Microsoft Cloud App Security

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

Integration with LogicHub

Connecting with Microsoft Cloud App Security

To connect to Microsoft Cloud App Security, the following connection details are required:

Actions with Microsoft Cloud App Security

List Activities

Fetches a list of activities matching the specified filters.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • FILTER: Jinja template that renders to a JSON object of filters. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. Example filter: {"activity.id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}}. Note that column values are substituted verbatim into the JSON text: a value containing a double quote, backslash or newline will produce invalid JSON or change the meaning of the filter, so only reference columns that hold trusted, well-formed identifiers (or escape the value in the template).
  • Sort Direction: Select the sorting direction (Default is Ascending)
  • Sort Field: Fields used to sort activities (Default is Date)
  • Skip: Skips the specified number of records (Default is 0)
  • Limit: Maximum number of records returned by the request (Default is 100, Max is 100,000)

Output of Action
Array of activity objects. The `description` and `description_metadata.parameters` fields contain HTML markup (for example `<b>` tags) supplied by the service; treat them as untrusted and escape or sanitize them before rendering in a UI or embedding in notifications.

{
   "_id":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
   "aadTenantId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "adallom":{
      "agentType":3,
      "alertActor":"11161|0|[email protected]",
      "alertBulk":false,
      "alertDate":"2021-02-11T00:28:50.3780000Z",
      "alertMongoId":"60255329369efb920b8e8e4f",
      "alertScore":"0",
      "alertSeverity":1,
      "alertSeverityValue":1,
      "alertTimestamp":1613003330378,
      "alertTitle":"Impossible travel activity",
      "alertTypeId":15859716,
      "alertUid":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]",
      "allowContact":false,
      "bulkId":"60278369aa47e53c2fd5b92a",
      "comment":"closed by Indrajeet",
      "contactEmail":"[email protected]",
      "count":1,
      "feedback":"",
      "handledByUser":"[email protected]",
      "isLegacyAlertStatus":false,
      "licenses":[
         "AdallomStandalone"
      ],
      "operationTime":1613202281063,
      "reasonId":3,
      "resolutionStatus":4,
      "sendFeedback":false,
      "title":"Impossible travel activity"
   },
   "appId":20595,
   "appName":"Microsoft Cloud App Security",
   "classifications":[
      
   ],
   "confidenceLevel":20,
   "created":1613202288379,
   "createdRaw":1613202288379,
   "description":"Close alert as benign: Alert Closed ; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
   "description_id":"EVENT_DESCRIPTION_SECURITY_EVENT",
   "description_metadata":{
      "activity_result_message":"",
      "colon":": ",
      "dash":"",
      "event_category":"Close alert as benign",
      "operation_name":"Alert Closed",
      "parameters":"; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
      "target_object":""
   },
   "device":{
      "clientIP":"52.89.253.223",
      "countryCode":"US",
      "userAgent":"python-requests/2.25.0"
   },
   "entityData":{
      "0":{
         "displayName":"tango bango",
         "id":{
            "id":"[email protected]",
            "inst":0,
            "saas":11161
         },
         "resolved":true
      },
      "1":null,
      "2":{
         "displayName":"tango bango",
         "id":{
            "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
            "inst":0,
            "saas":11161
         },
         "resolved":true
      }
   },
   "error":null,
   "eventRouting":{
      "adminEvent":true,
      "auditing":true,
      "scubaUnpacker":false
   },
   "eventType":917724,
   "eventTypeName":"EVENT_CATEGORY_CLOSE_ALERT_BENIGN",
   "eventTypeValue":"EVENT_ADALLOM_ALERT_CLOSED_BENIGN",
   "genericEventType":"ENUM_ACTIVITY_GENERIC_TYPE_SECURITY_EVENT",
   "has_error":false,
   "instantiation":1613202288233,
   "instantiationRaw":1613202288233,
   "internals":{
      "otherIPs":[
         "52.89.253.223"
      ]
   },
   "location":{
      "anonymousProxy":false,
      "category":5,
      "categoryValue":"CLOUD_PROXY_NETWORK_IP",
      "city":"boardman",
      "countryCode":"US",
      "ipTags":[
         "000000290000000000000000"
      ],
      "isSatelliteProvider":false,
      "latitude":45.73723,
      "longitude":-119.81143,
      "organizationSearchable":"Amazon Web Services",
      "postalCode":"97818",
      "region":"oregon"
   },
   "mainInfo":{
      "eventObjects":[
         {
            "name":"Resolution Status",
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "value":"Benign"
         },
         {
            "name":"Alert Title",
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "value":"Impossible travel activity"
         },
         {
            "name":"Alert Unique Id",
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "value":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]"
         },
         {
            "name":"Handled By User",
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "value":"[email protected]"
         },
         {
            "id":"[email protected]",
            "instanceId":0,
            "link":426759197,
            "name":"tango bango",
            "objType":21,
            "resolved":true,
            "role":4,
            "saasId":11161,
            "tags":[
               
