Microsoft Cloud App Security

This is the MicrosoftCloudAppSecurity integration. This integration was integrated and tested with version 178 of MicrosoftCloudAppSecurity

Configure MicrosoftCloudAppSecurity on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for MicrosoftCloudAppSecurity.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
urlServer URL (e.g. https://example.net\)True
tokenUser's key to access the apiTrue
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
severityIncidents SeverityFalse
max_fetchMaximum alerts to fetchFalse
first_fetchFirst fetch timeFalse
resolution_statusincident resolution statusFalse
  1. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

microsoft-cas-alert-dismiss-bulk


Command to dismiss multiple alerts matching the specified filters.

Base Command

microsoft-cas-alert-dismiss-bulk

Input

Argument NameDescriptionRequired
alert_idMultiple alerts matching the specified filters.
Alert_id should be like this template - "55af7415f8a0a7a29eef2e1f".
Optional
customer_filtersFilter that the customer builds himself.Optional
commentComment about why the alerts are dismissed.Optional

Context Output

Because the API does not return a value relevant to this command, this command has no outputs.

Command Example

!microsoft-cas-alert-dismiss-bulk

Context Example

{}

microsoft-cas-alerts-list


List alerts command - prints list alerts

Base Command

microsoft-cas-alerts-list

Input

Argument NameDescriptionRequired
skipSkips the specified number of records.Optional
limitMaximum number of records returned by the request.Optional
severityThe severity of the alert.Optional
serviceFilter alerts related to the specified service appId.Optional
instanceFilter alerts related to the specified instances.Optional
resolution_statusFilter by alert resolution status.Optional
customer_filtersFilter that the customer builds himself. (If the customer use "customer_filters" other filters will not work)Optional
alert_idalert idOptional
usernameUsername. (Usually its an email address)Optional

Context Output

PathTypeDescription
MicrosoftCloudAppSecurity.Alerts._idStringAlert id
MicrosoftCloudAppSecurity.Alerts.timestampDateAlert date
MicrosoftCloudAppSecurity.Alerts.policyRule.idNumberAlerts policyRule id
MicrosoftCloudAppSecurity.Alerts.policyRule.labelStringAlerts policyRule label
MicrosoftCloudAppSecurity.Alerts.policyRule.typeStringAlerts policyRule type
MicrosoftCloudAppSecurity.Alerts.policyRule.policyTypeStringAlerts policyRule policyType
MicrosoftCloudAppSecurity.Alerts.service.idNumberAlerts service id
MicrosoftCloudAppSecurity.Alerts.service.labelNumberAlerts service label
MicrosoftCloudAppSecurity.Alerts.service.typeNumberAlerts service type
MicrosoftCloudAppSecurity.Alerts.file.idNumberAlerts file id
MicrosoftCloudAppSecurity.Alerts.file.labelNumberAlerts file label
MicrosoftCloudAppSecurity.Alerts.file.typeNumberAlerts file type
MicrosoftCloudAppSecurity.Alerts.user.idNumberAlerts user id
MicrosoftCloudAppSecurity.Alerts.user.labelNumberAlerts user label
MicrosoftCloudAppSecurity.Alerts.user.typeNumberAlerts user type
MicrosoftCloudAppSecurity.Alerts.country.idNumberAlerts country id
MicrosoftCloudAppSecurity.Alerts.country.labelNumberAlerts country label
MicrosoftCloudAppSecurity.Alerts.country.typeNumberAlerts country type
MicrosoftCloudAppSecurity.Alerts.ip.idNumberAlerts ip id
MicrosoftCloudAppSecurity.Alerts.ip.labelNumberAlerts ip label
MicrosoftCloudAppSecurity.Alerts.ip.typeNumberAlerts ip type
MicrosoftCloudAppSecurity.Alerts.ip.triggeredAlertNumberAlerts ip triggeredAlert
MicrosoftCloudAppSecurity.Alerts.account.idNumberAlerts account id
MicrosoftCloudAppSecurity.Alerts.account.labelNumberAlerts account label
MicrosoftCloudAppSecurity.Alerts.account.typeNumberAlerts account type
MicrosoftCloudAppSecurity.Alerts.account.instNumberAlerts account inst
MicrosoftCloudAppSecurity.Alerts.account.saasNumberAlerts account saas
MicrosoftCloudAppSecurity.Alerts.account.paNumberAlerts account pa
MicrosoftCloudAppSecurity.Alerts.account.entityTypeNumberAlerts account entityType
MicrosoftCloudAppSecurity.Alerts.titleStringAlert title
MicrosoftCloudAppSecurity.Alerts.descriptionStringAlert description
MicrosoftCloudAppSecurity.Alerts.policy.idStringAlert policy id
MicrosoftCloudAppSecurity.Alerts.policy.labelStringAlert policy label
MicrosoftCloudAppSecurity.Alerts.policy.policyTypeStringAlert policy policyType
MicrosoftCloudAppSecurity.Alerts.threatScoreNumberAlert threatScore
MicrosoftCloudAppSecurity.Alerts.isSystemAlertNumberAlert isSystemAlert
MicrosoftCloudAppSecurity.Alerts.statusValueNumberAlert statusValue
MicrosoftCloudAppSecurity.Alerts.severityValueNumberAlert severityValue
MicrosoftCloudAppSecurity.Alerts.handledByUserUnknownAlert handledByUser
MicrosoftCloudAppSecurity.Alerts.commentUnknownAlert comment
MicrosoftCloudAppSecurity.Alerts.resolveTimeDateAlert resolveTime

