Microsoft Cloud App Security
Version: 2.0.0
Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.
Connect Microsoft Cloud App Security with LogicHub
- Navigate to Automations > Integrations.
- Search for Microsoft Cloud App Security.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select whether to verify the connecting server's TLS/SSL certificate (Default is Verify SSL Certificate). Keep verification enabled: the API token is sent with every request, and disabling verification lets an on-path attacker intercept it.
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API URL: Base URL of the API. If you have the portal URL, append the /api suffix to obtain the API URL. Use https; the host is your tenant's portal host (compare the URL field in the alert output below). Example: https://mytenant.us2.contoso.com/api
- Token: API token used to authenticate every request. Treat it as a credential: store it only in this connection field, do not paste it into playbook inputs or logs, and revoke and re-issue it if it is exposed.
- After you've entered all the details, click Connect.
Actions for Microsoft Cloud App Security
List Activities
Fetches a list of activities matching the specified filters.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template for json of filters. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. Example filter: {"activity.id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | Required |
Sort Direction | Select the sorting direction (Default is Ascending). | |
Sort Field | Fields used to sort activities (Default is Date). | |
Skip | Skips the specified number of records (Default is 0). | |
Limit | Maximum number of records returned by the request (Default is 100, Max is 100,000). | |
Output
Array of activity objects. Note that description and description_metadata.parameters contain HTML markup (for example &lt;b&gt; tags); escape or strip it before rendering in a UI, ticket or notification.
{
"_id":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
"aadTenantId":"2d97f757-5a31-46a8-a957-3890738e1a25",
"adallom":{
"agentType":3,
"alertActor":"11161|0|[email protected]",
"alertBulk":false,
"alertDate":"2021-02-11T00:28:50.3780000Z",
"alertMongoId":"60255329369efb920b8e8e4f",
"alertScore":"0",
"alertSeverity":1,
"alertSeverityValue":1,
"alertTimestamp":1613003330378,
"alertTitle":"Impossible travel activity",
"alertTypeId":15859716,
"alertUid":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]",
"allowContact":false,
"bulkId":"60278369aa47e53c2fd5b92a",
"comment":"closed by Indrajeet",
"contactEmail":"[email protected]",
"count":1,
"feedback":"",
"handledByUser":"[email protected]",
"isLegacyAlertStatus":false,
"licenses":[
"AdallomStandalone"
],
"operationTime":1613202281063,
"reasonId":3,
"resolutionStatus":4,
"sendFeedback":false,
"title":"Impossible travel activity"
},
"appId":20595,
"appName":"Microsoft Cloud App Security",
"classifications":[
],
"confidenceLevel":20,
"created":1613202288379,
"createdRaw":1613202288379,
"description":"Close alert as benign: Alert Closed ; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
"description_id":"EVENT_DESCRIPTION_SECURITY_EVENT",
"description_metadata":{
"activity_result_message":"",
"colon":": ",
"dash":"",
"event_category":"Close alert as benign",
"operation_name":"Alert Closed",
"parameters":"; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
"target_object":""
},
"device":{
"clientIP":"52.89.253.223",
"countryCode":"US",
"userAgent":"python-requests/2.25.0"
},
"entityData":{
"0":{
"displayName":"tango bango",
"id":{
"id":"[email protected]",
"inst":0,
"saas":11161
},
"resolved":true
},
"1":null,
"2":{
"displayName":"tango bango",
"id":{
"id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
"inst":0,
"saas":11161
},
"resolved":true
}
},
"error":null,
"eventRouting":{
"adminEvent":true,
"auditing":true,
"scubaUnpacker":false
},
"eventType":917724,
"eventTypeName":"EVENT_CATEGORY_CLOSE_ALERT_BENIGN",
"eventTypeValue":"EVENT_ADALLOM_ALERT_CLOSED_BENIGN",
"genericEventType":"ENUM_ACTIVITY_GENERIC_TYPE_SECURITY_EVENT",
"has_error":false,
"instantiation":1613202288233,
"instantiationRaw":1613202288233,
"internals":{
"otherIPs":[
"52.89.253.223"
]
},
"location":{
"anonymousProxy":false,
"category":5,
"categoryValue":"CLOUD_PROXY_NETWORK_IP",
"city":"boardman",
"countryCode":"US",
"ipTags":[
"000000290000000000000000"
],
"isSatelliteProvider":false,
"latitude":45.73723,
"longitude":-119.81143,