            ]
         },
         {
            "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
            "instanceId":0,
            "link":426759197,
            "name":"tango bango",
            "objType":23,
            "resolved":true,
            "role":4,
            "saasId":11161,
            "tags":[
               "602477681ebb340bf80fa8f3"
            ]
         }
      ],
      "prettyOperationName":"Alert Closed",
      "rawOperationName":"Alert Closed",
      "type":"securityEvent"
   },
   "resolvedActor":{
      "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
      "instanceId":"0",
      "name":"tango bango",
      "objType":"23",
      "resolved":true,
      "role":"4",
      "saasId":"11161",
      "tags":[
         "602477681ebb340bf80fa8f3"
      ]
   },
   "saasId":20595,
   "session":{
      "sessionId":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
   },
   "severity":"INFO",
   "tags":[
      "000000110000000000000000"
   ],
   "tenantId":112624484,
   "timestamp":1613202281066,
   "timestampRaw":1613202281066,
   "uid":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
   "user":{
      "userName":"[email protected]",
      "userTags":[
         "602477681ebb340bf80fa8f3"
      ]
   },
   "userAgent":{
      "browser":"PYTHON_REQUESTS",
      "deviceType":"DESKTOP",
      "family":"PYTHON_REQUESTS",
      "major":"2",
      "minor":"25",
      "name":"Python-requests",
      "nativeBrowser":true,
      "operatingSystem":{
         "family":"Unknown",
         "name":"Unknown"
      },
      "os":"OTHER",
      "tags":[
         "000000000000000000000000"
      ],
      "type":"Library",
      "typeName":"Library",
      "version":"2.25.0"
   }
}

Get Activity by ID

Get activity details by activity ID

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Activity ID: Column name from parent table containing activity ID.

Output of Action
Object containing the activity object.

{
   "_id":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
   "tenantId":112624484,
   "aadTenantId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "appId":20595,
   "saasId":20595,
   "timestamp":1613202281066,
   "timestampRaw":1613202281066,
   "instantiation":1613202288233,
   "instantiationRaw":1613202288233,
   "created":1613202288379,
   "createdRaw":1613202288379,
   "eventType":917724,
   "eventTypeValue":"EVENT_ADALLOM_ALERT_CLOSED_BENIGN",
   "eventRouting":{
      "scubaUnpacker":false,
      "auditing":true,
      "adminEvent":true
   },
   "device":{
      "clientIP":"52.89.253.223",
      "userAgent":"python-requests/2.25.0",
      "countryCode":"US"
   },
   "location":{
      "countryCode":"US",
      "city":"boardman",
      "postalCode":"97818",
      "region":"oregon",
      "longitude":-119.81143,
      "latitude":45.73723,
      "organizationSearchable":"Amazon Web Services",
      "anonymousProxy":false,
      "isSatelliteProvider":false,
      "ipTags":[
         "000000290000000000000000"
      ],
      "category":5,
      "categoryValue":"CLOUD_PROXY_NETWORK_IP"
   },
   "user":{
      "userName":"[email protected]",
      "userTags":[
         "602477681ebb340bf80fa8f3"
      ]
   },
   "userAgent":{
      "family":"PYTHON_REQUESTS",
      "name":"Python-requests",
      "operatingSystem":{
         "name":"Unknown",
         "family":"Unknown"
      },
      "type":"Library",
      "typeName":"Library",
      "version":"2.25.0",
      "major":"2",
      "minor":"25",
      "deviceType":"DESKTOP",
      "nativeBrowser":true,
      "tags":[
         "000000000000000000000000"
      ],
      "os":"OTHER",
      "browser":"PYTHON_REQUESTS"
   },
   "internals":{
      "otherIPs":[
         "52.89.253.223"
      ]
   },
   "tags":[
      "000000110000000000000000"
   ],
   "mainInfo":{
      "eventObjects":[
         {
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "name":"Resolution Status",
            "value":"Benign"
         },
         {
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "name":"Alert Title",
            "value":"Impossible travel activity"
         },
         {
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "name":"Alert Unique Id",
            "value":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]"
         },
         {
            "objType":7,
            "role":3,
            "tags":[
               