Command Example

Human Readable Output

microsoft-cas-alert-resolve-bulk


Command to resolve multiple alerts matching the specified filters.

Base Command

microsoft-cas-alert-resolve-bulk

Input

Argument NameDescriptionRequired
alert_idMultiple alerts matching the specified filters.
Alert_id should be like this template - "55af7415f8a0a7a29eef2e1f".
Optional
customer_filtersFilter that the customer builds himself.Optional
commentComment about why the alerts are dismissed.Optional

Context Output

Because the api does not return a value relevant to this command, this command has no outputs.

Command Example

!microsoft-cas-alert-resolve-bulk

Context Example

{}

Human Readable Output

microsoft-cas-activities-list


Command for list of activities matching the specified filters.

Base Command

microsoft-cas-activities-list

Input

Argument NameDescriptionRequired
skipSkips the specified number of records.Optional
limitMaximum number of records returned by the request.Optional
serviceFilter activities related to the specified service appID.Optional
instanceFilter activities from specified instances.Optional
ipFilter activities originating from the given IP address.Optional
ip_categoryFilter activities with the specified subnet categories.Optional
usernameFilter activities by the user who performed the activity.Optional
taken_actionFilter activities by the actions taken on them.Optional
sourceFilter all activities by source type.Optional
customer_filtersFilter that the customer builds himself. (If the customer use "customer_filters" other filters will not work)Optional
activity_idThe ID of the activity.Optional

Context Output

PathTypeDescription
MicrosoftCloudAppSecurity.Activities._idStringActivities _id
MicrosoftCloudAppSecurity.Activities.saasIdNumberActivities saasId
MicrosoftCloudAppSecurity.Activities.timestampDateActivities timestamp
MicrosoftCloudAppSecurity.Activities.instantiationDateActivities instantiation
MicrosoftCloudAppSecurity.Activities.createdDateActivities created
MicrosoftCloudAppSecurity.Activities.eventTypeValueStringActivities eventTypeValue
MicrosoftCloudAppSecurity.Activities.device.clientIPStringActivities device clientIP
MicrosoftCloudAppSecurity.Activities.device.userAgentStringActivities device userAgent
MicrosoftCloudAppSecurity.Activities.device.countryCodeStringActivities device countryCode
MicrosoftCloudAppSecurity.Activities.location.countryCodeStringActivities location countryCode
MicrosoftCloudAppSecurity.Activities.location.cityStringActivities location city
MicrosoftCloudAppSecurity.Activities.location.regionStringActivities location region
MicrosoftCloudAppSecurity.Activities.location.longitudeNumberActivities location longitude
MicrosoftCloudAppSecurity.Activities.location.latitudeNumberActivities location latitude
MicrosoftCloudAppSecurity.Activities.location.categoryValueStringActivities location categoryValue
MicrosoftCloudAppSecurity.Activities.user.userNameStringActivities user userName
MicrosoftCloudAppSecurity.Activities.userAgent.familyStringActivities userAgent family
MicrosoftCloudAppSecurity.Activities.userAgent.nameStringActivities userAgent name
MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.nameStringActivities userAgent operatingSystem.name
MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.familyStringActivities userAgent operatingSystem family
MicrosoftCloudAppSecurity.Activities.userAgent.typeStringActivities userAgent type
MicrosoftCloudAppSecurity.Activities.userAgent.typeNameStringActivities userAgent typeName
MicrosoftCloudAppSecurity.Activities.userAgent.versionStringActivities userAgent version
MicrosoftCloudAppSecurity.Activities.userAgent.deviceTypeStringActivities userAgent deviceType
MicrosoftCloudAppSecurity.Activities.userAgent.nativeBrowserNumberActivities userAgent nativeBrowser
MicrosoftCloudAppSecurity.Activities.userAgent.osStringActivities userAgent os
MicrosoftCloudAppSecurity.Activities.userAgent.browserStringActivities userAgent browser
MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.instanceIdNumberActivities mainInfo eventObjects instanceId
MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.saasIdNumberActivities mainInfo eventObjects saasId
MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.idStringActivities mainInfo eventObjects id
MicrosoftCloudAppSecurity.Activities.mainInfo.activityResult.isSuccessStringActivities mainInfo activityResult isSuccess
MicrosoftCloudAppSecurity.Activities.mainInfo.typeStringActivities mainInfo type
MicrosoftCloudAppSecurity.Activities.confidenceLevelNumberActivities confidenceLevel
MicrosoftCloudAppSecurity.Activities.resolvedActor.idStringActivities resolvedActor id
MicrosoftCloudAppSecurity.Activities.resolvedActor.saasIdStringActivities resolvedActor saasId
MicrosoftCloudAppSecurity.Activities.resolvedActor.instanceIdStringActivities resolvedActor instanceId
MicrosoftCloudAppSecurity.Activities.resolvedActor.nameStringActivities resolvedActor name
MicrosoftCloudAppSecurity.Activities.eventTypeNameStringActivities eventTypeName
MicrosoftCloudAppSecurity.Activities.classificationsStringActivities classifications
MicrosoftCloudAppSecurity.Activities.entityData.displayNameStringActivities entityData displayName
MicrosoftCloudAppSecurity.Activities.entityData.id.idStringActivities entityData id id
MicrosoftCloudAppSecurity.Activities.entityData.resolvedNumberActivities entityData resolved
MicrosoftCloudAppSecurity.Activities.descriptionStringActivities description
MicrosoftCloudAppSecurity.Activities.genericEventTypeStringActivities genericEventType
MicrosoftCloudAppSecurity.Activities.severityStringActivities severity

