# Microsoft Defender for Cloud Apps Event Collector

This Integration is part of the Microsoft Defender for Cloud Apps Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Microsoft Defender for Cloud Apps Event Collector integration.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

## Configure Microsoft Defender for Cloud Apps Event Collector in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Endpoint Type | The endpoint for accessing Microsoft Defender for Cloud Applications (MCAS); see the table below. | Worldwide |
| Endpoint URI | The United States: api-us.security.microsoft.com; Europe: api-eu.security.microsoft.com; The United Kingdom: api-uk.security.microsoft.com | True |
| Client (Application) ID | The Client (Application) ID to use to connect. | True |
| Client Secret | | True |
| Tenant ID | | True |
| Scope | | True |
| First fetch timestamp (`<number> <time unit>`, e.g., 12 hours, 7 days) | | False |
| Number of alerts for each fetch. | Due to API limitations, the maximum is 10,000. | False |
| Fetch events | | False |
| Verify SSL Certificate | | False |
| Use system proxy settings | | False |
| Event types to fetch | | True |

Endpoint Type options:

| Endpoint Type | Description |
| --- | --- |
| Worldwide | The publicly accessible Microsoft Defender for Cloud Applications |
| US GCC | Microsoft Defender for Cloud Applications for the USA Government Cloud Community (GCC) |
| US GCC-High | Microsoft Defender for Cloud Applications for the USA Government Cloud Community High (GCC-High) |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### microsoft-defender-cloud-apps-get-events

Returns a list of alerts.

#### Base Command

`microsoft-defender-cloud-apps-get-events`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of alerts per fetch. Default is 10000. | Optional |
| after | The first fetch time (`<number> <time unit>`, for example 12 hours, 1 day, 3 months). Default is 3 days. | Optional |
| push_to_xsiam | Whether to push the fetched events to XSIAM or not. Possible values are: false, true. Default is false. | Optional |
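
The `after` argument above and the "First fetch timestamp" parameter in the configuration table share the same `<number> <time unit>` format, and the `limit` argument is capped by the API at 10,000. The following is an added example, not the integration's own code, showing how to validate both before a fetch so that a typo in the time unit or an oversized limit fails loudly instead of silently fetching the wrong window. The unit table (minute, hour, day, week, month) and the 30-day approximation of a month are assumptions of this example; the page does not state how the integration itself converts them.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Maximum alerts the collector accepts per fetch, as stated on the integration page.
MAX_ALERTS_PER_FETCH = 10_000
# Default "after" window for microsoft-defender-cloud-apps-get-events, per the page.
DEFAULT_AFTER = "3 days"

# Assumed unit table: the integration's own conversion is not shown on the page.
# A week is taken as 7 days and a month is approximated as 30 days here.
_UNIT_SECONDS = {
    "minute": 60,
    "hour": 3600,
    "day": 86_400,
    "week": 7 * 86_400,
    "month": 30 * 86_400,
}

# "<number> <time unit>", with the unit accepted in singular or plural form.
_SPEC_RE = re.compile(r"^\s*(\d+)\s+([a-z]+?)s?\s*$", re.IGNORECASE)


def relative_seconds(spec: str | None) -> int:
    """Convert an "after"/"first fetch" spec such as "12 hours" into seconds.

    An empty or missing spec falls back to DEFAULT_AFTER. A malformed spec or
    an unknown unit raises ValueError rather than being guessed at.
    """
    if not spec or not spec.strip():
        spec = DEFAULT_AFTER
    match = _SPEC_RE.match(spec)
    if not match:
        raise ValueError(f"malformed time spec {spec!r}; expected '<number> <time unit>'")
    amount, unit = int(match.group(1)), match.group(2).lower()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown time unit {unit!r}; expected one of {sorted(_UNIT_SECONDS)}")
    return amount * _UNIT_SECONDS[unit]


def fetch_start_iso(spec: str | None, now_iso: str) -> str:
    """Return the UTC ISO-8601 timestamp that lies `spec` before `now_iso`.

    `now_iso` is a reference time such as "2024-05-01T12:00:00Z" (a constructed
    value in the usage below, not a timestamp taken from the page).
    """
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    start = now - timedelta(seconds=relative_seconds(spec))
    return start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def clamp_limit(limit: int | None) -> int:
    """Validate the per-fetch alert limit against the documented API maximum."""
    if limit is None:
        return MAX_ALERTS_PER_FETCH
    if limit < 1 or limit > MAX_ALERTS_PER_FETCH:
        raise ValueError(f"limit must be between 1 and {MAX_ALERTS_PER_FETCH}, got {limit}")
    return limit


if __name__ == "__main__":
    # Constructed inputs mirroring the examples given on the page.
    for spec in ("12 hours", "7 days", "1 day", "3 months", ""):
        label = spec or "(default)"
        print(f"{label:>10} -> fetch from {fetch_start_iso(spec, '2024-05-01T12:00:00Z')}")
    print("limit", clamp_limit(10_000))
```

Rejecting an unknown unit instead of defaulting matters operationally: a collector that quietly falls back to its default window after a misspelled unit can leave a gap in alert coverage that nobody notices until an investigation needs the missing events.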

#### Context Output

There is no context output for this command.

### microsoft-defender-cloud-apps-auth-reset

Run this command if for some reason you need to rerun the authentication process.

#### Base Command

`microsoft-defender-cloud-apps-auth-reset`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.