...
Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.
Connect Microsoft Cloud App Security with Devo SOAR
Navigate to Automations > Integrations.
Search for Microsoft Cloud App Security.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
API URL: URL of API. If you have portal's URL, add the /api suffix to it to obtain your API URL. Example: https://mytenant.us2.contoso.com/api
Token: Token required for authentication.
After you've entered all the details, click Connect.
Actions for Microsoft Cloud App Security
List Activities
Fetches a list of activities matching the specified filters.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template for json of filters. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | |
Example filter: {"activity.id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | Required | |
Sort Direction | Select the sorting direction (Default is Ascending). | |
Sort Field | Fields used to sort activities (Default is Date). | |
Skip | Skips the specified number of records (Default is 0). | |
Limit | Maximum number of records returned by the request (Default is 100, Max is 100,000). |
Output
Array of activity objects.
...
Code Block |
---|
## Get Activity by ID Get activity details by activity ID ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :---------- | :---------------------------------------------------- | :------- | | Activity ID | Column name from parent table containing activity ID. | Required | ### Output Object containing activity object. ``` {json}{ "_id":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc", "tenantId":112624484, "aadTenantId":"2d97f757-5a31-46a8-a957-3890738e1a25", "appId":20595, "saasId":20595, "timestamp":1613202281066, "timestampRaw":1613202281066, "instantiation":1613202288233, "instantiationRaw":1613202288233, "created":1613202288379, "createdRaw":1613202288379, "eventType":917724, "eventTypeValue":"EVENT_ADALLOM_ALERT_CLOSED_BENIGN", "eventRouting":{ "scubaUnpacker":false, "auditing":true, "adminEvent":true }, "device":{ "clientIP":"52.89.253.223", "userAgent":"python-requests/2.25.0", "countryCode":"US" }, "location":{ "countryCode":"US", "city":"boardman", "postalCode":"97818", "region":"oregon", "longitude":-119.81143, "latitude":45.73723, "organizationSearchable":"Amazon Web Services", "anonymousProxy":false, "isSatelliteProvider":false, "ipTags":[ "000000290000000000000000" ], "category":5, "categoryValue":"CLOUD_PROXY_NETWORK_IP" }, "user":{ "userName":"tango@qrrush.onmicrosoft.com", "userTags":[ "602477681ebb340bf80fa8f3" ] }, "userAgent":{ "family":"PYTHON_REQUESTS", "name":"Python-requests", "operatingSystem":{ "name":"Unknown", "family":"Unknown" }, "type":"Library", "typeName":"Library", "version":"2.25.0", "major":"2", "minor":"25", "deviceType":"DESKTOP", "nativeBrowser":true, "tags":[ "000000000000000000000000" ], "os":"OTHER", "browser":"PYTHON_REQUESTS" }, "internals":{ "otherIPs":[ "52.89.253.223" ] }, "tags":[ "000000110000000000000000" ], "mainInfo":{ "eventObjects":[ { "objType":7, "role":3, "tags":[ ], "name":"Resolution Status", "value":"Benign" }, { "objType":7, "role":3, "tags":[ ], "name":"Alert Title", "value":"Impossible travel activity" }, { "objType":7, "role":3, "tags":[ ], "name":"Alert Unique Id", "value":"VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]" }, { "objType":7, "role":3, "tags":[ ], "name":"Handled By User", "value":"tango@qrrush.onmicrosoft.com" }, { "objType":21, "role":4, "tags":[ ], "name":"tango bango", "instanceId":0, "resolved":true, "saasId":11161, "link":426759197, "id":"tango@qrrush.onmicrosoft.com" }, { "objType":23, "role":4, "tags":[ "602477681ebb340bf80fa8f3" ], "name":"tango bango", "instanceId":0, "resolved":true, "saasId":11161, "link":426759197, "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff" } ], "rawOperationName":"Alert Closed", "prettyOperationName":"Alert Closed", "type":"securityEvent" }, "confidenceLevel":20, "session":{ "sessionId":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }, "adallom":{ "alertSeverity":1, "isLegacyAlertStatus":false, "alertSeverityValue":1, "resolutionStatus":4, "alertTimestamp":1613003330378, "handledByUser":"tango@qrrush.onmicrosoft.com", "operationTime":1613202281063, "alertMongoId":"60255329369efb920b8e8e4f", "allowContact":false, "contactEmail":"indrajeet@logichub.com", "sendFeedback":false, "alertTypeId":15859716, "alertActor":"11161|0|tango@qrrush.onmicrosoft.com", "alertScore":"0", "alertTitle":"Impossible travel activity", "agentType":3, "alertBulk":false, "alertDate":"2021-02-11T00:28:50.3780000Z", "alertUid":"VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]", "feedback":"", "licenses":[ "AdallomStandalone" ], "reasonId":3, "comment":"closed by Indrajeet", "bulkId":"60278369aa47e53c2fd5b92a", "count":1, "title":"Impossible travel activity" }, "resolvedActor":{ "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff", "saasId":"11161", "instanceId":"0", "tags":[ "602477681ebb340bf80fa8f3" ], "objType":"23", "name":"tango bango", "role":"4", "resolved":true }, "uid":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc", "appName":"Microsoft