Command Example

Human Readable Output

microsoft-cas-files-list


Command to fetch a list of files matching the specified filters.

Base Command

microsoft-cas-files-list

Input

Argument NameDescriptionRequired
skipSkips the specified number of records.Optional
limitMaximum number of records returned by the request.Optional
serviceFilter files from specified app appID.Optional
instanceFilter files from specified instances.Optional
file_typeFilter files with the specified file type.Optional
usernameFilter files owned by specified entities.Optional
sharingFilter files with the specified sharing levels.Optional
extensionFilter files by a given file extension.Optional
quarantinedFilter Is the file quarantined.Optional
customer_filtersFilter that the customer builds himself. (If the customer use "customer_filters" other filters will not work)Optional
file_idFilter by file idOptional

Context Output

PathTypeDescription
MicrosoftCloudAppSecurity.Files._idStringFiles _id
MicrosoftCloudAppSecurity.Files.saasIdNumberFiles saasId
MicrosoftCloudAppSecurity.Files.instIdNumberFiles instId
MicrosoftCloudAppSecurity.Files.fileSizeNumberFiles fileSize
MicrosoftCloudAppSecurity.Files.createdDateDateFiles createdDate
MicrosoftCloudAppSecurity.Files.modifiedDateDateFiles modifiedDate
MicrosoftCloudAppSecurity.Files.parentIdStringFiles parentId
MicrosoftCloudAppSecurity.Files.ownerNameStringFiles ownerName
MicrosoftCloudAppSecurity.Files.isFolderNumberFiles isFolder
MicrosoftCloudAppSecurity.Files.fileTypeStringFiles fileType
MicrosoftCloudAppSecurity.Files.nameStringFiles name
MicrosoftCloudAppSecurity.Files.isForeignNumberFiles isForeign
MicrosoftCloudAppSecurity.Files.noGovernanceNumberFiles noGovernance
MicrosoftCloudAppSecurity.Files.fileAccessLevelStringFiles fileAccessLevel
MicrosoftCloudAppSecurity.Files.ownerAddressStringFiles ownerAddress
MicrosoftCloudAppSecurity.Files.externalSharesStringFiles externalShares
MicrosoftCloudAppSecurity.Files.domainsStringFiles domains
MicrosoftCloudAppSecurity.Files.mimeTypeStringFiles mimeType
MicrosoftCloudAppSecurity.Files.ownerExternalNumberFiles ownerExternal
MicrosoftCloudAppSecurity.Files.fileExtensionStringFiles fileExtension
MicrosoftCloudAppSecurity.Files.groupIdsStringFiles groupIds
MicrosoftCloudAppSecurity.Files.groupsStringFiles groups
MicrosoftCloudAppSecurity.Files.collaboratorsStringFiles collaborators
MicrosoftCloudAppSecurity.Files.fileStatusStringFiles fileStatus
MicrosoftCloudAppSecurity.Files.appNameStringFiles appName
MicrosoftCloudAppSecurity.Files.actions.task_nameStringFiles actions task_name
MicrosoftCloudAppSecurity.Files.actions.typeStringFiles actions type