"organizationSearchable":"Amazon Web Services",
"postalCode":"97818",
"region":"oregon"
},
"mainInfo":{
"eventObjects":[
{
"name":"Resolution Status",
"objType":7,
"role":3,
"tags":[
],
"value":"Benign"
},
{
"name":"Alert Title",
"objType":7,
"role":3,
"tags":[
],
"value":"Impossible travel activity"
},
{
"name":"Alert Unique Id",
"objType":7,
"role":3,
"tags":[
],
"value":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]"
},
{
"name":"Handled By User",
"objType":7,
"role":3,
"tags":[
],
"value":"[email protected]"
},
{
"id":"[email protected]",
"instanceId":0,
"link":426759197,
"name":"tango bango",
"objType":21,
"resolved":true,
"role":4,
"saasId":11161,
"tags":[
]
},
{
"id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
"instanceId":0,
"link":426759197,
"name":"tango bango",
"objType":23,
"resolved":true,
"role":4,
"saasId":11161,
"tags":[
"602477681ebb340bf80fa8f3"
]
}
],
"prettyOperationName":"Alert Closed",
"rawOperationName":"Alert Closed",
"type":"securityEvent"
},
"resolvedActor":{
"id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
"instanceId":"0",
"name":"tango bango",
"objType":"23",
"resolved":true,
"role":"4",
"saasId":"11161",
"tags":[
"602477681ebb340bf80fa8f3"
]
},
"saasId":20595,
"session":{
"sessionId":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"severity":"INFO",
"tags":[
"000000110000000000000000"
],
"tenantId":112624484,
"timestamp":1613202281066,
"timestampRaw":1613202281066,
"uid":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
"user":{
"userName":"[email protected]",
"userTags":[
"602477681ebb340bf80fa8f3"
]
},
"userAgent":{
"browser":"PYTHON_REQUESTS",
"deviceType":"DESKTOP",
"family":"PYTHON_REQUESTS",
"major":"2",
"minor":"25",
"name":"Python-requests",
"nativeBrowser":true,
"operatingSystem":{
"family":"Unknown",
"name":"Unknown"
},
"os":"OTHER",
"tags":[
"000000000000000000000000"
],
"type":"Library",
"typeName":"Library",
"version":"2.25.0"
}
}
Get Activity by ID
Get activity details by activity ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Activity ID | Column name from parent table containing activity ID. | Required |
Output
The activity object matching the supplied ID.
{
"_id":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
"tenantId":112624484,
"aadTenantId":"2d97f757-5a31-46a8-a957-3890738e1a25",
"appId":20595,
"saasId":20595,
"timestamp":1613202281066,
"timestampRaw":1613202281066,
"instantiation":1613202288233,
"instantiationRaw":1613202288233,
"created":1613202288379,
"createdRaw":1613202288379,
"eventType":917724,
"eventTypeValue":"EVENT_ADALLOM_ALERT_CLOSED_BENIGN",
"eventRouting":{
"scubaUnpacker":false,
"auditing":true,
"adminEvent":true
},
"device":{
"clientIP":"52.89.253.223",
"userAgent":"python-requests/2.25.0",
"countryCode":"US"
},
"location":{
"countryCode":"US",
"city":"boardman",
"postalCode":"97818",
"region":"oregon",
"longitude":-119.81143,
"latitude":45.73723,
"organizationSearchable":"Amazon Web Services",
"anonymousProxy":false,
"isSatelliteProvider":false,
"ipTags":[
"000000290000000000000000"
],
"category":5,
"categoryValue":"CLOUD_PROXY_NETWORK_IP"
},
"user":{
"userName":"[email protected]",
"userTags":[
"602477681ebb340bf80fa8f3"
]
},
"userAgent":{
"family":"PYTHON_REQUESTS",
"name":"Python-requests",
"operatingSystem":{
"name":"Unknown",
"family":"Unknown"
},
"type":"Library",
"typeName":"Library",
"version":"2.25.0",
"major":"2",
"minor":"25",
"deviceType":"DESKTOP",
"nativeBrowser":true,
"tags":[
"000000000000000000000000"
],
"os":"OTHER",
"browser":"PYTHON_REQUESTS"
},
"internals":{
"otherIPs":[
"52.89.253.223"
]
},
"tags":[
"000000110000000000000000"
],
"mainInfo":{
"eventObjects":[
{
"objType":7,
"role":3,
"tags":[
],
"name":"Resolution Status",
"value":"Benign"
},
{
"objType":7,
"role":3,
"tags":[
],
"name":"Alert Title",
"value":"Impossible travel activity"
},
{
"objType":7,
"role":3,
"tags":[
],
"name":"Alert Unique Id",
"value":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]"
},
{
"objType":7,
"role":3,
"tags":[
],
"name":"Handled By User",
"value":"[email protected]"
},
{
"objType":21,
"role":4,
"tags":[
],
"name":"tango bango",
"instanceId":0,
"resolved":true,
"saasId":11161,
"link":426759197,
"id":"[email protected]"
},
{
"objType":23,
"role":4,
"tags":[
"602477681ebb340bf80fa8f3"
],
"name":"tango bango",
"instanceId":0,
"resolved":true,
"saasId":11161,
"link":426759197,
"id":"bdd136b2-2307-47a4-823a-43a8d26ccaff"
}
],
"rawOperationName":"Alert Closed",
