
"operatingSystem": {
"family": "Windows",
"name": "Windows 10",
"version": "10"
},
"os": "windows",
"type": "Browser",
"typeName": "Browser",
"version": "91.0"
}
},
{
"_id": "d1b3c191a5563edfbce3f11cad83155cf31552f6f0b40184b423f38e0c39f536",
"aadTenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"appId": 20893,
"appName": "Microsoft Exchange Online",
"classifications": [
"access"
],
"collected": {
"aadLogins": {
"MCAS_Router": false,
"correlationId": "e04722ca-92b5-4b3f-b3db-e42941c3baba",
"enqueueTime": 1626197400711,
"routingTime": 1626197400782
}
},
"confidenceLevel": 30,
"created": 1626197422850,
"createdRaw": 1626197422850,
"description": "Failed log on (Failure message: Error validating credentials due to invalid username or password.)",
"description_id": "EVENT_DESCRIPTION_FAILED_LOGIN",
"description_metadata": {
"activity_result_message": "(Failure message: Error validating credentials due to invalid username or password.)",
"colon": "",
"dash": "",
"event_category": "Failed log on"
},
"device": {
"clientIP": "1.2.3.4",
"countryCode": "DE",
"userAgent": ";;Python Requests 2.25;"
},
"entityData": [
{
"displayName": "John Example",
"id": {
"id": "john@example.onmicrosoft.com",
"inst": 0,
"saas": 11161
},
"resolved": true
},
{
"displayName": "John Example",
"id": {
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"inst": 0,
"saas": 11161
},
"resolved": true
}
],
"eventRouting": {
"auditing": true,
"dispersed": true,
"lograbber": true,
"scubaUnpacker": false
},
"eventType": 2293761,
"eventTypeName": "EVENT_CATEGORY_FAILED_LOGIN",
"eventTypeValue": "EVENT_AAD_LOGIN_FAILED",
"failedUserData": {
"userName": "john@example.onmicrosoft.com"
},
"genericEventType": "ENUM_ACTIVITY_GENERIC_TYPE_FAILED_LOGIN",
"instantiation": 1626197422679,
"instantiationRaw": 1626197422679,
"internals": {
"otherIPs": [
"1.2.3.4"
]
},
"location": {
"anonymousProxy": false,
"carrier": "amazon.com%2C inc",
"category": 5,
"categoryValue": "CLOUD_PROXY_NETWORK_IP",
"city": "frankfurt am main",
"countryCode": "DE",
"ipTags": [
"000000290000000000000000"
],
"isSatelliteProvider": false,
"latitude": 50.1109,
"longitude": 8.6821,
"organizationSearchable": "Amazon Web Services",
"postalCode": "60311",
"region": "hessen"
},
"lograbberService": {
"scubaUnpacker": true
},
"mainInfo": {
"activityResult": {
"isSuccess": false,
"message": "Error validating credentials due to invalid username or password."
},
"eventObjects": [
{
"id": "00000002-0000-0ff1-ce00-000000000000",
"name": "Office 365 Exchange Online",
"objType": 6,
"role": 1,
"tags": []
},
{
"id": "81f8ad85-b492-47a5-9138-a06543a0db00",
"name": "Request ID",
"objType": 7,
"role": 3,
"tags": []
},
{
"name": "Pass-through authentication",
"objType": 7,
"role": 3,
"tags": [],
"value": "false"
},
{
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"name": "john@example.onmicrosoft.com",
"objType": 2,
"resolved": true,
"role": 2,
"tags": []
},
{
"governable": false,
"id": "john@example.onmicrosoft.com",
"instanceId": 0,
"link": -162371653,
"name": "John Example",
"objType": 21,
"resolved": true,
"role": 5,
"saasId": 11161,
"tags": []
},
{
"governable": true,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"instanceId": 0,
"link": -162371653,
"name": "John Example",
"objType": 23,
"resolved": true,
"role": 5,
"saasId": 11161,
"tags": [
"5f01dbbc68df27c17aa6ca81"
]
}
],
"prettyOperationName": "OAuth2:Token",
"rawOperationName": "OAuth2:Token",
"type": "failedLogin"
},
"rawDataJson": {
"ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
"ApplicationName": "Office 365 Exchange Online",
"BrowserId": null,
"Call": "OAuth2:Token",
"CorrelationId": "e04722ca-92b5-4b3f-b3db-e42941c3baba",
"DataSource": null,
"DeviceInfo": ";;Python Requests 2.25;",
"DeviceTrustType": "",
"EventType": "MCASLoginEvent",
"HomeTenantUserObjectId": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"IpAddress": "1.2.3.4",
"IsDeviceCompliantAndManaged": false,
"IsInteractive": null,
"IsInteractiveComputed": true,
"LoginErrorCode": 50126,
"LoginStatus": "Failure",
"MfaAuthMethod": null,
"MfaMaskedDeviceId": null,
"MfaRequired": false,
"MfaResult": null,
"MfaStatusRaw": null,
"MsodsTenantRegionScope": "EU",
"RequestId": "81f8ad85-b492-47a5-9138-a06543a0db00",
"SasStatus": null,
"TenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"TimeStamp": "2021-07-13T17:26:24.4185255Z",
"Upn": "john@example.onmicrosoft.com",
"UserIsPassthru": false,
"UserName": "",
"UserPrincipalObjectID": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"UserTenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"UserTenantMsodsRegionScope": "EU"
},
"resolvedActor": {
"governable": true,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"instanceId": "0",
"name": "John Example",
"objType": "23",
"resolved": true,
"role": "2",
"saasId": "11161",
"tags": [
"5f01dbbc68df27c17aa6ca81"
]
},
"saasId": 20893,
"severity": "INFO",
"source": 2,
"srcAppId": 11161,
"tenantId": 97134000,
"timestamp": 1626197184418,
"timestampRaw": 1626197184418,
"uid": "d1b3c191a5563edfbce3f11cad83155cf31552f6f0b40184b423f38e0c39f536",
"user": {
"userTags": [
"5f01dbbc68df27c17aa6ca81"
]
},
"userAgent": {
"browser": "UNKNOWN",
"deviceType": "OTHER",
"family": "UNKNOWN",
"name": "Unknown",
"nativeBrowser": false,
"operatingSystem": {
"family": "Unknown",
"name": "Unknown"
},
"os": "OTHER",
"type": "Unknown",
"typeName": "Unknown"
}
},
{
"_id": "88b16c7195bd0bda2b9f4fff1f8eb22c34edc164dd16baf3d608ad4dba413fc0",
"aadTenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"appId": 20893,
"appName": "Microsoft Exchange Online",
"classifications": [
"access"
],
"collected": {
"aadLogins": {
"MCAS_Router": false,
"correlationId": "e2e0afa3-e52b-46d8-9550-10a78a8fbaba",
"enqueueTime": 1626197400711,
"routingTime": 1626197400782
}
},
"confidenceLevel": 30,
"created": 1626197423060,
"createdRaw": 1626197423060,
"description": "Failed log on (Failure message: Error validating credentials due to invalid username or password.)",
"description_id": "EVENT_DESCRIPTION_FAILED_LOGIN",
"description_metadata": {
"activity_result_message": "(Failure message: Error validating credentials due to invalid username or password.)",
"colon": "",
"dash": "",
"event_category": "Failed log on"
},
"device": {
"clientIP": "1.2.3.4",
"countryCode": "DE",
"userAgent": ";;Python Requests 2.25;"
},
"entityData": [
{
"displayName": "John Example",
"id": {
"id": "john@example.onmicrosoft.com",
"inst": 0,
"saas": 11161
},
"resolved": true
},
{
"displayName": "John Example",
"id": {
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"inst": 0,
"saas": 11161
},
"resolved": true
}
],
"eventRouting": {
"auditing": true,
"dispersed": true,
"lograbber": true,
"scubaUnpacker": false
},
"eventType": 2293761,
"eventTypeName": "EVENT_CATEGORY_FAILED_LOGIN",
"eventTypeValue": "EVENT_AAD_LOGIN_FAILED",
"failedUserData": {
"userName": "john@example.onmicrosoft.com"
},
"genericEventType": "ENUM_ACTIVITY_GENERIC_TYPE_FAILED_LOGIN",
"instantiation": 1626197422564,
"instantiationRaw": 1626197422564,
"internals": {
"otherIPs": [
"1.2.3.4"
]
},
"location": {
"anonymousProxy": false,
"carrier": "amazon.com%2C inc",
"category": 5,
"categoryValue": "CLOUD_PROXY_NETWORK_IP",
"city": "frankfurt am main",
"countryCode": "DE",
"ipTags": [
"000000290000000000000000"
],
"isSatelliteProvider": false,
"latitude": 50.1109,
"longitude": 8.6821,
"organizationSearchable": "Amazon Web Services",
"postalCode": "60311",
"region": "hessen"
},
"lograbberService": {
"scubaUnpacker": true
},
"mainInfo": {
"activityResult": {
"isSuccess": false,
"message": "Error validating credentials due to invalid username or password."
},
"eventObjects": [
{
"id": "00000002-0000-0ff1-ce00-000000000000",
"name": "Office 365 Exchange Online",
"objType": 6,
"role": 1,
"tags": []
},
{
"id": "81f8ad85-b492-47a5-9138-a065b49fdb00",
"name": "Request ID",
"objType": 7,
"role": 3,
"tags": []
},
{
"name": "Pass-through authentication",
"objType": 7,
"role": 3,
"tags": [],
"value": "false"
},
{
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"name": "john@example.onmicrosoft.com",
"objType": 2,
"resolved": true,
"role": 2,
"tags": []
},
{
"governable": false,
"id": "john@example.onmicrosoft.com",
"instanceId": 0,
"link": -162371653,
"name": "John Example",
"objType": 21,
"resolved": true,
"role": 5,
"saasId": 11161,
"tags": []
},
{
"governable": true,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"instanceId": 0,
"link": -162371653,
"name": "John Example",
"objType": 23,
"resolved": true,
"role": 5,
"saasId": 11161,
"tags": [
"5f01dbbc68df27c17aa6ca81"
]
}
],
"prettyOperationName": "OAuth2:Token",
"rawOperationName": "OAuth2:Token",
"type": "failedLogin"
},
"rawDataJson": {
"ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
"ApplicationName": "Office 365 Exchange Online",
"BrowserId": null,
"Call": "OAuth2:Token",
"CorrelationId": "e2e0afa3-e52b-46d8-9550-10a78a8fbaba",
"DataSource": null,
"DeviceInfo": ";;Python Requests 2.25;",
"DeviceTrustType": "",
"EventType": "MCASLoginEvent",
"HomeTenantUserObjectId": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"IpAddress": "1.2.3.4",
"IsDeviceCompliantAndManaged": false,
"IsInteractive": null,
"IsInteractiveComputed": true,
"LoginErrorCode": 50126,
"LoginStatus": "Failure",
"MfaAuthMethod": null,
"MfaMaskedDeviceId": null,
"MfaRequired": false,
"MfaResult": null,
"MfaStatusRaw": null,
"MsodsTenantRegionScope": "EU",
"RequestId": "81f8ad85-b492-47a5-9138-a065b49fdb00",
"SasStatus": null,
"TenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"TimeStamp": "2021-07-13T17:26:18.8088432Z",
"Upn": "john@example.onmicrosoft.com",
"UserIsPassthru": false,
"UserName": "",
"UserPrincipalObjectID": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"UserTenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"UserTenantMsodsRegionScope": "EU"
},
"resolvedActor": {
"governable": true,
"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
"instanceId": "0",
"name": "John Example",
"objType": "23",
"resolved": true,
"role": "2",
"saasId": "11161",
"tags": [
"5f01dbbc68df27c17aa6ca81"
]
},
"saasId": 20893,
"severity": "INFO",
"source": 2,
"srcAppId": 11161,
"tenantId": 97134000,
"timestamp": 1626197178808,
"timestampRaw": 1626197178808,
"uid": "88b16c7195bd0bda2b9f4fff1f8eb22c34edc164dd16baf3d608ad4dba413fc0",
"user": {
"userTags": [
"5f01dbbc68df27c17aa6ca81"
]
},
"userAgent": {
"browser": "UNKNOWN",
"deviceType": "OTHER",
"family": "UNKNOWN",
"name": "Unknown",
"nativeBrowser": false,
"operatingSystem": {
"family": "Unknown",
"name": "Unknown"
},
"os": "OTHER",
"type": "Unknown",
"typeName": "Unknown"
}
},
{
"_id": "4b23b9daccf2604cec7fc8654bd98480707b0114450dac11c4a9feab98ca2499",
"aadTenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"appId": 11161,
"appName": "Office 365",
"classifications": [
"access"
],
"collected": {
"aadLogins": {
"MCAS_Router": false,
"correlationId": "923cb4be-cba8-4102-b9fc-1e71f3135680",
"enqueueTime": 1626197312908,
"routingTime": 1626197312965
}
},
"confidenceLevel": 30,
"created": 1626197344376,
"createdRaw": 1626197344376,
"description": "Failed log on (Failure message: Session information is not sufficient for single-sign-on.)",
"description_id": "EVENT_DESCRIPTION_FAILED_LOGIN",
"description_metadata": {
"activity_result_message": "(Failure message: Session information is not sufficient for single-sign-on.)",
"colon": "",
"dash": "",
"event_category": "Failed log on"
},
"device": {
"clientIP": "1.2.3.6",
"countryCode": "NL",
"userAgent": ";Windows 10;Chrome 91.0;"
},
"entityData": [
{
"displayName": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"id": {
"id": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"inst": 0,
"saas": 11161
},
"resolved": false
}
],
"eventRouting": {
"auditing": true,
"dispersed": true,
"lograbber": true,
"scubaUnpacker": false
},
"eventType": 2293761,
"eventTypeName": "EVENT_CATEGORY_FAILED_LOGIN",
"eventTypeValue": "EVENT_AAD_LOGIN_FAILED",
"failedUserData": {
"userName": "spamphishing@arunvnnkgmail.onmicrosoft.com"
},
"genericEventType": "ENUM_ACTIVITY_GENERIC_TYPE_FAILED_LOGIN",
"instantiation": 1626197343779,
"instantiationRaw": 1626197343779,
"internals": {
"otherIPs": [
"1.2.3.6"
]
},
"location": {
"anonymousProxy": false,
"carrier": "eunetworks gmbh",
"category": 0,
"categoryValue": "NONE",
"city": "amsterdam",
"countryCode": "NL",
"isSatelliteProvider": false,
"latitude": 52.30905,
"longitude": 4.94019,
"organizationSearchable": "eunetworks",
"postalCode": "1101",
"region": "noord-holland"
},
"lograbberService": {
"scubaUnpacker": true
},
"mainInfo": {
"activityResult": {
"isSuccess": false,
"message": "Session information is not sufficient for single-sign-on."
},
"eventObjects": [
{
"id": "c61faf03-1cbc-4409-94a9-ae1497de0883",
"name": "EWS O365",
"objType": 6,
"role": 1,
"tags": []
},
{
"id": "0d0db62a-043e-447c-8ab3-1f2a184ec700",
"name": "Request ID",
"objType": 7,
"role": 3,
"tags": []
},
{
"name": "Pass-through authentication",
"objType": 7,
"role": 3,
"tags": [],
"value": "false"
},
{
"id": "76603c3a-c483-4111-8893-c69b172503ab",
"name": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"objType": 2,
"resolved": false,
"role": 2,
"tags": [
"000000200000000000000000"
]
},
{
"governable": false,
"id": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"instanceId": 0,
"link": 279741149,
"name": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"objType": 22,
"resolved": false,
"role": 5,
"saasId": 11161,
"tags": [
"000000200000000000000000"
]
}
],
"prettyOperationName": "Login:reprocess",
"rawOperationName": "Login:reprocess",
"type": "failedLogin"
},
"rawDataJson": {
"ApplicationId": "c61faf03-1cbc-4409-94a9-ae1497de0883",
"ApplicationName": "EWS O365",
"BrowserId": "14dc3979-59da-4b8e-b9d3-a49b716b1fe9",
"Call": "Login:reprocess",
"CorrelationId": "923cb4be-cba8-4102-b9fc-1e71f3135680",
"DataSource": null,
"DeviceInfo": ";Windows 10;Chrome 91.0;",
"DeviceTrustType": "",
"EventType": "MCASLoginEvent",
"HomeTenantUserObjectId": "76603c3a-c483-4111-8893-c69b172503ab",
"IpAddress": "1.2.3.6",
"IsDeviceCompliantAndManaged": false,
"IsInteractive": null,
"IsInteractiveComputed": true,
"LoginErrorCode": 50058,
"LoginStatus": "Failure",
"MfaAuthMethod": null,
"MfaMaskedDeviceId": null,
"MfaRequired": false,
"MfaResult": null,
"MfaStatusRaw": null,
"MsodsTenantRegionScope": "EU",
"RequestId": "0d0db62a-043e-447c-8ab3-1f2a184ec700",
"SasStatus": null,
"TenantId": "cafe1a16-cafe-dead-beef-1337c3c1d999",
"TimeStamp": "2021-07-13T17:26:14.6101710Z",
"Upn": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"UserIsPassthru": false,
"UserName": "",
"UserPrincipalObjectID": "76603c3a-c483-4111-8893-c69b172503ab",
"UserTenantId": null,
"UserTenantMsodsRegionScope": null
},
"resolvedActor": {
"governable": false,
"id": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"instanceId": "0",
"name": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"objType": "22",
"resolved": false,
"role": "2",
"saasId": "11161",
"tags": [
"000000200000000000000000"
]
},
"resolvedActorAccount": {
"governable": false,
"id": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"instanceId": "0",
"name": "spamphishing@arunvnnkgmail.onmicrosoft.com",
"resolved": false,
"role": "2",
"saasId": "11161",
"tags": [
"000000200000000000000000"
]
},
"saasId": 11161,
"severity": "INFO",
"source": 2,
"srcAppId": 11161,
"tenantId": 97134000,
"timestamp": 1626197174610,
"timestampRaw": 1626197174610,
"uid": "4b23b9daccf2604cec7fc8654bd98480707b0114450dac11c4a9feab98ca2499",
"user": {
"userTags": [
"000000200000000000000000"
]
},
"userAgent": {
"browser": "CHROME",
"deviceType": "DESKTOP",
"family": "CHROME",
"major": "91",
"minor": "0",
"name": "Chrome",
"nativeBrowser": false,
"operatingSystem": {
"family": "Windows",
"name": "Windows 10",
"version": "10"
},
"os": "windows",
"type": "Browser",
"typeName": "Browser",
"version": "91.0"
}
}
]
}
}

Human Readable Output#

Microsoft CAS Activity#

| activity_id | activity_date | app_name | description | severity |
| --- | --- | --- | --- | --- |
| 4b23b9daccf2604cec7fc8654bd98480707b0114450dac11c4a9feab98ca2499 | 2021-07-13T17:26:14.610000 | Office 365 | Failed log on (Failure message: Session information is not sufficient for single-sign-on.) | INFO |
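The failed-logon records in the Context Example above can be triaged by source using `device.clientIP`, `userAgent.typeName`, `location.categoryValue` and `rawDataJson.LoginErrorCode`. The Python below is an added example, not part of the integration: the function names and the `min_bad_passwords` threshold are assumptions, and the sample data is constructed from the four records above, trimmed to the fields it reads.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Error code shown in the sample next to "Error validating credentials due to
# invalid username or password."
INVALID_CREDENTIALS = 50126


def _rec(ip, ua_type, ip_category, code, user, ts_ms):
    """Build a trimmed activity record in the shape of the Context Example."""
    return {
        "eventTypeValue": "EVENT_AAD_LOGIN_FAILED",
        "device": {"clientIP": ip},
        "userAgent": {"typeName": ua_type},
        "location": {"categoryValue": ip_category},
        "rawDataJson": {"LoginErrorCode": code},
        "failedUserData": {"userName": user},
        "timestamp": ts_ms,
    }


# Constructed sample: values copied from the four records in the Context Example.
SAMPLE_ACTIVITIES = [
    _rec("1.2.3.6", "Browser", "NONE", 16000,
         "arunvnnk_gmail.com#ext#@arunvnnkgmail.onmicrosoft.com", 1626197195142),
    _rec("1.2.3.4", "Unknown", "CLOUD_PROXY_NETWORK_IP", 50126,
         "john@example.onmicrosoft.com", 1626197184418),
    _rec("1.2.3.4", "Unknown", "CLOUD_PROXY_NETWORK_IP", 50126,
         "john@example.onmicrosoft.com", 1626197178808),
    _rec("1.2.3.6", "Browser", "NONE", 50058,
         "spamphishing@arunvnnkgmail.onmicrosoft.com", 1626197174610),
]


def _get(record, *path, default=None):
    """Walk nested dicts without raising when a key is missing or null."""
    for key in path:
        if not isinstance(record, dict):
            return default
        record = record.get(key)
    return default if record is None else record


def summarize_failed_logins(activities):
    """Group failed-logon activities by source IP (hypothetical helper)."""
    by_ip = defaultdict(lambda: {
        "count": 0, "users": set(), "error_codes": defaultdict(int),
        "ua_types": set(), "ip_categories": set(),
        "first_seen": None, "last_seen": None,
    })
    for act in activities:
        if _get(act, "eventTypeValue") != "EVENT_AAD_LOGIN_FAILED":
            continue  # ignore anything that is not a failed Azure AD logon
        s = by_ip[_get(act, "device", "clientIP", default="unknown")]
        s["count"] += 1
        s["users"].add(_get(act, "failedUserData", "userName", default="unknown"))
        s["error_codes"][_get(act, "rawDataJson", "LoginErrorCode")] += 1
        ua_type = _get(act, "userAgent", "typeName")
        if ua_type is not None:
            s["ua_types"].add(ua_type)
        category = _get(act, "location", "categoryValue")
        if category is not None:
            s["ip_categories"].add(category)
        ts = _get(act, "timestamp")  # epoch milliseconds in the sample
        if isinstance(ts, (int, float)):
            when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc)
            s["first_seen"] = when if s["first_seen"] is None else min(s["first_seen"], when)
            s["last_seen"] = when if s["last_seen"] is None else max(s["last_seen"], when)
    return dict(by_ip)


def flag_sources(summary, min_bad_passwords=2):
    """Return {ip: [reasons]} for sources worth an analyst's attention."""
    findings = {}
    for ip, s in summary.items():
        reasons = []
        if s["error_codes"].get(INVALID_CREDENTIALS, 0) >= min_bad_passwords:
            reasons.append("repeated invalid credentials")
        if s["ua_types"] and "Browser" not in s["ua_types"]:
            reasons.append("non-browser client")
        if "CLOUD_PROXY_NETWORK_IP" in s["ip_categories"]:
            reasons.append("cloud or proxy network")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_sources(summarize_failed_logins(SAMPLE_ACTIVITIES)).items():
        print(ip, "->", ", ".join(reasons))
```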

microsoft-cas-files-list#


Returns a list of files that match the specified filters. Filters include file type, file share value, file extension, file quarantine status, and a custom filter. If you pass the custom_filter argument, it overrides the other filters in this command. Note: This command is supported only when using legacy authentication.

Base Command#

microsoft-cas-files-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | Skips the specified number of records. Default is 50. | Optional |
| limit | Maximum number of records to return. Default is 50. | Optional |
| file_type | The file type. Possible values are: Other, Document, Spreadsheet, Presentation, Text, Image, Folder. | Optional |
| sharing | Filter files with the specified sharing levels. Possible values are: Private, Internal, External, Public, Public_Internet. | Optional |
| extension | Filter files by the specified file extension. | Optional |
| quarantined | Filter by whether the file is quarantined. Possible values are: True, False. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument, it overrides the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
| file_id | Filter by the file ID. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.Files._id | String | The ID of the file. |
| MicrosoftCloudAppSecurity.Files.saasId | Number | The cloud service ID of the file. |
| MicrosoftCloudAppSecurity.Files.instId | Number | The instance ID of the file. |
| MicrosoftCloudAppSecurity.Files.fileSize | Number | The size of the file. |
| MicrosoftCloudAppSecurity.Files.createdDate | Date | The date the file was created. |
| MicrosoftCloudAppSecurity.Files.modifiedDate | Date | The date the file was last modified. |
| MicrosoftCloudAppSecurity.Files.parentId | String | The parent ID of the file. |
| MicrosoftCloudAppSecurity.Files.ownerName | String | The name of the file owner. |
| MicrosoftCloudAppSecurity.Files.isFolder | Boolean | Whether the file is a folder. |
| MicrosoftCloudAppSecurity.Files.fileType | String | The file type. |
| MicrosoftCloudAppSecurity.Files.name | String | The name of the file. |
| MicrosoftCloudAppSecurity.Files.isForeign | Boolean | Whether the file is foreign. |
| MicrosoftCloudAppSecurity.Files.noGovernance | Boolean | Whether the file is no governance. |
| MicrosoftCloudAppSecurity.Files.fileAccessLevel | String | The access level of the file. |
| MicrosoftCloudAppSecurity.Files.ownerAddress | String | The email address of the file owner. |
| MicrosoftCloudAppSecurity.Files.externalShares | String | The external shares of the file. |
| MicrosoftCloudAppSecurity.Files.domains | String | The domains of the file. |
| MicrosoftCloudAppSecurity.Files.mimeType | String | The mime type of the file. |
| MicrosoftCloudAppSecurity.Files.ownerExternal | Boolean | Whether the owner of this file is external. |
| MicrosoftCloudAppSecurity.Files.fileExtension | String | The file extension. |
| MicrosoftCloudAppSecurity.Files.groupIds | String | The group IDs of the file. |
| MicrosoftCloudAppSecurity.Files.groups | String | The group the file belongs to. |
| MicrosoftCloudAppSecurity.Files.collaborators | String | The collaborators of the file. |
| MicrosoftCloudAppSecurity.Files.fileStatus | String | The status of the file. |
| MicrosoftCloudAppSecurity.Files.appName | String | The name of the app. |
| MicrosoftCloudAppSecurity.Files.actions.task_name | String | The name of the task. |
| MicrosoftCloudAppSecurity.Files.actions.type | String | The type of actions taken on the file. |

Command Example#

!microsoft-cas-files-list file_type=Text skip=4 limit=5

Context Example#

{
"MicrosoftCloudAppSecurity": {
"Files": [
{
"_id": "5f60838dc3b664209dab9a97",
"_tid": 97134000,
"actions": [
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20200525154133.JPG.txt"
},
"template": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "QuarantineTask",
"type": "file",
"uiGovernanceCategory": 1
},
{
"alert_display_title": null,
"bulk_display_description": null,
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": null,
"display_alert_text": null,
"display_description": null,
"display_title": "TASKS_ADALIBPY_RESCAN_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "RescanFileTask",
"type": "file",
"uiGovernanceCategory": 0
},
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_TRASH_FILE_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_TRASH_FILE_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20200525154133.JPG.txt"
},
"template": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "TrashFileTask",
"type": "file",
"uiGovernanceCategory": 1
}
],
"alternateLink": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20200525154133.JPG.txt",
"appId": 15600,
"appName": "Microsoft OneDrive for Business",
"collaborators": [],
"createdDate": 1600160394000,
"display_collaborators": [],
"dlpScanResults": [],
"domains": [
"example.onmicrosoft.com"
],
"driveId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"effectiveParents": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"emails": [
"john@example.onmicrosoft.com"
],
"enriched": true,
"externalShares": [],
"fTags": [],
"facl": 0,
"fileAccessLevel": "PRIVATE",
"fileExtension": "txt",
"filePath": "/personal/avishai_example_onmicrosoft_com/Documents/20200525154133.JPG.txt",
"fileSize": 149,
"fileStatus": "EXISTS",
"fileType": "TEXT",
"fstat": 0,
"ftype": 4,
"groupIds": [],
"groups": [],
"id": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|2cdab441-4e3a-4b39-9d89-144292043e3b",
"instId": 0,
"isFolder": false,
"isForeign": false,
"lastNrtTimestamp": 1600223135932,
"mimeType": "text/plain",
"modifiedDate": 1600160411000,
"name": "20200525154133.JPG.txt",
"name_l": "20200525154133.jpg.txt",
"noGovernance": false,
"originalId": "5f60838dc3b664209dab9a97",
"ownerAddress": "john@example.onmicrosoft.com",
"ownerExternal": false,
"ownerName": "John Example",
"parentId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b",
"parentIds": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"saasId": 15600,
"scanVersion": 4,
"sharepointItem": {
"Author": {
"Email": "john@example.onmicrosoft.com",
"LoginName": "i:0#.f|membership|john@example.onmicrosoft.com",
"Title": "John Example",
"externalUser": false,
"idInSiteCollection": "4",
"name": "John Example",
"oneDriveEmail": "john@example.onmicrosoft.com",
"sipAddress": "john@example.onmicrosoft.com",
"sourceBitmask": 0,
"trueEmail": "john@example.onmicrosoft.com"
},
"Length": 149,
"LinkingUrl": "",
"ModifiedBy": {
"Email": "",
"LoginName": "i:0#.f|membership|tmcassp_fa02d7a6fe55edb22020060112572594@example.onmicrosoft.com",
"Title": "Cloud App Security Service Account for SharePoint"
},
"Name": "20200525154133.JPG.txt",
"ServerRelativeUrl": "/personal/avishai_example_onmicrosoft_com/Documents/20200525154133.JPG.txt",
"TimeCreated": "2020-09-15T08:59:54Z",
"TimeLastModified": "2020-09-15T09:00:11Z",
"UniqueId": "2cdab441-4e3a-4b39-9d89-144292043e3b",
"encodedAbsUrl": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20200525154133.JPG.txt",
"hasUniqueRoleAssignments": false,
"isFolder": false,
"parentUniqueId": "8f83a489-34b7-4bb6-a331-260d1291ef6b",
"roleAssignments": [],
"scopeId": "D853886D-DDEE-4A5D-BCB9-B6F072BC1413",
"urlFromMetadata": null
},
"siteCollection": "/personal/avishai_example_onmicrosoft_com",
"siteCollectionId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac",
"sitePath": "/personal/avishai_example_onmicrosoft_com",
"snapshotLastModifiedDate": "2020-09-16T02:25:36.178Z",
"spDomain": "https://example-my.sharepoint.com",
"unseenScans": 0
},
{
"_id": "5f39f079c3b664209de9c64c",
"_tid": 97134000,
"actions": [
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt"
},
"template": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "QuarantineTask",
"type": "file",
"uiGovernanceCategory": 1
},
{
"alert_display_title": null,
"bulk_display_description": null,
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": null,
"display_alert_text": null,
"display_description": null,
"display_title": "TASKS_ADALIBPY_RESCAN_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "RescanFileTask",
"type": "file",
"uiGovernanceCategory": 0
},
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_TRASH_FILE_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_TRASH_FILE_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt"
},
"template": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "TrashFileTask",
"type": "file",
"uiGovernanceCategory": 1
}
],
"alternateLink": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/WhatsApp%20Image%202020-08-02%20at%2011.04.46.jpeg.txt",
"appId": 15600,
"appName": "Microsoft OneDrive for Business",
"collaborators": [],
"createdDate": 1597632377000,
"display_collaborators": [],
"dlpScanResults": [],
"domains": [
"example.onmicrosoft.com"
],
"driveId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"effectiveParents": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"emails": [
"john@example.onmicrosoft.com"
],
"enriched": true,
"externalShares": [],
"fTags": [],
"facl": 0,
"fileAccessLevel": "PRIVATE",
"fileExtension": "txt",
"filePath": "/personal/avishai_example_onmicrosoft_com/Documents/WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt",
"fileSize": 149,
"fileStatus": "EXISTS",
"fileType": "TEXT",
"fstat": 0,
"ftype": 4,
"groupIds": [],
"groups": [],
"id": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|812d72fe-b578-4541-9767-16a546c64222",
"instId": 0,
"isFolder": false,
"isForeign": false,
"lastNrtTimestamp": 1597632633789,
"mimeType": "text/plain",
"modifiedDate": 1597632393000,
"name": "WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt",
"name_l": "whatsapp image 2020-08-02 at 11.04.46.jpeg.txt",
"noGovernance": false,
"originalId": "5f39f079c3b664209de9c64c",
"ownerAddress": "john@example.onmicrosoft.com",
"ownerExternal": false,
"ownerName": "John Example",
"parentId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b",
"parentIds": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"saasId": 15600,
"scanVersion": 4,
"sharepointItem": {
"Author": {
"Email": "john@example.onmicrosoft.com",
"LoginName": "i:0#.f|membership|john@example.onmicrosoft.com",
"Title": "John Example",
"externalUser": false,
"idInSiteCollection": "4",
"name": "John Example",
"oneDriveEmail": "john@example.onmicrosoft.com",
"sipAddress": "john@example.onmicrosoft.com",
"sourceBitmask": 0,
"trueEmail": "john@example.onmicrosoft.com"
},
"Length": 149,
"LinkingUrl": "",
"ModifiedBy": {
"Email": "",
"LoginName": "i:0#.f|membership|tmcassp_fa02d7a6fe55edb22020060112572594@example.onmicrosoft.com",
"Title": "Cloud App Security Service Account for SharePoint"
},
"Name": "WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt",
"ServerRelativeUrl": "/personal/avishai_example_onmicrosoft_com/Documents/WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt",
"TimeCreated": "2020-08-17T02:46:17Z",
"TimeLastModified": "2020-08-17T02:46:33Z",
"UniqueId": "812d72fe-b578-4541-9767-16a546c64222",
"encodedAbsUrl": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/WhatsApp%20Image%202020-08-02%20at%2011.04.46.jpeg.txt",
"hasUniqueRoleAssignments": false,
"isFolder": false,
"parentUniqueId": "8f83a489-34b7-4bb6-a331-260d1291ef6b",
"roleAssignments": [],
"scopeId": "D853886D-DDEE-4A5D-BCB9-B6F072BC1413",
"urlFromMetadata": null
},
"siteCollection": "/personal/avishai_example_onmicrosoft_com",
"siteCollectionId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac",
"sitePath": "/personal/avishai_example_onmicrosoft_com",
"snapshotLastModifiedDate": "2020-08-17T03:17:49.940Z",
"spDomain": "https://example-my.sharepoint.com",
"unseenScans": 0
},
{
"_id": "5f306f37c3b664209d444bf2",
"_tid": 97134000,
"actions": [
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20180726150700.JPG.txt"
},
"template": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "QuarantineTask",
"type": "file",
"uiGovernanceCategory": 1
},
{
"alert_display_title": null,
"bulk_display_description": null,
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": null,
"display_alert_text": null,
"display_description": null,
"display_title": "TASKS_ADALIBPY_RESCAN_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "RescanFileTask",
"type": "file",
"uiGovernanceCategory": 0
},
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_TRASH_FILE_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_TRASH_FILE_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20180726150700.JPG.txt"
},
"template": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "TrashFileTask",
"type": "file",
"uiGovernanceCategory": 1
}
],
"alternateLink": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20180726150700.JPG.txt",
"appId": 15600,
"appName": "Microsoft OneDrive for Business",
"collaborators": [],
"createdDate": 1597009526000,
"display_collaborators": [],
"dlpScanResults": [],
"domains": [
"example.onmicrosoft.com"
],
"driveId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"effectiveParents": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"emails": [
"john@example.onmicrosoft.com"
],
"enriched": true,
"externalShares": [],
"fTags": [],
"facl": 0,
"fileAccessLevel": "PRIVATE",
"fileExtension": "txt",
"filePath": "/personal/avishai_example_onmicrosoft_com/Documents/20180726150700.JPG.txt",
"fileSize": 149,
"fileStatus": "EXISTS",
"fileType": "TEXT",
"fstat": 0,
"ftype": 4,
"groupIds": [],
"groups": [],
"id": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|05dc1be3-d09f-401c-b2f2-1bb8ef4461cb",
"instId": 0,
"isFolder": false,
"isForeign": false,
"lastNrtTimestamp": 1597009774796,
"mimeType": "text/plain",
"modifiedDate": 1597009553000,
"name": "20180726150700.JPG.txt",
"name_l": "20180726150700.jpg.txt",
"noGovernance": false,
"originalId": "5f306f37c3b664209d444bf2",
"ownerAddress": "john@example.onmicrosoft.com",
"ownerExternal": false,
"ownerName": "John Example",
"parentId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b",
"parentIds": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"saasId": 15600,
"scanVersion": 4,
"sharepointItem": {
"Author": {
"Email": "john@example.onmicrosoft.com",
"LoginName": "i:0#.f|membership|john@example.onmicrosoft.com",
"Title": "John Example",
"externalUser": false,
"idInSiteCollection": "4",
"name": "John Example",
"oneDriveEmail": "john@example.onmicrosoft.com",
"sipAddress": "john@example.onmicrosoft.com",
"sourceBitmask": 0,
"trueEmail": "john@example.onmicrosoft.com"
},
"Length": 149,
"LinkingUrl": "",
"ModifiedBy": {
"Email": "",
"LoginName": "i:0#.f|membership|tmcassp_fa02d7a6fe55edb22020060112572594@example.onmicrosoft.com",
"Title": "Cloud App Security Service Account for SharePoint"
},
"Name": "20180726150700.JPG.txt",
"ServerRelativeUrl": "/personal/avishai_example_onmicrosoft_com/Documents/20180726150700.JPG.txt",
"TimeCreated": "2020-08-09T21:45:26Z",
"TimeLastModified": "2020-08-09T21:45:53Z",
"UniqueId": "05dc1be3-d09f-401c-b2f2-1bb8ef4461cb",
"encodedAbsUrl": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20180726150700.JPG.txt",
"hasUniqueRoleAssignments": false,
"isFolder": false,
"parentUniqueId": "8f83a489-34b7-4bb6-a331-260d1291ef6b",
"roleAssignments": [],
"scopeId": "D853886D-DDEE-4A5D-BCB9-B6F072BC1413",
"urlFromMetadata": null
},
"siteCollection": "/personal/avishai_example_onmicrosoft_com",
"siteCollectionId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac",
"sitePath": "/personal/avishai_example_onmicrosoft_com",
"snapshotLastModifiedDate": "2020-08-09T22:01:59.075Z",
"spDomain": "https://example-my.sharepoint.com",
"unseenScans": 0
},
{
"_id": "5f306f6ec3b664209d5013d3",
"_tid": 97134000,
"actions": [
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20180802_144154.jpg.txt"
},
"template": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "QuarantineTask",
"type": "file",
"uiGovernanceCategory": 1
},
{
"alert_display_title": null,
"bulk_display_description": null,
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": null,
"display_alert_text": null,
"display_description": null,
"display_title": "TASKS_ADALIBPY_RESCAN_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "RescanFileTask",
"type": "file",
"uiGovernanceCategory": 0
},
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_TRASH_FILE_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_TRASH_FILE_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20180802_144154.jpg.txt"
},
"template": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "TrashFileTask",
"type": "file",
"uiGovernanceCategory": 1
}
],
"alternateLink": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20180802_144154.jpg.txt",
"appId": 15600,
"appName": "Microsoft OneDrive for Business",
"collaborators": [],
"createdDate": 1597009520000,
"display_collaborators": [],
"dlpScanResults": [],
"domains": [
"example.onmicrosoft.com"
],
"driveId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"effectiveParents": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"emails": [
"john@example.onmicrosoft.com"
],
"enriched": true,
"externalShares": [],
"fTags": [],
"facl": 0,
"fileAccessLevel": "PRIVATE",
"fileExtension": "txt",
"filePath": "/personal/avishai_example_onmicrosoft_com/Documents/20180802_144154.jpg.txt",
"fileSize": 149,
"fileStatus": "EXISTS",
"fileType": "TEXT",
"fstat": 0,
"ftype": 4,
"groupIds": [],
"groups": [],
"id": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|2c34faf7-25c9-4fce-ba60-b1e62e706072",
"instId": 0,
"isFolder": false,
"isForeign": false,
"lastNrtTimestamp": 1597025421748,
"mimeType": "text/plain",
"modifiedDate": 1597009541000,
"name": "20180802_144154.jpg.txt",
"name_l": "20180802_144154.jpg.txt",
"noGovernance": false,
"originalId": "5f306f6ec3b664209d5013d3",
"ownerAddress": "john@example.onmicrosoft.com",
"ownerExternal": false,
"ownerName": "John Example",
"parentId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b",
"parentIds": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"saasId": 15600,
"scanVersion": 4,
"sharepointItem": {
"Author": {
"Email": "john@example.onmicrosoft.com",
"LoginName": "i:0#.f|membership|john@example.onmicrosoft.com",
"Title": "John Example",
"externalUser": false,
"idInSiteCollection": "4",
"name": "John Example",
"oneDriveEmail": "john@example.onmicrosoft.com",
"sipAddress": "john@example.onmicrosoft.com",
"sourceBitmask": 0,
"trueEmail": "john@example.onmicrosoft.com"
},
"Length": 149,
"LinkingUrl": "",
"ModifiedBy": {
"Email": "",
"LoginName": "i:0#.f|membership|tmcassp_fa02d7a6fe55edb22020060112572594@example.onmicrosoft.com",
"Title": "Cloud App Security Service Account for SharePoint"
},
"Name": "20180802_144154.jpg.txt",
"ServerRelativeUrl": "/personal/avishai_example_onmicrosoft_com/Documents/20180802_144154.jpg.txt",
"TimeCreated": "2020-08-09T21:45:20Z",
"TimeLastModified": "2020-08-09T21:45:41Z",
"UniqueId": "2c34faf7-25c9-4fce-ba60-b1e62e706072",
"encodedAbsUrl": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20180802_144154.jpg.txt",
"hasUniqueRoleAssignments": false,
"isFolder": false,
"parentUniqueId": "8f83a489-34b7-4bb6-a331-260d1291ef6b",
"roleAssignments": [],
"scopeId": "D853886D-DDEE-4A5D-BCB9-B6F072BC1413",
"urlFromMetadata": null
},
"siteCollection": "/personal/avishai_example_onmicrosoft_com",
"siteCollectionId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac",
"sitePath": "/personal/avishai_example_onmicrosoft_com",
"snapshotLastModifiedDate": "2020-08-10T02:10:24.305Z",
"spDomain": "https://example-my.sharepoint.com",
"unseenScans": 0
},
{
"_id": "5f306ef5c3b664209d36d024",
"_tid": 97134000,
"actions": [
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20170813_125133.jpg.txt"
},
"template": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_QUARANTINE_FILE_SHARING_PERMISSION_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "QuarantineTask",
"type": "file",
"uiGovernanceCategory": 1
},
{
"alert_display_title": null,
"bulk_display_description": null,
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": null,
"display_alert_text": null,
"display_description": null,
"display_title": "TASKS_ADALIBPY_RESCAN_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "RescanFileTask",
"type": "file",
"uiGovernanceCategory": 0
},
{
"alert_display_title": null,
"bulk_display_description": "TASKS_ADALIBPY_TRASH_FILE_BULK_DISPLAY_DESCRIPTION",
"bulk_support": true,
"confirm_button_style": "red",
"confirmation_button_text": null,
"confirmation_link": null,
"display_alert_success_text": "TASKS_ADALIBPY_TRASH_FILE_ALERT_SUCCESS_TEXT",
"display_alert_text": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_ALERT_TEXT",
"display_description": {
"parameters": {
"fileName": "20170813_125133.jpg.txt"
},
"template": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_DESCRIPTION"
},
"display_title": "TASKS_ADALIBPY_TRASH_FILE_DISPLAY_TITLE",
"governance_type": null,
"has_icon": true,
"is_blocking": null,
"optional_notify": null,
"preview_only": false,
"task_name": "TrashFileTask",
"type": "file",
"uiGovernanceCategory": 1
}
],
"alternateLink": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20170813_125133.jpg.txt",
"appId": 15600,
"appName": "Microsoft OneDrive for Business",
"collaborators": [],
"createdDate": 1597009499000,
"display_collaborators": [],
"dlpScanResults": [],
"domains": [
"example.onmicrosoft.com"
],
"driveId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"effectiveParents": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|ac8c3025-8b97-4758-ac74-c4b7c5c04ea0",
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"emails": [
"john@example.onmicrosoft.com"
],
"enriched": true,
"externalShares": [],
"fTags": [],
"facl": 0,
"fileAccessLevel": "PRIVATE",
"fileExtension": "txt",
"filePath": "/personal/avishai_example_onmicrosoft_com/Documents/20170813_125133.jpg.txt",
"fileSize": 149,
"fileStatus": "EXISTS",
"fileType": "TEXT",
"fstat": 0,
"ftype": 4,
"groupIds": [],
"groups": [],
"id": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|518d4da4-ffd7-43bc-beaf-c9fdc078b281",
"instId": 0,
"isFolder": false,
"isForeign": false,
"lastNrtTimestamp": 1597025421725,
"mimeType": "text/plain",
"modifiedDate": 1597009519000,
"name": "20170813_125133.jpg.txt",
"name_l": "20170813_125133.jpg.txt",
"noGovernance": false,
"originalId": "5f306ef5c3b664209d36d024",
"ownerAddress": "john@example.onmicrosoft.com",
"ownerExternal": false,
"ownerName": "John Example",
"parentId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b",
"parentIds": [
"cac4b654-5fcf-44f0-818e-479cf8ae42ac|8f83a489-34b7-4bb6-a331-260d1291ef6b"
],
"saasId": 15600,
"scanVersion": 4,
"sharepointItem": {
"Author": {
"Email": "john@example.onmicrosoft.com",
"LoginName": "i:0#.f|membership|john@example.onmicrosoft.com",
"Title": "John Example",
"externalUser": false,
"idInSiteCollection": "4",
"name": "John Example",
"oneDriveEmail": "john@example.onmicrosoft.com",
"sipAddress": "john@example.onmicrosoft.com",
"sourceBitmask": 0,
"trueEmail": "john@example.onmicrosoft.com"
},
"Length": 149,
"LinkingUrl": "",
"ModifiedBy": {
"Email": "",
"LoginName": "i:0#.f|membership|tmcassp_fa02d7a6fe55edb22020060112572594@example.onmicrosoft.com",
"Title": "Cloud App Security Service Account for SharePoint"
},
"Name": "20170813_125133.jpg.txt",
"ServerRelativeUrl": "/personal/avishai_example_onmicrosoft_com/Documents/20170813_125133.jpg.txt",
"TimeCreated": "2020-08-09T21:44:59Z",
"TimeLastModified": "2020-08-09T21:45:19Z",
"UniqueId": "518d4da4-ffd7-43bc-beaf-c9fdc078b281",
"encodedAbsUrl": "https://example-my.sharepoint.com/personal/avishai_example_onmicrosoft_com/Documents/20170813_125133.jpg.txt",
"hasUniqueRoleAssignments": false,
"isFolder": false,
"parentUniqueId": "8f83a489-34b7-4bb6-a331-260d1291ef6b",
"roleAssignments": [],
"scopeId": "D853886D-DDEE-4A5D-BCB9-B6F072BC1413",
"urlFromMetadata": null
},
"siteCollection": "/personal/avishai_example_onmicrosoft_com",
"siteCollectionId": "cac4b654-5fcf-44f0-818e-479cf8ae42ac",
"sitePath": "/personal/avishai_example_onmicrosoft_com",
"snapshotLastModifiedDate": "2020-08-10T02:10:24.782Z",
"spDomain": "https://example-my.sharepoint.com",
"unseenScans": 0
}
]
}
}

Human Readable Output#

Microsoft CAS Files#

| owner_name | file_id | file_type | file_name | file_access_level | file_status | app_name |
| --- | --- | --- | --- | --- | --- | --- |
| John Example | 5f60838dc3b664209dab9a97 | TEXT | 20200525154133.JPG.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
| John Example | 5f39f079c3b664209de9c64c | TEXT | WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
| John Example | 5f306f37c3b664209d444bf2 | TEXT | 20180726150700.JPG.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
| John Example | 5f306f6ec3b664209d5013d3 | TEXT | 20180802_144154.jpg.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
| John Example | 5f306ef5c3b664209d36d024 | TEXT | 20170813_125133.jpg.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |

microsoft-cas-users-accounts-list#


Returns a list of user accounts that match the specified filters. Filters include user account type, group ID, external/internal, user account status, and custom filter. The accounts object schema includes information about how users and accounts use your organization's cloud apps.

Base Command#

microsoft-cas-users-accounts-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | The number of records to skip. | Optional |
| limit | The maximum number of records to return. Default is 50. | Optional |
| type | The type by which to filter the information about the user accounts. | Optional |
| group_id | The group ID by which to filter the information about the user accounts. | Optional |
| is_admin | Filter the user accounts that are defined as admins. | Optional |
| is_external | The affiliation of the user accounts. Possible values are: External, Internal, No_value. | Optional |
| status | The status by which to filter the information about the user accounts. Possible values are: N/A, Staged, Active, Suspended, Deleted. | Optional |
| custom_filter | A custom filter by which to filter the returned user accounts. If you pass the custom_filter argument, it overrides the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.UsersAccounts.displayName | String | The display name of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.id | String | The ID of the user account in the product. |
| MicrosoftCloudAppSecurity.UsersAccounts._id | String | The ID of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.isAdmin | Boolean | Whether the user account has admin privileges. |
| MicrosoftCloudAppSecurity.UsersAccounts.isExternal | Boolean | Whether the user account is external. |
| MicrosoftCloudAppSecurity.UsersAccounts.email | String | The email address of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.role | String | The role of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.organization | String | The organization to which the user account belongs. |
| MicrosoftCloudAppSecurity.UsersAccounts.lastSeen | Unknown | The date the user account was last active. |
| MicrosoftCloudAppSecurity.UsersAccounts.domain | String | The domain of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.threatScore | Unknown | The threat score of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.idType | Number | The ID type (number) of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.isFake | Boolean | Whether the user account is marked as fake. |
| MicrosoftCloudAppSecurity.UsersAccounts.username | String | The username of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.actions.task_name | String | The task name of the action of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.actions.type | String | The type of action of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts._id | String | The account ID of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.inst | Number | The number of instances of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.saas | Number | The cloud services of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.dn | String | The domain name of the cloud services of the user accounts. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.aliases | String | The user account aliases. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.isFake | Boolean | Whether the user account is marked as fake. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.em | Unknown | The email address of the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.task_name | String | The task name of the action. |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.type | String | The type of the action. |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups._id | String | The ID of the user group for the user account. |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups.id | String | The ID of the user group in the product. |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups.name | String | The name of the user group. |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups.usersCount | Number | The number of users in the user group. |

Command Example#

!microsoft-cas-users-accounts-list status=Active limit=3

Context Example#

{
"MicrosoftCloudAppSecurity": {
"UsersAccounts": [
{
"_id": "604771d8478257f44b3082bc",
"actions": [],
"appData": {
"appId": 11161,
"instance": 0,
"name": "Office 365",
"saas": 11161
},
"displayName": "365 Defender Dev",
"domain": null,
"email": null,
"id": "bf44d272-ec7d-40c6-bef2-79200b3f2d55",
"idType": 17,
"identifiers": [],
"ii": "11161|0|bf44d272-ec7d-40c6-bef2-79200b3f2d55",
"isAdmin": false,
"isExternal": true,
"isFake": false,
"organization": null,
"role": null,
"scoreTrends": null,
"sctime": null,
"sid": null,
"status": 2,
"subApps": [],
"threatScore": null,
"type": 1,
"userGroups": [
{
"_id": "5e6fa9ade2367fc6340f487e",
"description": "App-initiated",
"id": "0000003b0000000000000000",
"name": "Application (Cloud App Security)",
"usersCount": 719
},
{
"_id": "5e6fa9ace2367fc6340f4864",
"description": "Either a user who is not a member of any of the managed domains you configured in General settings or a third-party app",
"id": "000000200000000000000000",
"name": "External users",
"usersCount": 171
}
],
"username": "{\"id\": \"bf44d272-ec7d-40c6-bef2-79200b3f2d55\", \"saas\": 11161, \"inst\": 0}"
},
{
"_id": "5f01dbe4229037823e32951b",
"actions": [],
"appData": {
"appId": 11161,
"instance": 0,
"name": "Office 365",
"saas": 11161
},
"displayName": "AAD App Management",
"domain": null,
"email": null,
"id": "f0ae4899-d877-4d3c-ae25-679e38eea492",
"idType": 17,
"identifiers": [],
"ii": "11161|0|f0ae4899-d877-4d3c-ae25-679e38eea492",
"isAdmin": false,
"isExternal": false,
"isFake": false,
"organization": null,
"role": null,
"scoreTrends": null,
"sctime": null,
"sid": null,
"status": 2,
"subApps": [],
"threatScore": null,
"type": 1,
"userGroups": [
{
"_id": "5e6fa9ade2367fc6340f487e",
"description": "App-initiated",
"id": "0000003b0000000000000000",
"name": "Application (Cloud App Security)",
"usersCount": 719
}
],
"username": "{\"id\": \"f0ae4899-d877-4d3c-ae25-679e38eea492\", \"saas\": 11161, \"inst\": 0}"
},
{
"_id": "5f01db9c229037823e2bf15c",
"actions": [],
"appData": {
"appId": 11161,
"instance": 0,
"name": "Office 365",
"saas": 11161
},
"displayName": "AAD Request Verification Service - PROD",
"domain": null,
"email": null,
"id": "c728155f-7b2a-4502-a08b-b8af9b269319",
"idType": 17,
"identifiers": [],
"ii": "11161|0|c728155f-7b2a-4502-a08b-b8af9b269319",
"isAdmin": false,
"isExternal": false,
"isFake": false,
"organization": null,
"role": null,
"scoreTrends": null,
"sctime": null,
"sid": null,
"status": 2,
"subApps": [],
"threatScore": null,
"type": 1,
"userGroups": [
{
"_id": "5e6fa9ade2367fc6340f487e",
"description": "App-initiated",
"id": "0000003b0000000000000000",
"name": "Application (Cloud App Security)",
"usersCount": 719
}
],
"username": "{\"id\": \"c728155f-7b2a-4502-a08b-b8af9b269319\", \"saas\": 11161, \"inst\": 0}"
}
]
}
}

Human Readable Output#

Microsoft CAS Users And Accounts#

| display_name | is_admin | is_external |
| --- | --- | --- |
| 365 Defender Dev | false | true |
| AAD App Management | false | false |
| AAD Request Verification Service - PROD | false | false |
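
The human-readable table shows only three fields, so triage usually works from the context output. The following is an added example, not part of the integration's own code: it flags external and admin accounts in `MicrosoftCloudAppSecurity.UsersAccounts` and checks that the JSON-encoded `username` agrees with `ii`, `id` and `appData`. The `saas|inst|id` layout of `ii` is inferred from the Context Example above, the function names are hypothetical, and the third sample record is constructed.

```python
import json

# Constructed sample: the first two records are trimmed from the Context Example
# above; the third is invented to exercise the mismatch path.
SAMPLE_CONTEXT = {
    "MicrosoftCloudAppSecurity": {
        "UsersAccounts": [
            {
                "displayName": "365 Defender Dev",
                "id": "bf44d272-ec7d-40c6-bef2-79200b3f2d55",
                "ii": "11161|0|bf44d272-ec7d-40c6-bef2-79200b3f2d55",
                "isAdmin": False,
                "isExternal": True,
                "appData": {"appId": 11161, "instance": 0, "saas": 11161},
                "userGroups": [{"name": "Application (Cloud App Security)"},
                               {"name": "External users"}],
                "username": '{"id": "bf44d272-ec7d-40c6-bef2-79200b3f2d55", "saas": 11161, "inst": 0}',
            },
            {
                "displayName": "AAD App Management",
                "id": "f0ae4899-d877-4d3c-ae25-679e38eea492",
                "ii": "11161|0|f0ae4899-d877-4d3c-ae25-679e38eea492",
                "isAdmin": False,
                "isExternal": False,
                "appData": {"appId": 11161, "instance": 0, "saas": 11161},
                "userGroups": [{"name": "Application (Cloud App Security)"}],
                "username": '{"id": "f0ae4899-d877-4d3c-ae25-679e38eea492", "saas": 11161, "inst": 0}',
            },
            {
                "displayName": "Constructed Mismatch",
                "id": "00000000-0000-0000-0000-000000000001",
                "ii": "11161|0|00000000-0000-0000-0000-000000000001",
                "isAdmin": True,
                "isExternal": False,
                "appData": {"appId": 11161, "instance": 0, "saas": 11161},
                "userGroups": [],
                "username": '{"id": "00000000-0000-0000-0000-000000000002", "saas": 11161, "inst": 0}',
            },
        ]
    }
}


def decode_username(raw):
    """Return the object encoded in `username`, or None if absent or not a JSON object."""
    if not isinstance(raw, str):
        return None
    try:
        value = json.loads(raw)
    except ValueError:
        return None
    return value if isinstance(value, dict) else None


def triage_account(acct):
    """Build a triage row (name, id, flags, groups) for one UsersAccounts entry."""
    flags = []
    if acct.get("isExternal"):
        flags.append("external")
    if acct.get("isAdmin"):
        flags.append("admin")
    ident = decode_username(acct.get("username"))
    app = acct.get("appData") or {}
    if ident is None:
        flags.append("username-not-decoded")
    else:
        expected_ii = "{}|{}|{}".format(ident.get("saas"), ident.get("inst"), ident.get("id"))
        if (expected_ii != acct.get("ii") or ident.get("id") != acct.get("id")
                or ident.get("saas") != app.get("saas")):
            flags.append("identity-mismatch")
    groups = sorted(g.get("name", "") for g in acct.get("userGroups") or [])
    return {"displayName": acct.get("displayName"), "id": acct.get("id"),
            "flags": flags, "groups": groups}


def triage(context):
    """Return triage rows, in input order, for accounts that raised at least one flag."""
    accounts = context.get("MicrosoftCloudAppSecurity", {}).get("UsersAccounts") or []
    if isinstance(accounts, dict):  # a single result may be stored as one object
        accounts = [accounts]
    return [row for row in map(triage_account, accounts) if row["flags"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_CONTEXT):
        print(row["displayName"], row["flags"], row["groups"])
```
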