Command Example

!microsoft-cas-files-list

Context Example

Human Readable Output

Results

owner_namefile_create_datefile_typefile_namefile_access_levelfile_statusapp_name
Avishai Brandeis15951990730004,
TEXT
20200325_101206.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15951990720004,
TEXT
20200325_100518.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15951990730005,
IMAGE
f9c89b9b-18d2-4a2f-8cba-ca070a36092e.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15951990720005,
IMAGE
d82388df-f3ec-4288-bf4f-b3b46a6d77f9.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
SharePoint App1594890271000playbook_folder1,
INTERNAL
0,
EXISTS
Microsoft SharePoint Online
SharePoint App15948900700004,
TEXT
test.txt1,
INTERNAL
0,
EXISTS
Microsoft SharePoint Online
Avishai Brandeis15947217840004,
TEXT
20200325_101206.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15947217840005,
IMAGE
9a45eafa-b471-43c0-9dc8-9af56fe0585b.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15947217670004,
TEXT
IMG-20200619-WA0000.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15947217670005,
IMAGE
14ac91a6-a2ca-450e-978f-fc3b0a3a02e8.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265790004,
TEXT
20200325_104025.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265790004,
TEXT
20200325_101544.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265790005,
IMAGE
56aa5551-0c4c-42d7-93f1-57ccdca766aa.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265720004,
TEXT
DSC_6375.JPG.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265790005,
IMAGE
2cf7cb13-9385-4d90-8eff-838665d33aa8.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265720005,
IMAGE
3ebd512c-4868-4bc3-9325-1b3e5cb3f878.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265600004,
TEXT
20200325_100530.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265700004,
TEXT
20200325_101206.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265600005,
IMAGE
cfe6b7e5-bf03-4da9-87c6-a670c7317bfc.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265730004,
TEXT
20200325_101451.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265700005,
IMAGE
c4350358-99bf-4b25-9e78-828906a2e0b4.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265730005,
IMAGE
4da54ac0-0b3d-4eb4-a1ab-24215449ab36.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265590004,
TEXT
20200325_100518.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265590005,
IMAGE
e063ef77-e7de-4187-8448-7a1ac1f1f3e5.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265480004,
TEXT
photo_2020-07-05 18.33.29.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265510004,
TEXT
photo_2020-07-05 18.33.46.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265450004,
TEXT
photo_2020-07-05 18.06.47.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265480005,
IMAGE
5bc3308d-a583-43a6-821c-1880feaf90ff.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265480004,
TEXT
photo_2020-07-05 18.33.38.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265460004,
TEXT
photo_2020-07-05 18.06.51.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265510005,
IMAGE
01f30b27-0a9d-41e0-aa57-c9f5d143283c.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265450005,
IMAGE
6814e9f2-0851-4585-a7d5-2d65a84f383b.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265480005,
IMAGE
92a62911-7c1b-47ae-8942-430368e8fecf.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265460005,
IMAGE
f0e38201-a3d0-4e58-b6c5-8b98d4c03aa3.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265420004,
TEXT
photo_2020-07-05 18.06.33.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265430004,
TEXT
photo_2020-07-05 18.06.40.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265400004,
TEXT
IMG-20200619-WA0000.jpg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
Avishai Brandeis15943265400004,
TEXT
photo_2020-07-05 18.06.26.jpeg.txt0,
PRIVATE
0,
EXISTS
Microsoft OneDrive for Business
15943265430005,
IMAGE
9b10eb41-0fa1-4982-aded-25cc5b5e5f84.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265420005,
IMAGE
dfbea149-a811-4e73-86cd-66f5a48e7973.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265400005,
IMAGE
9aa6317b-2c50-4e8b-8f71-30bee381e8ff.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943265400005,
IMAGE
ac015a88-aef1-4969-a0cc-bfe508b9a649.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256140005,
IMAGE
cca52237-74d9-4aff-b92e-4eaa7c4186c6.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256140005,
IMAGE
c82fe4f0-f550-4941-87b5-bbdf2c002a6a.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256100005,
IMAGE
5dd21d9c-ba3c-45a1-8bc1-588fc13d54d8.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256080005,
IMAGE
bc36b8a1-d2f1-4bd7-8dd3-e010460db08b.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256030005,
IMAGE
639977fd-f19b-46f0-b8da-30bdce7cdbb4.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256000005,
IMAGE
14012d04-f9d9-40f3-b4e7-07ee35b9cae6.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943256000005,
IMAGE
3356552a-4bd0-4953-9f59-6bdaa087b448.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255910005,
IMAGE
dba0af17-2a8c-4a60-9fd5-9acaf93b2f08.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255920005,
IMAGE
7941ed8e-1e51-46d5-8561-09ce27b3b975.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255820005,
IMAGE