"prettyOperationName":"Alert Closed",
"type":"securityEvent"
},
"confidenceLevel":20,
"session":{
"sessionId":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"adallom":{
"alertSeverity":1,
"isLegacyAlertStatus":false,
"alertSeverityValue":1,
"resolutionStatus":4,
"alertTimestamp":1613003330378,
"handledByUser":"[email protected]",
"operationTime":1613202281063,
"alertMongoId":"60255329369efb920b8e8e4f",
"allowContact":false,
"contactEmail":"[email protected]",
"sendFeedback":false,
"alertTypeId":15859716,
"alertActor":"11161|0|[email protected]",
"alertScore":"0",
"alertTitle":"Impossible travel activity",
"agentType":3,
"alertBulk":false,
"alertDate":"2021-02-11T00:28:50.3780000Z",
"alertUid":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]",
"feedback":"",
"licenses":[
"AdallomStandalone"
],
"reasonId":3,
"comment":"closed by Indrajeet",
"bulkId":"60278369aa47e53c2fd5b92a",
"count":1,
"title":"Impossible travel activity"
},
"resolvedActor":{
"id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
"saasId":"11161",
"instanceId":"0",
"tags":[
"602477681ebb340bf80fa8f3"
],
"objType":"23",
"name":"tango bango",
"role":"4",
"resolved":true
},
"uid":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
"appName":"Microsoft Cloud App Security",
"eventTypeName":"EVENT_CATEGORY_CLOSE_ALERT_BENIGN",
"classifications":[
],
"entityData":{
"0":{
"displayName":"tango bango",
"id":{
"id":"[email protected]",
"saas":11161,
"inst":0
},
"resolved":true
},
"1":null,
"2":{
"displayName":"tango bango",
"id":{
"id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
"saas":11161,
"inst":0
},
"resolved":true
}
},
"description_id":"EVENT_DESCRIPTION_SECURITY_EVENT",
"description_metadata":{
"target_object":"",
"parameters":"; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
"activity_result_message":"",
"event_category":"Close alert as benign",
"operation_name":"Alert Closed",
"colon":": ",
"dash":""
},
"description":"Close alert as benign: Alert Closed ; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
"genericEventType":"ENUM_ACTIVITY_GENERIC_TYPE_SECURITY_EVENT",
"severity":"INFO",
"error":null,
"has_error":false
}
List Alerts
List alerts of Microsoft Cloud App Security
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template for json of filters. Reference for all the alert filter options: https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | |
Sort Direction | Select the sorting direction (Default is Ascending). | |
Sort Field | Field used to sort alerts (Default is Date). | |
Skip | Skips the specified number of records (Default is 0). | |
Limit | Maximum number of records returned by the request (Default is 100, Max is 100,000). | |
Output
One row per alert object. Note that description contains HTML markup (paragraph, line-break and anchor tags); escape or strip it before rendering in a UI, ticket or notification.
{
"URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
"_id":"60255329369efb920b8e8e4f",
"comment":"closed by Indrajeet",
"contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
"description":"<p>The user tango bango ([email protected]) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
"entities":[
{
"id":20595,
"label":"Microsoft Cloud App Security",
"type":"service"
},
{
"countryCode":"SE",
"id":"77.111.245.14",
"label":"77.111.245.14",
"triggeredAlert":true,
"type":"ip"
},
{
"countryCode":"IN",
"id":"49.36.149.102",
"label":"49.36.149.102",
"triggeredAlert":true,
"type":"ip"
},
{
"id":"IN",
"label":"IN",
"type":"country"
},
{
"id":"SE",
"label":"SE",
"type":"country"
},
{
"id":"60233090e39f5c3e5a17877a",
"label":"Impossible travel",
"policyType":"ANOMALY_DETECTION",
"type":"policyRule"
},
{
"entityType":1,
"id":"[email protected]",
"inst":0,
"label":"tango bango",
"pa":"[email protected]",
"saas":11161,
"type":"account"
},
{
"id":"[email protected]",
"label":"[email protected]",
"type":"user"
}
],
"error":null,
"handledByUser":"[email protected]",
"has_error":false,
"idValue":15859716,
"isPreview":false,
"isSystemAlert":false,
"resolveTime":"2021-02-13T07:44:41.063Z",
"severityValue":1,
"statusValue":0,
"stories":[
0
],
"threatScore":0,
"timestamp":1613003330378,
"title":"Impossible travel activity"
}
Get Alert by ID
Get alert details by alert ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Alert ID | Column name from parent table containing the alert ID. | Required |
Output
A JSON object containing the alert object.