            ],
            "name":"Handled By User",
            "value":"[email protected]"
         },
         {
            "objType":21,
            "role":4,
            "tags":[
               
            ],
            "name":"tango bango",
            "instanceId":0,
            "resolved":true,
            "saasId":11161,
            "link":426759197,
            "id":"[email protected]"
         },
         {
            "objType":23,
            "role":4,
            "tags":[
               "602477681ebb340bf80fa8f3"
            ],
            "name":"tango bango",
            "instanceId":0,
            "resolved":true,
            "saasId":11161,
            "link":426759197,
            "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff"
         }
      ],
      "rawOperationName":"Alert Closed",
      "prettyOperationName":"Alert Closed",
      "type":"securityEvent"
   },
   "confidenceLevel":20,
   "session":{
      "sessionId":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
   },
   "adallom":{
      "alertSeverity":1,
      "isLegacyAlertStatus":false,
      "alertSeverityValue":1,
      "resolutionStatus":4,
      "alertTimestamp":1613003330378,
      "handledByUser":"[email protected]",
      "operationTime":1613202281063,
      "alertMongoId":"60255329369efb920b8e8e4f",
      "allowContact":false,
      "contactEmail":"[email protected]",
      "sendFeedback":false,
      "alertTypeId":15859716,
      "alertActor":"11161|0|[email protected]",
      "alertScore":"0",
      "alertTitle":"Impossible travel activity",
      "agentType":3,
      "alertBulk":false,
      "alertDate":"2021-02-11T00:28:50.3780000Z",
      "alertUid":"VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]",
      "feedback":"",
      "licenses":[
         "AdallomStandalone"
      ],
      "reasonId":3,
      "comment":"closed by Indrajeet",
      "bulkId":"60278369aa47e53c2fd5b92a",
      "count":1,
      "title":"Impossible travel activity"
   },
   "resolvedActor":{
      "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
      "saasId":"11161",
      "instanceId":"0",
      "tags":[
         "602477681ebb340bf80fa8f3"
      ],
      "objType":"23",
      "name":"tango bango",
      "role":"4",
      "resolved":true
   },
   "uid":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
   "appName":"Microsoft Cloud App Security",
   "eventTypeName":"EVENT_CATEGORY_CLOSE_ALERT_BENIGN",
   "classifications":[
      
   ],
   "entityData":{
      "0":{
         "displayName":"tango bango",
         "id":{
            "id":"[email protected]",
            "saas":11161,
            "inst":0
         },
         "resolved":true
      },
      "1":null,
      "2":{
         "displayName":"tango bango",
         "id":{
            "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
            "saas":11161,
            "inst":0
         },
         "resolved":true
      }
   },
   "description_id":"EVENT_DESCRIPTION_SECURITY_EVENT",
   "description_metadata":{
      "target_object":"",
      "parameters":"; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
      "activity_result_message":"",
      "event_category":"Close alert as benign",
      "operation_name":"Alert Closed",
      "colon":": ",
      "dash":""
   },
   "description":"Close alert as benign: Alert Closed ; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|[email protected]|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>[email protected]</b>",
   "genericEventType":"ENUM_ACTIVITY_GENERIC_TYPE_SECURITY_EVENT",
   "severity":"INFO",
   "error":null,
   "has_error":false
}