047e77e2-e0e5-4989-8a0c-ff9054fd5175.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255820005,
IMAGE
2e5812b4-8000-48b8-b384-142f984d5ec2.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255870005,
IMAGE
6327024b-1edf-4463-802c-2b78b4f9fdad.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255780005,
IMAGE
542895d5-7c84-4310-9f5e-a15dae89d7fc.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255580005,
IMAGE
2d2ef892-4166-4661-bb3b-92ee409c21c8.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255350005,
IMAGE
30e9aa83-e872-4ddb-b2f7-c0e73a71867d.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255350005,
IMAGE
ec02ac37-c455-4d04-b8aa-c6da3136686d.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255330005,
IMAGE
aff07901-2e64-4e57-bab6-ed4930fd2974.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255320005,
IMAGE
5139071d-4832-41d5-a21c-458327f935ef.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255300005,
IMAGE
906d178e-adf5-4b3f-bd2d-469b048e20f0.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255300005,
IMAGE
fe45c984-451e-497e-a6c7-c0a90887820a.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255270005,
IMAGE
df8ad58d-a418-431f-87f5-d059ea238d27.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255270005,
IMAGE
d1bfee21-ef58-40e9-b0e2-ed1ccb2b48c7.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255250005,
IMAGE
c7c42269-657a-49e4-9829-7afd2bef0301.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255240005,
IMAGE
9c69944a-ff97-4331-834b-df30a6571865.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255210005,
IMAGE
dea354b5-93e7-4903-a969-d77f75512d77.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15943255230005,
IMAGE
d120d7aa-f931-4dfa-8cb0-f439ed5bf845.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942955070005,
IMAGE
56c858dc-3798-454d-b71d-7670dc33a519.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942955070005,
IMAGE
ee6eb54f-eee3-4f3f-9824-cd8949d7e3c3.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942955000005,
IMAGE
279c29cb-8c9b-4da3-acbb-0dcb222080f9.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954790005,
IMAGE
a87afd92-66ed-45dd-b048-442a54f769a6.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954610005,
IMAGE
9da79bd0-8523-4cb4-b7d1-9499367542ff.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954610005,
IMAGE
df88a2d1-9da8-4fef-a326-a554af6303b9.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954580005,
IMAGE
78e7bddd-225b-453f-b68d-622a3d50645a.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954560005,
IMAGE
4ce510f0-c0a7-4c65-b195-387bc3dcb80e.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954580005,
IMAGE
8ed05b63-7ecc-4e3f-a0cd-3d536ae1c249.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954530005,
IMAGE
cf224158-46bc-4143-adf3-0c8d35b5350e.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954550005,
IMAGE
af5e2534-d35e-4df7-a1ed-3b45e11683d3.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954520005,
IMAGE
0a355451-e289-4722-86af-2c648e7cc283.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954500005,
IMAGE
0470b912-a2eb-44b9-9dec-953ab4e05c6f.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954480005,
IMAGE
fe4cdb75-30b7-4d10-ab51-e81f8e6d79a5.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954500005,
IMAGE
1f84df98-64ec-4278-bd27-8bf8345d0cdf.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942954480005,
IMAGE
a3cbb7a7-72e6-453e-901c-cb549e276a59.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942948270005,
IMAGE
f2edccd6-2be2-439c-a2f9-a0f390e9b80e.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945730005,
IMAGE
601a5a3e-0cf1-4541-836c-743dd3fabc91.JPG1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945600005,
IMAGE
f5e5c5cc-4f05-4ccb-9be4-d86f4d3a26b6.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945620005,
IMAGE
7b538b05-0c5c-4ba3-98a0-3d07d563a975.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945570005,
IMAGE
d8af96a9-18f3-4320-bc5b-71ebdea835fe.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945570005,
IMAGE
d6634cd3-0baf-4ebd-8f6e-de66927b1b2c.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945550005,
IMAGE
967a6e5c-a012-4928-a909-32687f426a09.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945600005,
IMAGE
5ccab71a-7a08-48ac-ba95-bb6f11a63a04.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945520005,
IMAGE
83c1745c-abf4-4e48-bdd9-24376ac50027.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945540005,
IMAGE
b5261c49-0725-427f-b956-cd875fa236d8.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945510005,
IMAGE
55cfdba5-d823-47e6-b37e-a3cb0ae9035b.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945360005,
IMAGE
dd33b82b-20da-4d56-bf3f-c474278a3829.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942945370005,
IMAGE
e71a8958-97fe-4d7e-8259-ad92984a38d9.jpeg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942939740005,
IMAGE
c588bf6f-f87a-401c-9ebc-5cc03b03d1d5.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942939760005,
IMAGE
d95a09e8-4873-4aec-9e5d-9b9b3d85b6c6.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business
15942930350005,
IMAGE
7036c013-cab0-4aee-b5e2-3f125ba40034.jpg1,
INTERNAL
0,
EXISTS
Microsoft OneDrive for Business

microsoft-cas-users-accounts-list


Command for basic information about the users and accounts using your organization's cloud apps.