{
"_id":"60255329369efb920b8e8e4f",
"contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
"description":"<p>The user tango bango ([email protected]) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
"entities":[
{
"id":20595,
"type":"service",
"label":"Microsoft Cloud App Security"
},
{
"countryCode":"SE",
"id":"77.111.245.14",
"type":"ip",
"triggeredAlert":true,
"label":"77.111.245.14"
},
{
"countryCode":"IN",
"id":"49.36.149.102",
"type":"ip",
"triggeredAlert":true,
"label":"49.36.149.102"
},
{
"label":"IN",
"id":"IN",
"type":"country"
},
{
"label":"SE",
"id":"SE",
"type":"country"
},
{
"policyType":"ANOMALY_DETECTION",
"id":"60233090e39f5c3e5a17877a",
"label":"Impossible travel",
"type":"policyRule"
},
{
"pa":"[email protected]",
"saas":11161,
"entityType":1,
"inst":0,
"label":"tango bango",
"id":"[email protected]",
"type":"account"
},
{
"label":"[email protected]",
"id":"[email protected]",
"type":"user"
}
],
"idValue":15859716,
"isPreview":false,
"isSystemAlert":false,
"severityValue":1,
"statusValue":0,
"stories":[
0
],
"threatScore":0,
"timestamp":1613003330378,
"title":"Impossible travel activity",
"comment":"closed by Indrajeet",
"handledByUser":"[email protected]",
"resolveTime":"2021-02-13T07:44:41.063Z",
"URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
"error":null,
"has_error":false
}
Close Alert
Close one or more Microsoft Cloud App Security alerts that match a filter.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Close Status | Column name from parent table containing close status. Selected parent table column can have values: ("Benign", "False Positive", or "True Positive"). | Required |
Filter | Jinja-template for json of filters. Reference for all the alert filter options: https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}}. Every alert matching the filter is closed, so make sure the filter targets only the intended alerts (for example by id) before running this action in an automated playbook. | Required |
Comment | Column name from parent table containing a comment about why the alerts are dismissed. | Required |
Reason ID | Column name from parent table providing a reason, which helps improve the accuracy of the detection over time. Not used for True Positive. Possible values for Benign: 2, 4, 5, 6. Possible values for False Positive: 0, 1, 3, 4. | Required |
Send Feedback | Column name from parent table indicating that feedback about this alert is provided. Parent table should contain either true / false. (Default is false). | Required |
Feedback Text | Column name from the parent table containing text of the feedback. | Required |
Allow Contact | Column name from parent table containing a boolean value indicating that consent to contact the user is provided. Selected parent table column should contain either true / false. (Default is false). | Required |
Contact Email | The email address at which the user may be contacted about this alert (only meaningful when Allow Contact is true). | Required |
Output
A JSON object containing the result:
- closed_benign: Number of alerts closed by the request (key shown for a Benign close; confirm the key name for other close statuses in your deployment)
- has_error: True/False
- error: message/null
{
"closed_benign":1,
"error":null,
"has_error":false
}
Mark Alert
Mark alert read / unread
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Alert ID | Column name from parent table containing the alert ID. | Required |
Mark Status | Column name from parent table containing mark status. Selected parent table column can have values: (UNREAD / READ). | Required |
Output
A JSON object containing the alert updated.
{
"_id":"60255329369efb920b8e8e4f",
"contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
"description":"<p>The user tango bango ([email protected]) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
"entities":[
{
"id":20595,
"type":"service",
"label":"Microsoft Cloud App Security"
},
{
"countryCode":"SE",
"id":"77.111.245.14",
"type":"ip",
"triggeredAlert":true,
"label":"77.111.245.14"
},
{
"countryCode":"IN",
"id":"49.36.149.102",
"type":"ip",
"triggeredAlert":true,
"label":"49.36.149.102"
},
{
"label":"IN",
"id":"IN",
"type":"country"
},
{
"label":"SE",
"id":"SE",
"type":"country"
},
{
"policyType":"ANOMALY_DETECTION",
"id":"60233090e39f5c3e5a17877a",
"label":"Impossible travel",
"type":"policyRule"
},
{
"pa":"[email protected]",
"saas":11161,
"entityType":1,
"inst":0,
"label":"tango bango",
"id":"[email protected]",
"type":"account"
},
{
"label":"[email protected]",
"id":"[email protected]",
"type":"user"
}
],
"idValue":15859716,
"isPreview":false,
"isSystemAlert":false,
"severityValue":1,
"statusValue":0,
"stories":[
0
],
"threatScore":0,
"timestamp":1613003330378,
"title":"Impossible travel activity",
"comment":"closed by Indrajeet",
"handledByUser":"[email protected]",
"resolveTime":"2021-02-13T08:55:02.240Z",
"URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
"error":null,
"has_error":false
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem