# Microsoft Defender for Cloud Apps
This integration is part of the Microsoft Defender for Cloud Apps Pack.

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts. This integration was integrated and tested with version 178 of MicrosoftCloudAppSecurity.

The integration supports the following authentication methods:
- Device Code Flow.
- Client Credentials Flow.
- By token (legacy method).

## Device Code Flow
To use a Device Code Flow, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.
To connect to the Microsoft Cloud App Security:
- Fill in the required parameters.
- Run the !microsoft-cas-auth-start command.
- Follow the instructions that appear.
- Run the !microsoft-cas-auth-complete command.
At the end of the process you'll see a message that you've logged in successfully.
## Client Credentials Flow
Follow these steps for a self-deployed configuration:
- To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.
- In the instance configuration, set the Authentication Mode parameter to Client Credentials.
- Enter your Client/Application ID in the Application ID parameter.
- Enter your Client Secret in the Password parameter.
- Enter your Tenant ID in the Tenant ID parameter.
## Required Permissions
Make sure to provide the following permissions for the app to work with Microsoft Cloud App Security:
- Discovery.manage, Investigation.read - https://learn.microsoft.com/en-us/defender-cloud-apps/api-authentication-application#supported-permission-scopes
- offline_access - when using the Device Code flow.
## By token (legacy method)
To access the Microsoft Cloud App Security API, you need to grant authorization. See the Microsoft documentation to view a detailed explanation of how to create the Server URL and User key (token).
For more information about which permissions are required for the token owner in Microsoft Cloud App Security, see Microsoft Cloud App Security - Manage admin access.
## Configure MicrosoftCloudAppSecurity on Cortex XSOAR
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for MicrosoftCloudAppSecurity.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Endpoint Type | The endpoint for accessing Microsoft Defender for Cloud Applications (MCAS); see the Endpoint Type options table below. Default is Worldwide. | |
Server URL (e.g., https://example.net) | In the Security Center, go to Settings > Cloud Apps > About tab, where the API URL is displayed. | True |
Authentication Mode | | False |
User's key to access the API | | False |
Application ID | | False |
Tenant ID (for Client Credentials mode) | | False |
Fetch incidents | | False |
Incident type | | False |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Incident severity | | False |
Maximum alerts to fetch | | False |
First fetch time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days). | False |
Incident resolution status | | False |
Custom Filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters from the integration instance configuration. An example of a Custom Filter is: {"severity":{"eq":2}}. Note that for filtering by "entity.policy", you should use the ID of the policy. For example, to retrieve alerts for the policy {"policyType": "ANOMALY_DETECTION", "id": "1234", "label": "Impossible travel", "type": "policyRule"}, query on {"entity.policy":{"eq":1234}}. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. | False |
Advanced: Minutes to look back when fetching | Use this parameter to determine how far back to look when searching for incidents, to ensure that all incidents are collected. | False |

Endpoint Type options:

Endpoint Type | Description |
---|---|
Worldwide | The publicly accessible Microsoft Defender for Cloud Applications |
US GCC | Microsoft Defender for Cloud Applications for the USA Government Cloud Community (GCC) |
US GCC-High | Microsoft Defender for Cloud Applications for the USA Government Cloud Community High (GCC-High) |

4. Click Test to validate the URLs, token, and connection.
## Look-back parameter note
If the look-back parameter is raised to a value greater than the one that was in effect while incidents were being fetched, the next fetch may return duplicate incidents.
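As an added illustration (not part of the integration's own code) of the Custom Filter syntax and of why raising the look-back can duplicate incidents: the filter builder below composes the severity, resolutionStatus and date filters that the instance parameters describe (with custom_filter overriding them), and the fetch loop remembers the alert ids it has already turned into incidents only for the configured window. The integer severity and resolution codes, the last_run shape and the in-memory stand-in for the alerts API are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Assumed mapping from the instance's named values to the integer codes the
# alerts API filter syntax uses for severity and resolutionStatus.
SEVERITY = {"Low": 0, "Medium": 1, "High": 2}
RESOLUTION = {"Open": 0, "Dismissed": 1, "Resolved": 2}

MINUTE_MS = 60_000


def build_alert_filter(severity=(), resolution_status=(), since_ms=None, custom_filter=None):
    """Build the 'filters' object for the alerts API.

    A custom_filter (the JSON string typed into the instance parameter)
    overrides every other filter, as the parameter description says.
    """
    if custom_filter:
        return json.loads(custom_filter)
    filters = {}
    if severity:
        filters["severity"] = {"eq": [SEVERITY[s] for s in severity]}
    if resolution_status:
        filters["resolutionStatus"] = {"eq": [RESOLUTION[s] for s in resolution_status]}
    if since_ms is not None:
        filters["date"] = {"gte": since_ms}
    return filters


def fetch_incidents(last_run, look_back_minutes, list_alerts, max_fetch=50):
    """One fetch-incidents run with a look-back window and de-duplication by _id.

    last_run (assumed shape): {"time": epoch ms of the newest alert seen,
                               "found": {alert_id: epoch ms of that alert}}
    list_alerts(filters, skip, limit): the API call; returns alerts oldest first.
    Returns (incidents, next_last_run).
    """
    newest = last_run.get("time", 0)
    found = dict(last_run.get("found", {}))
    window_ms = look_back_minutes * MINUTE_MS
    filters = build_alert_filter(since_ms=max(0, newest - window_ms))
    incidents, skip = [], 0
    while len(incidents) < max_fetch:
        page = list_alerts(filters, skip, max_fetch)
        if not page:
            break
        for alert in page:
            if alert["_id"] in found:  # already an incident from an earlier run
                continue
            found[alert["_id"]] = alert["timestamp"]
            newest = max(newest, alert["timestamp"])
            occurred = datetime.fromtimestamp(alert["timestamp"] / 1000, tz=timezone.utc)
            incidents.append({"name": alert["title"], "occurred": occurred.isoformat(),
                              "rawJSON": json.dumps(alert)})
            if len(incidents) >= max_fetch:
                break
        skip += len(page)
    # Keep only ids the *current* window can return again. This is exactly why the
    # look-back note holds: ids older than the window are forgotten, so a later,
    # larger window re-fetches those alerts as new incidents.
    found = {i: ts for i, ts in found.items() if ts >= newest - window_ms}
    return incidents, {"time": newest, "found": found}


# Constructed sample alerts shaped like the alerts-list output (not real data).
BASE_MS = 1_626_000_000_000
SAMPLE_ALERTS = [
    {"_id": "a1", "timestamp": BASE_MS, "title": "Suspicious administrative activity", "severityValue": 1},
    {"_id": "a2", "timestamp": BASE_MS + 40 * MINUTE_MS, "title": "Risky sign-in", "severityValue": 2},
    {"_id": "a3", "timestamp": BASE_MS + 50 * MINUTE_MS, "title": "Impossible travel activity", "severityValue": 1},
]


def sample_api(available):
    """Stand-in for the alerts API: honours the 'date' gte filter plus skip/limit."""
    def list_alerts(filters, skip, limit):
        since = filters.get("date", {}).get("gte", 0)
        rows = sorted((a for a in available if a["timestamp"] >= since), key=lambda a: a["timestamp"])
        return rows[skip:skip + limit]
    return list_alerts


def demo():
    """Runs 1 and 2 use a 30-minute look-back; run 3 raises it to 60 minutes, which
    re-fetches a1 (already pruned from the remembered ids) as a duplicate incident."""
    def ids(incidents):
        return [json.loads(i["rawJSON"])["_id"] for i in incidents]
    run1, state = fetch_incidents({}, 30, sample_api(SAMPLE_ALERTS[:2]))
    run2, state = fetch_incidents(state, 30, sample_api(SAMPLE_ALERTS))
    run3, state = fetch_incidents(state, 60, sample_api(SAMPLE_ALERTS))
    return ids(run1), ids(run2), ids(run3)


if __name__ == "__main__":
    print(demo())  # (['a1', 'a2'], ['a3'], ['a1'])
```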
## Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### microsoft-cas-auth-start
Run this command to start the authorization process (device-code mode) and follow the instructions in the command results.

#### Base Command
`microsoft-cas-auth-start`

#### Input
There are no input arguments for this command.

#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-auth-start`

#### Human Readable Output
Authorization instructions
- To sign in, use a web browser to open the page {URL} and enter the code {code} to authenticate.
- Run the !microsoft-cas-auth-complete command in the War Room.
### microsoft-cas-auth-complete
Run this command to complete the authorization process (device-code mode). Use it after running the microsoft-cas-auth-start command.

#### Base Command
`microsoft-cas-auth-complete`

#### Input
There are no input arguments for this command.

#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-auth-complete`

#### Human Readable Output
✅ Authorization completed successfully.
### microsoft-cas-auth-reset
Run this command if for some reason you need to rerun the authentication process.

#### Base Command
`microsoft-cas-auth-reset`

#### Input
There are no input arguments for this command.

#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-auth-reset`

#### Human Readable Output
Authorization was reset successfully. You can now run !microsoft-cas-auth-start and !microsoft-cas-auth-complete.
### microsoft-cas-auth-test
Tests the connectivity to Microsoft CAS.

#### Base Command
`microsoft-cas-auth-test`

#### Input
There are no input arguments for this command.

#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-auth-test`

#### Human Readable Output
✅ Success!
### microsoft-cas-alerts-list
Returns a list of alerts that match the specified filters.

#### Base Command
`microsoft-cas-alerts-list`

#### Input
Argument Name | Description | Required |
---|---|---|
skip | Skips the specified number of records. | Optional |
limit | The maximum number of records to return. Default is 50. | Optional |
severity | The severity of the alert. Possible values are: Low, Medium, High. | Optional |
resolution_status | The alert resolution status. Possible values are: Open, Dismissed, Resolved. | Optional |
custom_filter | A custom filter by which to filter the returned alerts. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. | Optional |
alert_id | The alert ID. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
MicrosoftCloudAppSecurity.Alerts._id | String | The alert ID. |
MicrosoftCloudAppSecurity.Alerts.timestamp | Date | The time the alert was created. |
MicrosoftCloudAppSecurity.Alerts.policyRule.id | String | The ID of the rule that triggered the alert. |
MicrosoftCloudAppSecurity.Alerts.policyRule.label | String | The label of the rule that triggered the alert. |
MicrosoftCloudAppSecurity.Alerts.policyRule.type | String | The type of rule that triggered the alert. |
MicrosoftCloudAppSecurity.Alerts.policyRule.policyType | String | The policy type of the rule that triggered the alert. |
MicrosoftCloudAppSecurity.Alerts.service.id | Number | The cloud service ID. |
MicrosoftCloudAppSecurity.Alerts.service.label | String | The cloud service name. |
MicrosoftCloudAppSecurity.Alerts.service.type | String | The cloud service type. |
MicrosoftCloudAppSecurity.Alerts.file.id | String | The ID of the alert file. |
MicrosoftCloudAppSecurity.Alerts.file.label | String | The label of the alert file. |
MicrosoftCloudAppSecurity.Alerts.file.type | String | The alert file type. |
MicrosoftCloudAppSecurity.Alerts.user.id | String | The ID of the user who received the alert. |
MicrosoftCloudAppSecurity.Alerts.user.label | String | The label of the user who received the alert. |
MicrosoftCloudAppSecurity.Alerts.user.type | String | The type of the user who received the alert. |
MicrosoftCloudAppSecurity.Alerts.country.id | String | The country ID where the alert originated. |
MicrosoftCloudAppSecurity.Alerts.country.label | String | The country label where the alert originated. |
MicrosoftCloudAppSecurity.Alerts.country.type | String | The country type where the alert originated. |
MicrosoftCloudAppSecurity.Alerts.ip.id | String | The IP address from which the alert originated. |
MicrosoftCloudAppSecurity.Alerts.ip.label | String | The label of the IP address from which the alert originated. |
MicrosoftCloudAppSecurity.Alerts.ip.type | String | The type of the IP address from which the alert originated. |
MicrosoftCloudAppSecurity.Alerts.ip.triggeredAlert | Boolean | Whether this IP address triggered the alert. |
MicrosoftCloudAppSecurity.Alerts.account.id | String | The ID of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.account.label | String | The label of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.account.type | String | The type of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.account.inst | Number | The instance of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.account.saas | Number | The service of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.account.pa | String | The email of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.account.entityType | Number | The entity type of the account that received the alert. |
MicrosoftCloudAppSecurity.Alerts.title | String | The title of the alert. |
MicrosoftCloudAppSecurity.Alerts.description | String | The description of the alert. |
MicrosoftCloudAppSecurity.Alerts.policy.id | String | The ID of the reason (policy) that explains why the alert was triggered. |
MicrosoftCloudAppSecurity.Alerts.policy.label | String | The label of the reason (policy) that explains why the alert was triggered. |
MicrosoftCloudAppSecurity.Alerts.policy.policyType | String | The policy type of the reason (policy) that explains why the alert was triggered. |
MicrosoftCloudAppSecurity.Alerts.threatScore | Number | The threat score of the alert. |
MicrosoftCloudAppSecurity.Alerts.isSystemAlert | Boolean | Whether it is a system alert. |
MicrosoftCloudAppSecurity.Alerts.statusValue | Number | The status value of the alert. |
MicrosoftCloudAppSecurity.Alerts.severityValue | Number | The severity value of the alert. |
MicrosoftCloudAppSecurity.Alerts.handledByUser | String | The user who handled the alert. |
MicrosoftCloudAppSecurity.Alerts.comment | String | The comment relating to the alert. |
MicrosoftCloudAppSecurity.Alerts.resolveTime | Date | The date/time that the alert was resolved. |
#### Command Example
`!microsoft-cas-alerts-list custom_filter={"filters": {"date": {"gte_ndays":30}}, "limit": "3"}`

#### Human Readable Output
Microsoft CAS Alerts

alert_id | alert_date | title | description | status_value | severity_value | is_open |
---|---|---|---|---|---|---|
60edead2cdbeaf0b87e13377 | 2021-07-13T16:18:15.126000 | Impossible travel activity | The user John Example (john@example.onmicrosoft.com) perform failed sign in activities from remote locations that are considered an impossible travel activity. The user performed failed sign in activities from 1.2.3.6 in Netherlands and 1.2.3.4 in Israel within 96 minutes. If these are IP addresses that are known and safe, add them in the IP address range page to improve the accuracy of the alerts. | N/A | Medium | true |
60eda688cdbeaf0b87f5a41e | 2021-07-13T14:41:37.290000 | Risky sign-in: Unfamiliar sign-in properties | John Example performed a risky sign-in. Unfamiliar sign-in properties. Sign-in with properties we have not seen recently for the given user | N/A | High | true |
60eaf3cccdbeaf0b87d1a775 | 2021-07-11T09:30:05.942000 | Suspicious administrative activity | The user "John Example (john@example.onmicrosoft.com)" performed more than 214 administrative activities in a single session. | N/A | Medium | false |
### microsoft-cas-alert-close-benign
Close multiple alerts matching the specified filters as benign (an alert on a suspicious but not malicious activity, such as a penetration test or other authorized suspicious action).

#### Base Command
`microsoft-cas-alert-close-benign`

#### Input
Argument Name | Description | Required |
---|---|---|
alert_ids | A comma-separated list of IDs of the alerts matching the specified filters. An alert ID looks similar to "1234567890abcdefg". Mandatory unless you use a custom filter. | Optional |
custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
comment | Comment describing why the alerts were dismissed. | Optional |
reason | The reason for closing the alerts as benign. Providing a reason helps improve the accuracy of the detection over time. Possible values are: Actual severity is lower, Other, Confirmed with end user, Triggered by test. | Optional |
sendFeedback | Whether feedback about this alert is provided. Possible values are: false, true. Default is false. | Optional |
feedbackText | The text of the feedback. | Optional |
allowContact | Whether consent to contact the user is provided. Possible values are: false, true. Default is false. | Optional |
contactEmail | The email address of the user. | Optional |
#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-alert-close-benign alert_ids=60eaf3cccdbeaf0b87d1a775`

#### Human Readable Output
1 alerts were closed as benign.
### microsoft-cas-alert-close-true-positive
Close multiple alerts matching the specified filters as true positive (an alert on a confirmed malicious activity).

#### Base Command
`microsoft-cas-alert-close-true-positive`

#### Input
Argument Name | Description | Required |
---|---|---|
alert_ids | A comma-separated list of IDs of the alerts matching the specified filters. An alert ID looks similar to "1234567890abcdefg". Mandatory unless you use a custom filter. | Optional |
custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
comment | Comment describing why the alerts were dismissed. | Optional |
sendFeedback | Whether feedback about this alert is provided. Possible values are: false, true. Default is false. | Optional |
feedbackText | The text of the feedback. | Optional |
allowContact | Whether consent to contact the user is provided. Possible values are: false, true. Default is false. | Optional |
contactEmail | The email address of the user. | Optional |
#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-alert-close-true-positive alert_ids=60ced07dcdbeaf0b876fc7d3`

#### Human Readable Output
1 alerts were closed as true-positive.
### microsoft-cas-alert-close-false-positive
Close multiple alerts matching the specified filters as false positive (an alert on a non-malicious activity).

#### Base Command
`microsoft-cas-alert-close-false-positive`

#### Input
Argument Name | Description | Required |
---|---|---|
alert_ids | A comma-separated list of IDs of the alerts matching the specified filters. An alert ID looks similar to "1234567890abcdefg". Mandatory unless you use a custom filter. | Optional |
custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
comment | Comment describing why the alerts were dismissed. Default is None. | Optional |
reason | The reason for closing the alerts as false positive. Providing a reason helps improve the accuracy of the detection over time. Possible values are: Not of interest, Too many similar alerts, Alert is not accurate, Other. | Optional |
sendFeedback | Whether feedback about this alert is provided. Possible values are: false, true. Default is false. | Optional |
feedbackText | The text of the feedback. | Optional |
allowContact | Whether consent to contact the user is provided. Possible values are: false, true. Default is false. | Optional |
contactEmail | The email address of the user. | Optional |
#### Context Output
There is no context output for this command.

#### Command Example
`!microsoft-cas-alert-close-false-positive alert_ids=60cf6d10cdbeaf0b87acdfa9 reason="Alert is not accurate"`

#### Human Readable Output
1 alerts were closed as false-positive.
### microsoft-cas-activities-list
Returns a list of activities that match the specified filters.

#### Base Command
`microsoft-cas-activities-list`

#### Input
Argument Name | Description | Required |
---|---|---|
skip | The number of records to skip. Default is 50. | Optional |
limit | Maximum number of records returned to the user. Default is 50. | Optional |
ip | The origin of the specified IP address. | Optional |
ip_category | The subnet categories. Possible values are: Corporate, Administrative, Risky, VPN, Cloud_provider, Other. | Optional |
taken_action | The actions taken on activities. Possible values are: block, proxy, BypassProxy, encrypt, decrypt, verified, encryptionFailed, protect, verify, null. | Optional |
source | The source type. Possible values are: Access_control, Session_control, App_connector, App_connector_analysis, Discovery, MDATP. | Optional |
custom_filter | A custom filter by which to filter the returned activities. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
activity_id | The ID of the activity. | Optional |
timeout | Timeout of the request to Microsoft CAS, in seconds. Default is 60 seconds. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
IP.Address | String | IP address. |
IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
MicrosoftCloudAppSecurity.Activities._id | String | The ID of the activity. |
MicrosoftCloudAppSecurity.Activities.saasId | Number | The ID of the cloud service. |
MicrosoftCloudAppSecurity.Activities.timestamp | Date | The time the activity occurred. |
MicrosoftCloudAppSecurity.Activities.instantiation | Date | The instantiation of the activity. |
MicrosoftCloudAppSecurity.Activities.created | Date | The time the activity was created. |
MicrosoftCloudAppSecurity.Activities.eventTypeValue | String | The event type of the activity. |
MicrosoftCloudAppSecurity.Activities.device.clientIP | String | The device client IP address of the activity. |
MicrosoftCloudAppSecurity.Activities.device.userAgent | String | The user agent of the activity. |
MicrosoftCloudAppSecurity.Activities.device.countryCode | String | The country code (name) of the device. |
MicrosoftCloudAppSecurity.Activities.location.countryCode | String | The country code (name) of the activity. |
MicrosoftCloudAppSecurity.Activities.location.city | String | The city of the activity. |
MicrosoftCloudAppSecurity.Activities.location.region | String | The region of the activity. |
MicrosoftCloudAppSecurity.Activities.location.longitude | Number | The longitude of the activity. |
MicrosoftCloudAppSecurity.Activities.location.latitude | Number | The latitude of the activity. |
MicrosoftCloudAppSecurity.Activities.location.categoryValue | String | The category value of the activity. |
MicrosoftCloudAppSecurity.Activities.user.userName | String | The username associated with the activity. |
MicrosoftCloudAppSecurity.Activities.userAgent.family | String | The family of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.name | String | The name of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.name | String | The name of the operating system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.operatingSystem.family | String | The family of the operating system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.type | String | The type of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.typeName | String | The name of the type of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.version | String | The version of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.deviceType | String | The device type of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.nativeBrowser | Boolean | The native browser type of the system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.os | String | The operating system in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.userAgent.browser | String | The browser in which the activity occurred. |
MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.instanceId | Number | The ID of the instance of the event objects. |
MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.saasId | Number | The ID of the cloud service of the event objects. |
MicrosoftCloudAppSecurity.Activities.mainInfo.eventObjects.id | String | The ID of the event objects. |
MicrosoftCloudAppSecurity.Activities.mainInfo.activityResult.isSuccess | Boolean | Whether the activities were successful. |
MicrosoftCloudAppSecurity.Activities.mainInfo.type | String | The type of activity. |
MicrosoftCloudAppSecurity.Activities.confidenceLevel | Number | The confidence level of the activity. |
MicrosoftCloudAppSecurity.Activities.resolvedActor.id | String | The user ID of the activity. |
MicrosoftCloudAppSecurity.Activities.resolvedActor.saasId | String | The user cloud service ID of the activity. |
MicrosoftCloudAppSecurity.Activities.resolvedActor.instanceId | String | The user instance ID of the activity. |
MicrosoftCloudAppSecurity.Activities.resolvedActor.name | String | The username of the activity. |
MicrosoftCloudAppSecurity.Activities.eventTypeName | String | The event that triggered the activity. |
MicrosoftCloudAppSecurity.Activities.classifications | String | The classifications of the activity. |
MicrosoftCloudAppSecurity.Activities.entityData.displayName | String | The display name of entity activity. |
MicrosoftCloudAppSecurity.Activities.entityData.id.id | String | The ID of the entity activity. |
MicrosoftCloudAppSecurity.Activities.entityData.resolved | Boolean | Whether the entity was resolved. |
MicrosoftCloudAppSecurity.Activities.description | String | The description of the activity. |
MicrosoftCloudAppSecurity.Activities.genericEventType | String | The generic event type of the activity. |
MicrosoftCloudAppSecurity.Activities.severity | String | The severity of the activity. |
#### Command Example
`!microsoft-cas-activities-list limit=4`

#### Human Readable Output
Microsoft CAS Activity

activity_id | activity_date | app_name | description | severity |
---|---|---|---|---|
4b23b9daccf2604cec7fc8654bd98480707b0114450dac11c4a9feab98ca2499 | 2021-07-13T17:26:14.610000 | Office 365 | Failed log on (Failure message: Session information is not sufficient for single-sign-on.) | INFO |
### microsoft-cas-files-list
Returns a list of files that match the specified filters. Filters include file type, file share value, file extension, file quarantine status, and a custom filter. If you pass the custom_filter argument it will override the other filters in this command. Note: This command is supported only when using the legacy authentication.

#### Base Command
`microsoft-cas-files-list`

#### Input
Argument Name | Description | Required |
---|---|---|
skip | Skips the specified number of records. Default is 50. | Optional |
limit | Maximum number of records to return. Default is 50. | Optional |
file_type | The file type. Possible values are: Other, Document, Spreadsheet, Presentation, Text, Image, Folder. | Optional |
sharing | Filter files with the specified sharing levels. Possible values are: Private, Internal, External, Public, Public_Internet. | Optional |
extension | Filter files by the specified file extension. | Optional |
quarantined | Filter by whether the file is quarantined. Possible values are: True, False. | Optional |
custom_filter | A custom filter by which to filter the returned files. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
file_id | Filter by the file ID. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
MicrosoftCloudAppSecurity.Files._id | String | The ID of the file. |
MicrosoftCloudAppSecurity.Files.saasId | Number | The cloud service ID of the file. |
MicrosoftCloudAppSecurity.Files.instId | Number | The instance ID of the file. |
MicrosoftCloudAppSecurity.Files.fileSize | Number | The size of the file. |
MicrosoftCloudAppSecurity.Files.createdDate | Date | The date the file was created. |
MicrosoftCloudAppSecurity.Files.modifiedDate | Date | The date the file was last modified. |
MicrosoftCloudAppSecurity.Files.parentId | String | The parent ID of the file. |
MicrosoftCloudAppSecurity.Files.ownerName | String | The name of the file owner. |
MicrosoftCloudAppSecurity.Files.isFolder | Boolean | Whether the file is a folder. |
MicrosoftCloudAppSecurity.Files.fileType | String | The file type. |
MicrosoftCloudAppSecurity.Files.name | String | The name of the file. |
MicrosoftCloudAppSecurity.Files.isForeign | Boolean | Whether the file is foreign. |
MicrosoftCloudAppSecurity.Files.noGovernance | Boolean | Whether the file is no governance. |
MicrosoftCloudAppSecurity.Files.fileAccessLevel | String | The access level of the file. |
MicrosoftCloudAppSecurity.Files.ownerAddress | String | The email address of the file owner. |
MicrosoftCloudAppSecurity.Files.externalShares | String | The external shares of the file. |
MicrosoftCloudAppSecurity.Files.domains | String | The domains of the file. |
MicrosoftCloudAppSecurity.Files.mimeType | String | The mime type of the file. |
MicrosoftCloudAppSecurity.Files.ownerExternal | Boolean | Whether the owner of this file is external. |
MicrosoftCloudAppSecurity.Files.fileExtension | String | The file extension. |
MicrosoftCloudAppSecurity.Files.groupIds | String | The group IDs of the file. |
MicrosoftCloudAppSecurity.Files.groups | String | The group the file belongs to. |
MicrosoftCloudAppSecurity.Files.collaborators | String | The collaborators of the file. |
MicrosoftCloudAppSecurity.Files.fileStatus | String | The status of the file. |
MicrosoftCloudAppSecurity.Files.appName | String | The name of the app. |
MicrosoftCloudAppSecurity.Files.actions.task_name | String | The name of the task. |
MicrosoftCloudAppSecurity.Files.actions.type | String | The type of actions taken on the file. |
#### Command Example
`!microsoft-cas-files-list file_type=Text skip=4 limit=5`

#### Human Readable Output
Microsoft CAS Files

owner_name | file_id | file_type | file_name | file_access_level | file_status | app_name |
---|---|---|---|---|---|---|
John Example | 5f60838dc3b664209dab9a97 | TEXT | 20200525154133.JPG.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
John Example | 5f39f079c3b664209de9c64c | TEXT | WhatsApp Image 2020-08-02 at 11.04.46.jpeg.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
John Example | 5f306f37c3b664209d444bf2 | TEXT | 20180726150700.JPG.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
John Example | 5f306f6ec3b664209d5013d3 | TEXT | 20180802_144154.jpg.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
John Example | 5f306ef5c3b664209d36d024 | TEXT | 20170813_125133.jpg.txt | PRIVATE | EXISTS | Microsoft OneDrive for Business |
### microsoft-cas-users-accounts-list
Returns a list of user accounts that match the specified filters. Filters include user account type, group ID, external/internal, user account status, and a custom filter. The accounts object schema includes information about how users and accounts use your organization's cloud apps.

#### Base Command
`microsoft-cas-users-accounts-list`

#### Input
Argument Name | Description | Required |
---|---|---|
skip | The number of records to skip. | Optional |
limit | The maximum number of records to return. Default is 50. | Optional |
type | The type by which to filter the information about the user accounts. | Optional |
group_id | The group ID by which to filter the information about the user accounts. | Optional |
is_admin | Filter the user accounts that are defined as admins. | Optional |
is_external | The affiliation of the user accounts. Possible values are: External, Internal, No_value. | Optional |
status | The status by which to filter the information about the user accounts. Possible values are: N/A, Staged, Active, Suspended, Deleted. | Optional |
custom_filter | A custom filter by which to filter the returned user accounts. If you pass the custom_filter argument it will override the other filters in this command. For more information about filter syntax, refer to https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
MicrosoftCloudAppSecurity.UsersAccounts.displayName | String | The display name of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.id | String | The ID of the user account in the product. |
MicrosoftCloudAppSecurity.UsersAccounts._id | String | The ID of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.isAdmin | Boolean | Whether the user account has admin privileges. |
MicrosoftCloudAppSecurity.UsersAccounts.isExternal | Boolean | Whether the user account is external. |
MicrosoftCloudAppSecurity.UsersAccounts.email | String | The email address of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.role | String | The role of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.organization | String | The organization to which the user account belongs. |
MicrosoftCloudAppSecurity.UsersAccounts.lastSeen | Unknown | The date the user account was last active. |
MicrosoftCloudAppSecurity.UsersAccounts.domain | String | The domain of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.threatScore | Unknown | The threat score of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.idType | Number | The ID type (number) of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.isFake | Boolean | Whether the user account is marked as fake. |
MicrosoftCloudAppSecurity.UsersAccounts.username | String | The username of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.actions.task_name | String | The task name of the action of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.actions.type | String | The type of action of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts._id | String | The account ID of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.inst | Number | The number of instances of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.saas | Number | The cloud services of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.dn | String | The domain name of the cloud services of the user accounts. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.aliases | String | The user account aliases. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.isFake | Boolean | Whether the user account is marked as fake. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.em | Unknown | The email address of the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.task_name | String | The task name of the action. |
MicrosoftCloudAppSecurity.UsersAccounts.accounts.actions.type | String | The type of the action. |
MicrosoftCloudAppSecurity.UsersAccounts.userGroups._id | String | The ID of the user group for the user account. |
MicrosoftCloudAppSecurity.UsersAccounts.userGroups.id | String | The ID of the user group in the product. |
MicrosoftCloudAppSecurity.UsersAccounts.userGroups.name | String | The name of the user group. |
MicrosoftCloudAppSecurity.UsersAccounts.userGroups.usersCount | Number | The number of users in the user group. |
#### Command Example
`!microsoft-cas-users-accounts-list status=Active limit=3`

#### Human Readable Output
Microsoft CAS Users And Accounts

display_name | is_admin | is_external |
---|---|---|
365 Defender Dev | false | true |
AAD App Management | false | false |
AAD Request Verification Service - PROD | false | false |