Base Command

microsoft-cas-users-accounts-list

Input

Argument NameDescriptionRequired
skipSkips the specified number of records.Optional
limitMaximum number of records returned by the request
Optional
serviceFilter entities using services with the specified SaaS ID.Optional
instanceFilter entities using services with the specified Appstances.Optional
typeFilter entities by their type.Optional
usernameFilter entities with specific entities pks. If a user is selected, will also return all of its accounts.Optional
group_idFilter entities by their associated group IDs.Optional
is_adminFilter entities that are admins.Optional
is_externalThe entity's affiliation.Optional
statusFilter entities by status.Optional
customer_filtersFilter that the customer builds himself. (If the customer use "customer_filters" other filters will not work)Optional

Context Output

PathTypeDescription
MicrosoftCloudAppSecurity.UsersAccounts.displayNameStringUsersAccounts displayName
MicrosoftCloudAppSecurity.UsersAccounts.idStringUsersAccounts cloud service id
MicrosoftCloudAppSecurity.UsersAccounts._idStringUsersAccounts cas ID
MicrosoftCloudAppSecurity.UsersAccounts.isAdminNumberUsersAccounts isAdmin
MicrosoftCloudAppSecurity.UsersAccounts.isExternalNumberUsersAccounts isExternal
MicrosoftCloudAppSecurity.UsersAccounts.emailStringUsersAccounts email
MicrosoftCloudAppSecurity.UsersAccounts.roleStringUsersAccounts role
MicrosoftCloudAppSecurity.UsersAccounts.organizationUnknownUsersAccounts organization
MicrosoftCloudAppSecurity.UsersAccounts.lastSeenUnknownUsersAccounts lastSeen
MicrosoftCloudAppSecurity.UsersAccounts.domainStringUsersAccounts domain
MicrosoftCloudAppSecurity.UsersAccounts.threatScoreUnknownUsersAccounts threatScore
MicrosoftCloudAppSecurity.UsersAccounts.idTypeNumberUsersAccounts idType
MicrosoftCloudAppSecurity.UsersAccounts.isFakeNumberUsersAccounts isFake
MicrosoftCloudAppSecurity.UsersAccounts.usernameStringUsersAccounts username
MicrosoftCloudAppSecurity.UsersAccounts.actions.task_nameStringUsersAccounts actions task_name
MicrosoftCloudAppSecurity.UsersAccounts.actions.typeStringUsersAccounts actions type
MicrosoftCloudAppSecurity.UsersAccounts.accounts._idStringUsersAccounts accounts _id
MicrosoftCloudAppSecurity.UsersAccounts.accounts.instNumberUsersAccounts accounts inst
MicrosoftCloudAppSecurity.UsersAccounts.accounts.saasNumberUsersAccounts accounts saas
MicrosoftCloudAppSecurity.UsersAccounts.accounts.dnStringUsersAccounts accounts dn
MicrosoftCloudAppSecurity.UsersAccounts.accounts.aliasesStringUsersAccounts accounts aliases
MicrosoftCloudAppSecurity.UsersAccounts.accounts.isFakeNumberUsersAccounts accounts isFake
MicrosoftCloudAppSecurity.UsersAccounts.accounts.emUnknownUsersAccounts accounts email
MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.task_nameStringUsersAccounts accounts actions task_name
MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.typeStringUsersAccounts accounts actions type
MicrosoftCloudAppSecurity.UsersAccounts.userGroups._idStringUsersAccounts userGroups _id
MicrosoftCloudAppSecurity.UsersAccounts.userGroups.idStringUsersAccounts userGroups id
MicrosoftCloudAppSecurity.UsersAccounts.userGroups.nameStringUsersAccounts userGroups name
MicrosoftCloudAppSecurity.UsersAccounts.userGroups.usersCountNumberUsersAccounts userGroups usersCount