List Alerts

List alerts of Microsoft Cloud App Security

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Filter: Jinja template that renders to a JSON object of filters. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters (note that this page lists activity filters; the filter names accepted for alerts are documented separately in the Alerts API reference). Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}}. Column values are substituted verbatim into the JSON text, so a value containing a double quote, backslash or newline will produce invalid JSON or change the meaning of the filter; only reference columns that hold trusted, well-formed identifiers (or escape the value in the template).
  • Sort Direction: Select the sorting direction (Default is Ascending)
  • Sort Field: Field used to sort alerts (Default is Date)
  • Skip: Skips the specified number of records (Default is 0)
  • Limit: Maximum number of records returned by the request (Default is 100, Max is 100,000)

Output of Action
Multiple rows, one per alert object. The `description` field contains HTML markup (including links) supplied by the service; treat it as untrusted and escape or sanitize it before rendering in a UI or embedding in notifications.

{
   "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
   "_id":"60255329369efb920b8e8e4f",
   "comment":"closed by Indrajeet",
   "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "description":"<p>The user tango bango ([email protected]) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
   "entities":[
      {
         "id":20595,
         "label":"Microsoft Cloud App Security",
         "type":"service"
      },
      {
         "countryCode":"SE",
         "id":"77.111.245.14",
         "label":"77.111.245.14",
         "triggeredAlert":true,
         "type":"ip"
      },
      {
         "countryCode":"IN",
         "id":"49.36.149.102",
         "label":"49.36.149.102",
         "triggeredAlert":true,
         "type":"ip"
      },
      {
         "id":"IN",
         "label":"IN",
         "type":"country"
      },
      {
         "id":"SE",
         "label":"SE",
         "type":"country"
      },
      {
         "id":"60233090e39f5c3e5a17877a",
         "label":"Impossible travel",
         "policyType":"ANOMALY_DETECTION",
         "type":"policyRule"
      },
      {
         "entityType":1,
         "id":"[email protected]",
         "inst":0,
         "label":"tango bango",
         "pa":"[email protected]",
         "saas":11161,
         "type":"account"
      },
      {
         "id":"[email protected]",
         "label":"[email protected]",
         "type":"user"
      }
   ],
   "error":null,
   "handledByUser":"[email protected]",
   "has_error":false,
   "idValue":15859716,
   "isPreview":false,
   "isSystemAlert":false,
   "resolveTime":"2021-02-13T07:44:41.063Z",
   "severityValue":1,
   "statusValue":0,
   "stories":[
      0
   ],
   "threatScore":0,
   "timestamp":1613003330378,
   "title":"Impossible travel activity"
}

Get Alert by ID

Get alert details by alert ID

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Alert ID: Column name from parent table containing the alert ID (the `_id` value returned by List Alerts).

Output of Action
Object containing the alert object.

{
   "_id":"60255329369efb920b8e8e4f",
   "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "description":"<p>The user tango bango ([email protected]) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
   "entities":[
      {
         "id":20595,
         "type":"service",
         "label":"Microsoft Cloud App Security"
      },
      {
         "countryCode":"SE",
         "id":"77.111.245.14",
         "type":"ip",
         "triggeredAlert":true,
         "label":"77.111.245.14"
      },
      {
         "countryCode":"IN",
         "id":"49.36.149.102",
         "type":"ip",
         "triggeredAlert":true,
         "label":"49.36.149.102"
      },
      {
         "label":"IN",
         "id":"IN",
         "type":"country"
      },
      {
         "label":"SE",
         "id":"SE",
         "type":"country"
      },
      {
         "policyType":"ANOMALY_DETECTION",
         "id":"60233090e39f5c3e5a17877a",
         "label":"Impossible travel",
         "type":"policyRule"
      },
      {
         "pa":"[email protected]",
         "saas":11161,
         "entityType":1,
         "inst":0,
         "label":"tango bango",
         "id":"[email protected]",
         "type":"account"
      },
      {
         "label":"[email protected]",
         "id":"[email protected]",
         "type":"user"
      }
   ],
   "idValue":15859716,
   "isPreview":false,
   "isSystemAlert":false,
   "severityValue":1,
   "statusValue":0,
   "stories":[
      0
   ],
   "threatScore":0,
   "timestamp":1613003330378,
   "title":"Impossible travel activity",
   "comment":"closed by Indrajeet",
   "handledByUser":"[email protected]",
   "resolveTime":"2021-02-13T07:44:41.063Z",
   "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
   "error":null,
   "has_error":false
}

