Microsoft Cloud App Security

This is the MicrosoftCloudAppSecurity integration. This integration was integrated and tested with version 178 of MicrosoftCloudAppSecurity.

For more details about how to generate a new token, see Microsoft Cloud App Security - Managing API tokens.

For more information about which permissions are required for the token owner in Microsoft Cloud App Security, see Microsoft Cloud App Security - Manage admin access.

Configure MicrosoftCloudAppSecurity on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for MicrosoftCloudAppSecurity.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| token | User's key to access the API | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| severity | Incidents Severity | False |
| max_fetch | Maximum alerts to fetch | False |
| first_fetch | First fetch time | False |
| resolution_status | Incident resolution status | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

microsoft-cas-alert-dismiss-bulk

Command to dismiss multiple alerts matching the specified filters.

Base Command

microsoft-cas-alert-dismiss-bulk

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Multiple alerts matching the specified filters. Alert_id should be like this template - "55af7415f8a0a7a29eef2e1f". | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. Example for Custom Filter: {"entity.policy":{"eq":"Impossible travel"}}. For more information about filter syntax, please see Microsoft Docs. | Optional |
| comment | Comment about why the alerts are dismissed. | Optional |

Context Output

Because the API does not return a value relevant to this command, this command has no outputs.

Command Example

!microsoft-cas-alert-dismiss-bulk

Context Example

{}

microsoft-cas-alerts-list

Lists alerts matching the specified filters and prints them.

Base Command

microsoft-cas-alerts-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | Skips the specified number of records. | Optional |
| limit | Maximum number of records returned by the request. | Optional |
| severity | The severity of the alert. | Optional |
| service | Filter alerts related to the specified service appId. | Optional |
| instance | Filter alerts related to the specified instances. | Optional |
| resolution_status | Filter by alert resolution status. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. Example for Custom Filter: {"entity.policy":{"eq":"Impossible travel"}}. For more information about filter syntax, please see Microsoft Docs. | Optional |
| alert_id | Alert ID. | Optional |
| username | Username (usually an email address). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.Alerts._id | String | Alert id |
| MicrosoftCloudAppSecurity.Alerts.timestamp | Date | Alert date |
| MicrosoftCloudAppSecurity.Alerts.policyRule.id | Number | Alerts policyRule id |
| MicrosoftCloudAppSecurity.Alerts.policyRule.label | String | Alerts policyRule label |
| MicrosoftCloudAppSecurity.Alerts.policyRule.type | String | Alerts policyRule type |
| MicrosoftCloudAppSecurity.Alerts.policyRule.policyType | String | Alerts policyRule policyType |
| MicrosoftCloudAppSecurity.Alerts.service.id | Number | Alerts service id |
| MicrosoftCloudAppSecurity.Alerts.service.label | Number | Alerts service label |
| MicrosoftCloudAppSecurity.Alerts.service.type | Number | Alerts service type |
| MicrosoftCloudAppSecurity.Alerts.file.id | Number | Alerts file id |
| MicrosoftCloudAppSecurity.Alerts.file.label | Number | Alerts file label |
| MicrosoftCloudAppSecurity.Alerts.file.type | Number | Alerts file type |
| MicrosoftCloudAppSecurity.Alerts.user.id | Number | Alerts user id |
| MicrosoftCloudAppSecurity.Alerts.user.label | Number | Alerts user label |
| MicrosoftCloudAppSecurity.Alerts.user.type | Number | Alerts user type |
| MicrosoftCloudAppSecurity.Alerts.country.id | Number | Alerts country id |
| MicrosoftCloudAppSecurity.Alerts.country.label | Number | Alerts country label |
| MicrosoftCloudAppSecurity.Alerts.country.type | Number | Alerts country type |
| MicrosoftCloudAppSecurity.Alerts.ip.id | Number | Alerts ip id |
| MicrosoftCloudAppSecurity.Alerts.ip.label | Number | Alerts ip label |
| MicrosoftCloudAppSecurity.Alerts.ip.type | Number | Alerts ip type |
| MicrosoftCloudAppSecurity.Alerts.ip.triggeredAlert | Number | Alerts ip triggeredAlert |
| MicrosoftCloudAppSecurity.Alerts.account.id | Number | Alerts account id |
| MicrosoftCloudAppSecurity.Alerts.account.label | Number | Alerts account label |
| MicrosoftCloudAppSecurity.Alerts.account.type | Number | Alerts account type |
| MicrosoftCloudAppSecurity.Alerts.account.inst | Number | Alerts account inst |
| MicrosoftCloudAppSecurity.Alerts.account.saas | Number | Alerts account saas |
| MicrosoftCloudAppSecurity.Alerts.account.pa | Number | Alerts account pa |
| MicrosoftCloudAppSecurity.Alerts.account.entityType | Number | Alerts account entityType |
| MicrosoftCloudAppSecurity.Alerts.title | String | Alert title |
| MicrosoftCloudAppSecurity.Alerts.description | String | Alert description |
| MicrosoftCloudAppSecurity.Alerts.policy.id | String | Alert policy id |
| MicrosoftCloudAppSecurity.Alerts.policy.label | String | Alert policy label |
| MicrosoftCloudAppSecurity.Alerts.policy.policyType | String | Alert policy policyType |
| MicrosoftCloudAppSecurity.Alerts.threatScore | Number | Alert threatScore |
| MicrosoftCloudAppSecurity.Alerts.isSystemAlert | Number | Alert isSystemAlert |
| MicrosoftCloudAppSecurity.Alerts.statusValue | Number | Alert statusValue |
| MicrosoftCloudAppSecurity.Alerts.severityValue | Number | Alert severityValue |
| MicrosoftCloudAppSecurity.Alerts.handledByUser | Unknown | Alert handledByUser |
| MicrosoftCloudAppSecurity.Alerts.comment | Unknown | Alert comment |
| MicrosoftCloudAppSecurity.Alerts.resolveTime | Date | Alert resolveTime |

Command Example

Human Readable Output

microsoft-cas-alert-resolve-bulk

Command to resolve multiple alerts matching the specified filters.

Base Command

microsoft-cas-alert-resolve-bulk

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Multiple alerts matching the specified filters. Alert_id should be like this template - "55af7415f8a0a7a29eef2e1f". | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. Example for Custom Filter: {"entity.policy":{"eq":"Impossible travel"}}. For more information about filter syntax, please see Microsoft Docs. | Optional |
| comment | Comment about why the alerts are dismissed. | Optional |

Context Output

Because the API does not return a value relevant to this command, this command has no outputs.

Command Example

!microsoft-cas-alert-resolve-bulk

Context Example

{}

Human Readable Output
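Because the bulk dismiss and resolve commands return no output, a mistake in alert_id or custom_filter is easy to miss. The following is an added example, not code from the integration: a pre-flight check that builds the argument dictionary for either bulk command. It assumes that multiple alert IDs are passed as one comma-separated string, that filter field names are dotted identifiers without whitespace, and that a comment is mandatory as local policy; the function names are hypothetical.

```python
import json
import re

# The page gives "55af7415f8a0a7a29eef2e1f" as the alert_id template: 24 hex characters.
ALERT_ID_RE = re.compile(r"[0-9a-f]{24}")
# Assumption of this example: field names are dotted identifiers with no whitespace.
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def validate_custom_filter(raw):
    """Parse a custom_filter string and check its {field: {operator: value}} shape."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"custom_filter is not valid JSON: {exc}") from exc
    if not isinstance(parsed, dict) or not parsed:
        raise ValueError("custom_filter must be a non-empty JSON object")
    for field, condition in parsed.items():
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"suspicious filter field name: {field!r}")
        if not isinstance(condition, dict) or not condition:
            raise ValueError(f"filter {field!r} needs an operator object")
    return parsed


def build_bulk_args(alert_ids=None, custom_filter=None, comment=None):
    """Return the args dict for a bulk dismiss/resolve call, or raise ValueError.

    Exactly one selector is accepted so that it is always clear which alerts
    the bulk action will touch, and the comment is kept as the audit trail.
    """
    alert_ids = list(alert_ids or [])
    if bool(alert_ids) == bool(custom_filter):
        raise ValueError("pass exactly one of alert_ids or custom_filter")
    if not comment or not comment.strip():
        raise ValueError("a comment explaining the bulk action is required")

    args = {"comment": comment.strip()}
    if alert_ids:
        bad = [a for a in alert_ids if not ALERT_ID_RE.fullmatch(a)]
        if bad:
            raise ValueError(f"alert IDs not matching the 24-hex template: {bad}")
        # De-duplicate while keeping order; comma-joining is an assumption.
        args["alert_id"] = ",".join(dict.fromkeys(alert_ids))
    else:
        checked = validate_custom_filter(custom_filter)
        args["custom_filter"] = json.dumps(checked, separators=(",", ":"))
    return args


if __name__ == "__main__":
    # Constructed inputs: the ID and the filter are the samples shown on this page.
    print(build_bulk_args(alert_ids=["55af7415f8a0a7a29eef2e1f"],
                          comment="False positive, VPN egress"))
    print(build_bulk_args(
        custom_filter='{"entity.policy": {"eq": "Impossible travel"}}',
        comment="Policy tuned, closing backlog"))
```

In an automation, the returned dictionary is what would be handed to the command as its arguments.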

microsoft-cas-activities-list

Command to list activities matching the specified filters.

Base Command

microsoft-cas-activities-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | Skips the specified number of records. | Optional |
| limit | Maximum number of records returned by the request. | Optional |
| service | Filter activities related to the specified service appID. | Optional |
| instance | Filter activities from specified instances. | Optional |
| ip | Filter activities originating from the given IP address. | Optional |
| ip_category | Filter activities with the specified subnet categories. | Optional |
| username | Filter activities by the user who performed the activity. | Optional |
| taken_action | Filter activities by the actions taken on them. | Optional |
| source | Filter all activities by source type. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. Example for Custom Filter: {"entity.policy":{"eq":"Impossible travel"}}. For more information about filter syntax, please see Microsoft Docs. | Optional |
| activity_id | The ID of the activity. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.Activities._id | String | Activities _id |
| MicrosoftCloudAppSecurity.Activities.saasId | Number | Activities saasId |
| MicrosoftCloudAppSecurity.Activities.timestamp | Date | Activities timestamp |
| MicrosoftCloudAppSecurity.Activities.instantiation | Date | Activities instantiation |
| MicrosoftCloudAppSecurity.Activities.created | Date | Activities created |
| MicrosoftCloudAppSecurity.Activities.eventTypeValue | String | Activities eventTypeValue |
| MicrosoftCloudAppSecurity.Activities.device.clientIP | String | Activities device clientIP |
| MicrosoftCloudAppSecurity.Activities.device.userAgent | String | Activities device userAgent |
| MicrosoftCloudAppSecurity.Activities.device.countryCode | String | Activities device countryCode |
| MicrosoftCloudAppSecurity.Activities.location.countryCode | String | Activities location countryCode |
| MicrosoftCloudAppSecurity.Activities.location.city | String | Activities location city |
| MicrosoftCloudAppSecurity.Activities.location.region | String | Activities location region |
| MicrosoftCloudAppSecurity.Activities.location.longitude | Number | Activities location longitude |
| MicrosoftCloudAppSecurity.Activities.location.latitude | Number | Activities location latitude |
| MicrosoftCloudAppSecurity.Activities.location.categoryValue | String | Activities location categoryValue |
| MicrosoftCloudAppSecurity.Activities.user.userName | String | Activities user userName |
| MicrosoftCloudAppSecurity.Activities.userAgent.family | String | Activities userAgent family |
| MicrosoftCloudAppSecurity.Activities.userAgent.name | String | Activities userAgent name |
| MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.name | String | Activities userAgent operatingSystem.name |
| MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.family | String | Activities userAgent operatingSystem family |
| MicrosoftCloudAppSecurity.Activities.userAgent.type | String | Activities userAgent type |
| MicrosoftCloudAppSecurity.Activities.userAgent.typeName | String | Activities userAgent typeName |
| MicrosoftCloudAppSecurity.Activities.userAgent.version | String | Activities userAgent version |
| MicrosoftCloudAppSecurity.Activities.userAgent.deviceType | String | Activities userAgent deviceType |
| MicrosoftCloudAppSecurity.Activities.userAgent.nativeBrowser | Number | Activities userAgent nativeBrowser |
| MicrosoftCloudAppSecurity.Activities.userAgent.os | String | Activities userAgent os |
| MicrosoftCloudAppSecurity.Activities.userAgent.browser | String | Activities userAgent browser |
| MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.instanceId | Number | Activities mainInfo eventObjects instanceId |
| MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.saasId | Number | Activities mainInfo eventObjects saasId |
| MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.id | String | Activities mainInfo eventObjects id |
| MicrosoftCloudAppSecurity.Activities.mainInfo.activityResult.isSuccess | String | Activities mainInfo activityResult isSuccess |
| MicrosoftCloudAppSecurity.Activities.mainInfo.type | String | Activities mainInfo type |
| MicrosoftCloudAppSecurity.Activities.confidenceLevel | Number | Activities confidenceLevel |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.id | String | Activities resolvedActor id |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.saasId | String | Activities resolvedActor saasId |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.instanceId | String | Activities resolvedActor instanceId |
| MicrosoftCloudAppSecurity.Activities.resolvedActor.name | String | Activities resolvedActor name |
| MicrosoftCloudAppSecurity.Activities.eventTypeName | String | Activities eventTypeName |
| MicrosoftCloudAppSecurity.Activities.classifications | String | Activities classifications |
| MicrosoftCloudAppSecurity.Activities.entityData.displayName | String | Activities entityData displayName |
| MicrosoftCloudAppSecurity.Activities.entityData.id.id | String | Activities entityData id id |
| MicrosoftCloudAppSecurity.Activities.entityData.resolved | Number | Activities entityData resolved |
| MicrosoftCloudAppSecurity.Activities.description | String | Activities description |
| MicrosoftCloudAppSecurity.Activities.genericEventType | String | Activities genericEventType |
| MicrosoftCloudAppSecurity.Activities.severity | String | Activities severity |

Command Example

Human Readable Output

microsoft-cas-files-list

Command to fetch a list of files matching the specified filters.

Base Command

microsoft-cas-files-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | Skips the specified number of records. | Optional |
| limit | Maximum number of records returned by the request. | Optional |
| service | Filter files from specified app appID. | Optional |
| instance | Filter files from specified instances. | Optional |
| file_type | Filter files with the specified file type. | Optional |
| username | Filter files owned by specified entities. | Optional |
| sharing | Filter files with the specified sharing levels. | Optional |
| extension | Filter files by a given file extension. | Optional |
| quarantined | Filter by whether the file is quarantined. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. Example for Custom Filter: {"entity.policy":{"eq":"Impossible travel"}}. For more information about filter syntax, please see Microsoft Docs. | Optional |
| file_id | Filter by file ID. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.Files._id | String | Files _id |
| MicrosoftCloudAppSecurity.Files.saasId | Number | Files saasId |
| MicrosoftCloudAppSecurity.Files.instId | Number | Files instId |
| MicrosoftCloudAppSecurity.Files.fileSize | Number | Files fileSize |
| MicrosoftCloudAppSecurity.Files.createdDate | Date | Files createdDate |
| MicrosoftCloudAppSecurity.Files.modifiedDate | Date | Files modifiedDate |
| MicrosoftCloudAppSecurity.Files.parentId | String | Files parentId |
| MicrosoftCloudAppSecurity.Files.ownerName | String | Files ownerName |
| MicrosoftCloudAppSecurity.Files.isFolder | Number | Files isFolder |
| MicrosoftCloudAppSecurity.Files.fileType | String | Files fileType |
| MicrosoftCloudAppSecurity.Files.name | String | Files name |
| MicrosoftCloudAppSecurity.Files.isForeign | Number | Files isForeign |
| MicrosoftCloudAppSecurity.Files.noGovernance | Number | Files noGovernance |
| MicrosoftCloudAppSecurity.Files.fileAccessLevel | String | Files fileAccessLevel |
| MicrosoftCloudAppSecurity.Files.ownerAddress | String | Files ownerAddress |
| MicrosoftCloudAppSecurity.Files.externalShares | String | Files externalShares |
| MicrosoftCloudAppSecurity.Files.domains | String | Files domains |
| MicrosoftCloudAppSecurity.Files.mimeType | String | Files mimeType |
| MicrosoftCloudAppSecurity.Files.ownerExternal | Number | Files ownerExternal |
| MicrosoftCloudAppSecurity.Files.fileExtension | String | Files fileExtension |
| MicrosoftCloudAppSecurity.Files.groupIds | String | Files groupIds |
| MicrosoftCloudAppSecurity.Files.groups | String | Files groups |
| MicrosoftCloudAppSecurity.Files.collaborators | String | Files collaborators |
| MicrosoftCloudAppSecurity.Files.fileStatus | String | Files fileStatus |
| MicrosoftCloudAppSecurity.Files.appName | String | Files appName |
| MicrosoftCloudAppSecurity.Files.actions.task_name | String | Files actions task_name |
| MicrosoftCloudAppSecurity.Files.actions.type | String | Files actions type |

Command Example

!microsoft-cas-files-list

Context Example

Human Readable Output

Results

| owner_name | file_create_date | file_type | file_name | file_access_level | file_status | app_name |
| --- | --- | --- | --- | --- | --- | --- |
| John Smith | 1595199073000 | 4, TEXT | 20200325_101206.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1595199072000 | 4, TEXT | 20200325_100518.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1595199073000 | 5, IMAGE | 12345678-cafe-dead-beef-ca070a36092e.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1595199072000 | 5, IMAGE | 12345678-cafe-dead-beef-b3b46a6d77f9.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| SharePoint App | 1594890271000 |  | playbook_folder | 1, INTERNAL | 0, EXISTS | Microsoft SharePoint Online |
| SharePoint App | 1594890070000 | 4, TEXT | test.txt | 1, INTERNAL | 0, EXISTS | Microsoft SharePoint Online |
| John Smith | 1594721784000 | 4, TEXT | 20200325_101206.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594721784000 | 5, IMAGE | 12345678-cafe-dead-beef-9af56fe0585b.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594721767000 | 4, TEXT | IMG-20200619-WA0000.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594721767000 | 5, IMAGE | 12345678-cafe-dead-beef-fc3b0a3a02e8.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326579000 | 4, TEXT | 20200325_104025.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326579000 | 4, TEXT | 20200325_101544.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326579000 | 5, IMAGE | 12345678-cafe-dead-beef-57ccdca766aa.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326572000 | 4, TEXT | DSC_6375.JPG.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326579000 | 5, IMAGE | 12345678-cafe-dead-beef-838665d33aa8.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326572000 | 5, IMAGE | 12345678-cafe-dead-beef-1b3e5cb3f878.JPG | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326560000 | 4, TEXT | 20200325_100530.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326570000 | 4, TEXT | 20200325_101206.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326560000 | 5, IMAGE | 12345678-cafe-dead-beef-a670c7317bfc.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326573000 | 4, TEXT | 20200325_101451.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326570000 | 5, IMAGE | 12345678-cafe-dead-beef-828906a2e0b4.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326573000 | 5, IMAGE | 12345678-cafe-dead-beef-24215449ab36.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326559000 | 4, TEXT | 20200325_100518.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326559000 | 5, IMAGE | 12345678-cafe-dead-beef-7a1ac1f1f3e5.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326548000 | 4, TEXT | photo_2020-07-05 18.33.29.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326551000 | 4, TEXT | photo_2020-07-05 18.33.46.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326545000 | 4, TEXT | photo_2020-07-05 18.06.47.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326548000 | 5, IMAGE | 12345678-cafe-dead-beef-1880feaf90ff.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326548000 | 4, TEXT | photo_2020-07-05 18.33.38.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326546000 | 4, TEXT | photo_2020-07-05 18.06.51.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326551000 | 5, IMAGE | 12345678-cafe-dead-beef-c9f5d143283c.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326545000 | 5, IMAGE | 12345678-cafe-dead-beef-2d65a84f383b.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326548000 | 5, IMAGE | 12345678-cafe-dead-beef-430368e8fecf.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326546000 | 5, IMAGE | 12345678-cafe-dead-beef-8b98d4c03aa3.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326542000 | 4, TEXT | photo_2020-07-05 18.06.33.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326543000 | 4, TEXT | photo_2020-07-05 18.06.40.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326540000 | 4, TEXT | IMG-20200619-WA0000.jpg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
| John Smith | 1594326540000 | 4, TEXT | photo_2020-07-05 18.06.26.jpeg.txt | 0, PRIVATE | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326543000 | 5, IMAGE | 12345678-cafe-dead-beef-25cc5b5e5f84.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326542000 | 5, IMAGE | 12345678-cafe-dead-beef-66f5a48e7973.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326540000 | 5, IMAGE | 12345678-cafe-dead-beef-30bee381e8ff.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594326540000 | 5, IMAGE | 12345678-cafe-dead-beef-bfe508b9a649.jpeg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594325614000 | 5, IMAGE | 12345678-cafe-dead-beef-4eaa7c4186c6.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594325614000 | 5, IMAGE | 12345678-cafe-dead-beef-bbdf2c002a6a.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |
|  | 1594325610000 | 5, IMAGE | 12345678-cafe-dead-beef-588fc13d54d8.jpg | 1, INTERNAL | 0, EXISTS | Microsoft OneDrive for Business |

microsoft-cas-users-accounts-list

Command for basic information about the users and accounts using your organization's cloud apps.

Base Command

microsoft-cas-users-accounts-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| skip | Skips the specified number of records. | Optional |
| limit | Maximum number of records returned by the request. | Optional |
| service | Filter entities using services with the specified SaaS ID. | Optional |
| instance | Filter entities using services with the specified Appstances. | Optional |
| type | Filter entities by their type. | Optional |
| username | Filter entities with specific entities pks. If a user is selected, will also return all of its accounts. | Optional |
| group_id | Filter entities by their associated group IDs. | Optional |
| is_admin | Filter entities that are admins. | Optional |
| is_external | The entity's affiliation. | Optional |
| status | Filter entities by status. | Optional |
| custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. Example for Custom Filter: {"entity.policy":{"eq":"Impossible travel"}}. For more information about filter syntax, please see Microsoft Docs. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftCloudAppSecurity.UsersAccounts.displayName | String | UsersAccounts displayName |
| MicrosoftCloudAppSecurity.UsersAccounts.id | String | UsersAccounts cloud service id |
| MicrosoftCloudAppSecurity.UsersAccounts._id | String | UsersAccounts cas ID |
| MicrosoftCloudAppSecurity.UsersAccounts.isAdmin | Number | UsersAccounts isAdmin |
| MicrosoftCloudAppSecurity.UsersAccounts.isExternal | Number | UsersAccounts isExternal |
| MicrosoftCloudAppSecurity.UsersAccounts.email | String | UsersAccounts email |
| MicrosoftCloudAppSecurity.UsersAccounts.role | String | UsersAccounts role |
| MicrosoftCloudAppSecurity.UsersAccounts.organization | Unknown | UsersAccounts organization |
| MicrosoftCloudAppSecurity.UsersAccounts.lastSeen | Unknown | UsersAccounts lastSeen |
| MicrosoftCloudAppSecurity.UsersAccounts.domain | String | UsersAccounts domain |
| MicrosoftCloudAppSecurity.UsersAccounts.threatScore | Unknown | UsersAccounts threatScore |
| MicrosoftCloudAppSecurity.UsersAccounts.idType | Number | UsersAccounts idType |
| MicrosoftCloudAppSecurity.UsersAccounts.isFake | Number | UsersAccounts isFake |
| MicrosoftCloudAppSecurity.UsersAccounts.username | String | UsersAccounts username |
| MicrosoftCloudAppSecurity.UsersAccounts.actions.task_name | String | UsersAccounts actions task_name |
| MicrosoftCloudAppSecurity.UsersAccounts.actions.type | String | UsersAccounts actions type |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts._id | String | UsersAccounts accounts _id |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.inst | Number | UsersAccounts accounts inst |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.saas | Number | UsersAccounts accounts saas |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.dn | String | UsersAccounts accounts dn |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.aliases | String | UsersAccounts accounts aliases |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.isFake | Number | UsersAccounts accounts isFake |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.em | Unknown | UsersAccounts accounts email |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.task_name | String | UsersAccounts accounts actions task_name |
| MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.type | String | UsersAccounts accounts actions type |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups._id | String | UsersAccounts userGroups _id |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups.id | String | UsersAccounts userGroups id |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups.name | String | UsersAccounts userGroups name |
| MicrosoftCloudAppSecurity.UsersAccounts.userGroups.usersCount | Number | UsersAccounts userGroups usersCount |

Command Example

!microsoft-cas-users-accounts-list

Context Example

Human Readable Output

Results

| display_name | last_seen | is_admin | is_external | email | username |
| --- | --- | --- | --- | --- | --- |
| Cloud App Security Service Account for SharePoint | 2020-07-28T09:18:39.301Z | false | false | tmcassp_fa02d7a6fe55edb22020060112572594@example.com | {"id": "12345678-cafe-dead-beef-aeac04433eb7", "saas": 11161, "inst": 0} |
| MS Graph User DEV | 2020-07-28T05:34:24Z | false | true |  | {"id": "12345678-cafe-dead-beef-c19d60613e54", "saas": 11161, "inst": 0} |
| MS Graph Groups | 2020-07-28T01:43:12Z | false | true |  | {"id": "12345678-cafe-dead-beef-40a33d90dc90", "saas": 11161, "inst": 0} |
| MS Graph Groups DEV | 2020-07-28T01:42:36Z | false | true |  | {"id": "12345678-cafe-dead-beef-d94e912023e1", "saas": 11161, "inst": 0} |
| Microsoft Approval Management | 2020-07-28T01:42:07Z | false | false |  | {"id": "12345678-cafe-dead-beef-0add61688c74", "saas": 11161, "inst": 0} |
| MS Graph User | 2020-07-28T01:42:07Z | false | true |  | {"id": "12345678-cafe-dead-beef-da7d658844d0", "saas": 11161, "inst": 0} |
| John Smith | 2020-07-27T13:05:21.508Z | true | false | john@example.com | {"id": "12345678-cafe-dead-beef-8089fe9991e2", "saas": 11161, "inst": 0} |
| Cloud App Security | 2020-07-27T10:36:02.246Z | false | false |  | {"id": "Cloud App Security", "saas": 11161, "inst": 0} |
| John Smith | 2020-07-24T17:52:33.096Z | true | false | john@example.com | {"id": "12345678-cafe-dead-beef-d84915c6912f", "saas": 11161, "inst": 0} |
| AAD App Management | 2020-07-24T16:31:08Z | false | false |  | {"id": "12345678-cafe-dead-beef-679e38eea492", "saas": 11161, "inst": 0} |
| Microsoft Exchange Online Protection | 2020-07-23T09:01:52Z | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Device Registration Service | 2020-07-19T22:59:52Z | false | false |  | {"id": "12345678-cafe-dead-beef-d28bd4d359a9", "saas": 11161, "inst": 0} |
| Microsoft Intune | 2020-07-15T14:46:07Z | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Trend Micro Cloud App Security | 2020-07-15T08:42:20Z | false | true |  | {"id": "12345678-cafe-dead-beef-687b755fb160", "saas": 11161, "inst": 0} |
| Windows Azure Service Management API | 2020-07-10T14:33:09Z | false | false |  | {"id": "12345678-cafe-dead-beef-dac1f8f63013", "saas": 11161, "inst": 0} |
| Azure Resource Graph | 2020-07-05T23:50:54.723Z | false | false |  | {"id": "12345678-cafe-dead-beef-e9d4a1996ca4", "saas": 11161, "inst": 0} |
| demisto dev | 2020-07-05T13:19:55Z | true | false | demistodev@example.com | {"id": "12345678-cafe-dead-beef-25984e968637", "saas": 11161, "inst": 0} |
| Media Analysis and Transformation Service | 2020-07-05T09:12:37Z | false | false |  | {"id": "12345678-cafe-dead-beef-804ed95e767e", "saas": 11161, "inst": 0} |
| Office 365 SharePoint Online | 2020-07-05T09:12:30Z | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| MS Graph Files | 2020-06-30T09:11:49Z | false | true |  | {"id": "12345678-cafe-dead-beef-97d384764d79", "saas": 11161, "inst": 0} |
| MS Graph Files Dev | 2020-06-30T09:09:56Z | false | true |  | {"id": "12345678-cafe-dead-beef-8ce97e9cc435", "saas": 11161, "inst": 0} |
| SecurityCenter | 2020-05-17T08:30:13.957Z | false | true |  | {"id": "12345678-cafe-dead-beef-386428b3811c", "saas": 11161, "inst": 0} |
| Managed Disks Resource Provider | 2020-05-05T07:56:05.291Z | false | false |  | {"id": "12345678-cafe-dead-beef-23c25a2169af", "saas": 11161, "inst": 0} |
| Microsoft Azure Policy Insights | 2020-03-17T01:48:21.101Z | false | false |  | {"id": "12345678-cafe-dead-beef-dd72f50a3ec0", "saas": 11161, "inst": 0} |
| Azure Security Center | 2020-03-17T00:36:01.976Z | false | true |  | {"id": "12345678-cafe-dead-beef-744e3d8d2152", "saas": 11161, "inst": 0} |
| Azure Compute | 2020-03-17T00:34:32.951Z | false | true |  | {"id": "12345678-cafe-dead-beef-8d14b008aa78", "saas": 11161, "inst": 0} |
| AzureCompute | 2020-03-17T00:33:19.047Z | false | true |  | {"id": "12345678-cafe-dead-beef-fcff173735a5", "saas": 11161, "inst": 0} |
| Microsoft.Azure.GraphExplorer |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Cactus |  | true | false | itay@example.com | {"id": "12345678-cafe-dead-beef-8352e0e9df65", "saas": 11161, "inst": 0} |
| Azure Classic Portal |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Microsoft App Access Panel |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| svc |  | true | false | svc@example.com | {"id": "12345678-cafe-dead-beef-836e8a8e30c9", "saas": 11161, "inst": 0} |
| Yammer |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Power BI Service |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Microsoft Office Web Apps Service |  | false | false |  | {"id": "12345678-cafe-dead-beef-0de1c7f97287", "saas": 11161, "inst": 0} |
| Skype for Business Online |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Office 365 Exchange Online |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
| Microsoft.ExtensibleRealUserMonitoring |  | false | false |  | {"id": "12345678-cafe-dead-beef-ad15a8179ba0", "saas": 11161, "inst": 0} |
| Microsoft Office 365 Portal |  | false | false |  | {"id": "12345678-cafe-dead-beef-000000000000", "saas": 11161, "inst": 0} |
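
The account listing above mixes admins, external identities and entries with no last-seen time. The following is an added example, not code from the integration: it triages UsersAccounts entries into stale admins, admins never seen, and external accounts, handling both timestamp forms that appear in the results (with and without fractional seconds) and a missing lastSeen. The function names, the 14-day threshold and the sample records are assumptions constructed for illustration; the field names follow the context paths listed for this command.

```python
from datetime import datetime, timedelta, timezone

# Both forms occur in the results above:
#   2020-07-28T09:18:39.301Z  and  2020-07-28T05:34:24Z
_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def parse_last_seen(value):
    """Return an aware UTC datetime, or None when lastSeen is absent or empty."""
    if not value:
        return None
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised lastSeen value: {value!r}")


def triage_accounts(accounts, now, stale_days=14):
    """Group account display names by what a reviewer should look at first.

    isAdmin and isExternal are documented as Number, so plain truthiness
    covers both 0/1 and true/false.
    """
    cutoff = now - timedelta(days=stale_days)
    report = {"stale_admins": [], "unseen_admins": [], "external": []}
    for acct in accounts:
        name = acct.get("displayName") or acct.get("email") or "<unnamed>"
        seen = parse_last_seen(acct.get("lastSeen"))
        if acct.get("isAdmin"):
            if seen is None:
                report["unseen_admins"].append(name)
            elif seen < cutoff:
                report["stale_admins"].append(name)
        if acct.get("isExternal"):
            report["external"].append(name)
    return report


# Constructed sample, modelled on rows of the results table above.
SAMPLE_ACCOUNTS = [
    {"displayName": "John Smith", "lastSeen": "2020-07-27T13:05:21.508Z",
     "isAdmin": True, "isExternal": False, "email": "john@example.com"},
    {"displayName": "demisto dev", "lastSeen": "2020-07-05T13:19:55Z",
     "isAdmin": True, "isExternal": False, "email": "demistodev@example.com"},
    {"displayName": "svc", "isAdmin": True, "isExternal": False,
     "email": "svc@example.com"},
    {"displayName": "MS Graph User", "lastSeen": "2020-07-28T01:42:07Z",
     "isAdmin": False, "isExternal": True},
]
SAMPLE_NOW = datetime(2020, 8, 1, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for bucket, names in triage_accounts(SAMPLE_ACCOUNTS, SAMPLE_NOW).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```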