Command Example

!microsoft-cas-users-accounts-list

Context Example

Human Readable Output

Results

display_namelast_seenis_adminis_externalemailusername
Cloud App Security Service Account for SharePoint2020-07-28T09:18:39.301Zfalsefalsetmcassp_fa02d7a6fe55edb22020060112572594@demistodev.onmicrosoft.com{"id": "9aa388ae-d7ad-4f38-af49-aeac04433eb7", "saas": 11161, "inst": 0}
MS Graph User DEV2020-07-28T05:34:24Zfalsetrue{"id": "954d66fa-f865-493c-b1cb-c19d60613e54", "saas": 11161, "inst": 0}
MS Graph Groups2020-07-28T01:43:12Zfalsetrue{"id": "7e14f6a3-185d-49e3-85e8-40a33d90dc90", "saas": 11161, "inst": 0}
MS Graph Groups DEV2020-07-28T01:42:36Zfalsetrue{"id": "9de2d7c5-45a6-4b98-b283-d94e912023e1", "saas": 11161, "inst": 0}
Microsoft Approval Management2020-07-28T01:42:07Zfalsefalse{"id": "65d91a3d-ab74-42e6-8a2f-0add61688c74", "saas": 11161, "inst": 0}
MS Graph User2020-07-28T01:42:07Zfalsetrue{"id": "d7508c5c-988b-485e-93c3-da7d658844d0", "saas": 11161, "inst": 0}
Avishai Brandeis2020-07-27T13:05:21.508Ztruefalseavishai@demistodev.onmicrosoft.com{"id": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2", "saas": 11161, "inst": 0}
Cloud App Security2020-07-27T10:36:02.246Zfalsefalse{"id": "Cloud App Security", "saas": 11161, "inst": 0}
Lance Pettay2020-07-24T17:52:33.096Ztruefalselpettay@demistodev.onmicrosoft.com{"id": "3987137d-eb30-4cc9-baef-d84915c6912f", "saas": 11161, "inst": 0}
AAD App Management2020-07-24T16:31:08Zfalsefalse{"id": "f0ae4899-d877-4d3c-ae25-679e38eea492", "saas": 11161, "inst": 0}
Microsoft Exchange Online Protection2020-07-23T09:01:52Zfalsefalse{"id": "00000007-0000-0ff1-ce00-000000000000", "saas": 11161, "inst": 0}
Device Registration Service2020-07-19T22:59:52Zfalsefalse{"id": "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9", "saas": 11161, "inst": 0}
Microsoft Intune2020-07-15T14:46:07Zfalsefalse{"id": "0000000a-0000-0000-c000-000000000000", "saas": 11161, "inst": 0}
Trend Micro Cloud App Security2020-07-15T08:42:20Zfalsetrue{"id": "32eb7c81-01f8-4f56-b847-687b755fb160", "saas": 11161, "inst": 0}
Windows Azure Service Management API2020-07-10T14:33:09Zfalsefalse{"id": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "saas": 11161, "inst": 0}
Eran Korish2020-07-06T08:06:17.116Zfalsefalseeran@demistodev.onmicrosoft.com{"id": "e2397ddc-d33f-4324-a6d4-5955ae199903", "saas": 11161, "inst": 0}
Azure Resource Graph2020-07-05T23:50:54.723Zfalsefalse{"id": "509e4652-da8d-478d-a730-e9d4a1996ca4", "saas": 11161, "inst": 0}
demisto dev2020-07-05T13:19:55Ztruefalsedev@demistodev.onmicrosoft.com{"id": "2827c1e7-edb6-4529-b50d-25984e968637", "saas": 11161, "inst": 0}
Media Analysis and Transformation Service2020-07-05T09:12:37Zfalsefalse{"id": "944f0bd1-117b-4b1c-af26-804ed95e767e", "saas": 11161, "inst": 0}
Office 365 SharePoint Online2020-07-05T09:12:30Zfalsefalse{"id": "00000003-0000-0ff1-ce00-000000000000", "saas": 11161, "inst": 0}
MS Graph Files2020-06-30T09:11:49Zfalsetrue{"id": "6b495fcf-df22-4544-99a3-97d384764d79", "saas": 11161, "inst": 0}
MS Graph Files Dev2020-06-30T09:09:56Zfalsetrue{"id": "2c160fab-7040-4f08-bec2-8ce97e9cc435", "saas": 11161, "inst": 0}
lior kolnik2020-06-30T08:13:48Zfalsefalseliork@demistodev.onmicrosoft.com{"id": "023096d0-595e-47b5-80dd-ea5886ab9294", "saas": 11161, "inst": 0}