Close Alert

Close the Microsoft Cloud App Security alerts that match the given filter.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Close Status: Column name from parent table containing close status. Selected parent table column can have values: ("Benign", "False Positive", or "True Positive")
  • Filter: Jinja template that renders to a JSON object of filters selecting the alerts to close. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}}. Because every alert matched by the rendered filter is closed, verify that the filter is as narrow as intended (for example, pinned to specific alert IDs) before running this action in an automated playbook; a filter that renders broader than expected can close alerts that have not been reviewed.
  • Comment: Column name from parent table containing a comment about why the alerts are dismissed
  • Reason ID: Column name from parent table providing a reason, which helps improve the accuracy of the detection over time. Not used for True Positive. Possible values for Benign: 2, 4, 5, 6. Possible values for False Positive: 0, 1, 3, 4.
  • Send Feedback: Column name from parent table indicating that feedback about this alert is provided. Parent table should contain either true / false. (Default is false)
  • Feedback Text: Column name from the parent table containing text of the feedback
  • Allow Contact: Column name from parent table containing a boolean value indicating that consent to contact the user is provided. Selected parent table column should contain either true / false. (Default is false)
  • Contact Email: The email address of the user to contact; intended for use together with Allow Contact.

Output of Action
JSON containing the following items:

  • closed_benign: Number of alerts closed (the key name shown is as observed for a Benign close; confirm the key name for the other close statuses)
  • has_error: True/False
  • error: message/null
{
   "closed_benign":1,
   "error":null,
   "has_error":false
}

Mark Alert

Mark alert read / unread

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Alert ID: Column name from parent table containing the alert ID (the `_id` value returned by List Alerts).
  • Mark Status: Column name from parent table containing mark status. Selected parent table column can have values: (UNREAD / READ)

Output of Action
Object containing the alert updated.

{
   "_id":"60255329369efb920b8e8e4f",
   "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "description":"<p>The user tango bango ([email protected]) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
   "entities":[
      {
         "id":20595,
         "type":"service",
         "label":"Microsoft Cloud App Security"
      },
      {
         "countryCode":"SE",
         "id":"77.111.245.14",
         "type":"ip",
         "triggeredAlert":true,
         "label":"77.111.245.14"
      },
      {
         "countryCode":"IN",
         "id":"49.36.149.102",
         "type":"ip",
         "triggeredAlert":true,
         "label":"49.36.149.102"
      },
      {
         "label":"IN",
         "id":"IN",
         "type":"country"
      },
      {
         "label":"SE",
         "id":"SE",
         "type":"country"
      },
      {
         "policyType":"ANOMALY_DETECTION",
         "id":"60233090e39f5c3e5a17877a",
         "label":"Impossible travel",
         "type":"policyRule"
      },
      {
         "pa":"[email protected]",
         "saas":11161,
         "entityType":1,
         "inst":0,
         "label":"tango bango",
         "id":"[email protected]",
         "type":"account"
      },
      {
         "label":"[email protected]",
         "id":"[email protected]",
         "type":"user"
      }
   ],
   "idValue":15859716,
   "isPreview":false,
   "isSystemAlert":false,
   "severityValue":1,
   "statusValue":0,
   "stories":[
      0
   ],
   "threatScore":0,
   "timestamp":1613003330378,
   "title":"Impossible travel activity",
   "comment":"closed by Indrajeet",
   "handledByUser":"[email protected]",
   "resolveTime":"2021-02-13T08:55:02.240Z",
   "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
   "error":null,
   "has_error":false
}