sr test022020-06-30T00:13:44Zfalsefalsesr-test02@demistodev.onmicrosoft.com{"id": "9702a3de-f219-425b-b0ef-9c343b786030", "saas": 11161, "inst": 0}
SecurityCenter2020-05-17T08:30:13.957Zfalsetrue{"id": "8ccae514-af28-4b44-9f19-386428b3811c", "saas": 11161, "inst": 0}
Managed Disks Resource Provider2020-05-05T07:56:05.291Zfalsefalse{"id": "60e6cd67-9c8c-4951-9b3c-23c25a2169af", "saas": 11161, "inst": 0}
Microsoft Azure Policy Insights2020-03-17T01:48:21.101Zfalsefalse{"id": "1d78a85d-813d-46f0-b496-dd72f50a3ec0", "saas": 11161, "inst": 0}
Azure Security Center2020-03-17T00:36:01.976Zfalsetrue{"id": "61f36b84-ce6b-4ca8-9d55-744e3d8d2152", "saas": 11161, "inst": 0}
Azure Compute2020-03-17T00:34:32.951Zfalsetrue{"id": "e16945f4-e521-4da9-87f5-8d14b008aa78", "saas": 11161, "inst": 0}
AzureCompute2020-03-17T00:33:19.047Zfalsetrue{"id": "9ead7552-8ee2-47e1-b435-fcff173735a5", "saas": 11161, "inst": 0}
Logs Analysis testtruefalselogs@demistodev.onmicrosoft.com{"id": "5d9ed8e5-be5c-4aaf-86f8-c133c5cd19de", "saas": 11161, "inst": 0}
Microsoft.Azure.GraphExplorerfalsefalse{"id": "0000000f-0000-0000-c000-000000000000", "saas": 11161, "inst": 0}
Itay Kerentruefalseitay@demistodev.onmicrosoft.com{"id": "8918c390-35b8-42c3-83f1-8352e0e9df65", "saas": 11161, "inst": 0}
Azure Classic Portalfalsefalse{"id": "00000013-0000-0000-c000-000000000000", "saas": 11161, "inst": 0}
van Helsingtruefalsevanhelsing@demistodev.onmicrosoft.com{"id": "21395465-a687-4d0f-9ea6-b0bd39531c47", "saas": 11161, "inst": 0}
Microsoft App Access Panelfalsefalse{"id": "0000000c-0000-0000-c000-000000000000", "saas": 11161, "inst": 0}
svctruefalsesvc@demistodev.onmicrosoft.com{"id": "e8a03722-99a2-4b26-bde4-836e8a8e30c9", "saas": 11161, "inst": 0}
Yammerfalsefalse{"id": "00000005-0000-0ff1-ce00-000000000000", "saas": 11161, "inst": 0}
ServiceAccount1truefalseserviceaccount1@demistodev.onmicrosoft.com{"id": "70585180-517a-43ea-9403-2d80b97ab19d", "saas": 11161, "inst": 0}
Power BI Servicefalsefalse{"id": "00000009-0000-0000-c000-000000000000", "saas": 11161, "inst": 0}
itayadmintruefalseitayadmin@demistodev.onmicrosoft.com{"id": "5d8d8aad-14ab-4683-aa57-fa37642599a4", "saas": 11161, "inst": 0}
Microsoft Office Web Apps Servicefalsefalse{"id": "67e3df25-268a-4324-a550-0de1c7f97287", "saas": 11161, "inst": 0}
Jochmantruefalsejochman@demistodev.onmicrosoft.com{"id": "fc3aea12-f19f-461e-b62b-25ee818deb6d", "saas": 11161, "inst": 0}
Skype for Business Onlinefalsefalse{"id": "00000004-0000-0ff1-ce00-000000000000", "saas": 11161, "inst": 0}
Tsach zimmerfalsefalsetsach@demistodev.onmicrosoft.com{"id": "259d2a3c-167b-411c-b2ee-88646ce6e054", "saas": 11161, "inst": 0}
Office 365 Exchange Onlinefalsefalse{"id": "00000002-0000-0ff1-ce00-000000000000", "saas": 11161, "inst": 0}
Guy Lichtmanfalsefalselichtman@demistodev.onmicrosoft.com{"id": "3a6efd73-b4bb-4ef6-b0ed-2c76f043dba4", "saas": 11161, "inst": 0}
Microsoft.ExtensibleRealUserMonitoringfalsefalse{"id": "e3583ad2-c781-4224-9b91-ad15a8179ba0", "saas": 11161, "inst": 0}
Bar Katzirfalsefalsebkatzir@demistodev.onmicrosoft.com{"id": "7bd0dd8e-7d2f-4ace-af36-19f91a670281", "saas": 11161, "inst": 0}
Microsoft Office 365 Portalfalsefalse{"id": "00000006-0000-0ff1-ce00-000000000000", "saas": 11161, "inst": 0}