Cloud App Security", "eventTypeName":"EVENT_CATEGORY_CLOSE_ALERT_BENIGN", "classifications":[ ], "entityData":{ "0":{ "displayName":"tango bango", "id":{ "id":"tango@qrrush.onmicrosoft.com", "saas":11161, "inst":0 }, "resolved":true }, "1":null, "2":{ "displayName":"tango bango", "id":{ "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff", "saas":11161, "inst":0 }, "resolved":true } }, "description_id":"EVENT_DESCRIPTION_SECURITY_EVENT", "description_metadata":{ "target_object":"", "parameters":"; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>tango@qrrush.onmicrosoft.com</b>", "activity_result_message":"", "event_category":"Close alert as benign", "operation_name":"Alert Closed", "colon":": ", "dash":"" }, "description":"Close alert as benign: Alert Closed ; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>tango@qrrush.onmicrosoft.com</b>", "genericEventType":"ENUM_ACTIVITY_GENERIC_TYPE_SECURITY_EVENT", "severity":"INFO", "error":null, "has_error":false } |
List Alerts
List alerts of Microsoft Cloud App Security
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template for json of filters. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | |
Sort Direction | Select the sorting direction (Default is Ascending). | |
Sort Field | Fields used to sort activities (Default is Date). | |
Skip | Skips the specified number of records (Default is 0). | |
Limit | Maximum number of records returned by the request (Default is 100, Max is 100,000). |
Output
A JSON object containing multiple rows of alert object.
...
Code Block |
---|
## Get Alert by ID Get alert details by alert ID ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :--------- | :---------------------------------------------------- | :------- | | Alert ID | Column name from parent table containing activity ID. | Required | ### Output A JSON object containing activity object. ``` {json}{ "_id":"60255329369efb920b8e8e4f", "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25", "description":"<p>The user tango bango (tango@qrrush.onmicrosoft.com) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>", "entities":[ { "id":20595, "type":"service", "label":"Microsoft Cloud App Security" }, { "countryCode":"SE", "id":"77.111.245.14", "type":"ip", "triggeredAlert":true, "label":"77.111.245.14" }, { "countryCode":"IN", "id":"49.36.149.102", "type":"ip", "triggeredAlert":true, "label":"49.36.149.102" }, { "label":"IN", "id":"IN", "type":"country" }, { "label":"SE", "id":"SE", "type":"country" }, { "policyType":"ANOMALY_DETECTION", "id":"60233090e39f5c3e5a17877a", "label":"Impossible travel", "type":"policyRule" }, { "pa":"tango@qrrush.onmicrosoft.com", "saas":11161, "entityType":1, "inst":0, "label":"tango bango", "id":"tango@qrrush.onmicrosoft.com", "type":"account" }, { "label":"tango@qrrush.onmicrosoft.com", "id":"tango@qrrush.onmicrosoft.com", "type":"user" } ], "idValue":15859716, "isPreview":false, "isSystemAlert":false, "severityValue":1, "statusValue":0, "stories":[ 0 ], "threatScore":0, "timestamp":1613003330378, "title":"Impossible travel activity", "comment":"closed by Indrajeet", "handledByUser":"tango@qrrush.onmicrosoft.com", "resolveTime":"2021-02-13T07:44:41.063Z", "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f", "error":null, "has_error":false } |
Close Alert
Close alert of microsoft cloud app security
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Close Status | Column name from parent table containing close status. Selected parent table column can have values: ("Benign", "False Positive", or "True Positive"). | Required |
Filter | Jinja-template for json of filters. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. | |
Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | Required | |
Comment | Column name from parent table containing a comment about why the alerts are dismissed. | Required |
Reason ID | Column name from parent table providing a reason which helps improve the accuracy of the detection over time. Not used for True Positive. Selected parent table column can have values Possible values for Benign: 2, 4, 5, 6 Possible values for False Positive: 0, 1, 3, 4 | Required |
Send Feedback | Column name from parent table indicating that feedback about this alert is provided. Parent table should contain either true / false. (Default is false). | Required |
Feedback Text | Column name from the parent table containing text of the feedback. | Required |
Allow Contact | Column name from parent table containing a boolean value indicating that consent to contact the user is provided. Selected parent table column should contain either true / false. (Default is false). | Required |
Contact Email | The email address of the user. | Required |
Output
A JSON object containing multiple rows of result:
...
Code Block |
---|
## Mark Alert Mark alert read / unread ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :---------- | :------------------------------------------------------------------------------------------------------------------- | :------- | | Alert ID | Column name from parent table containing activity ID. | Required | | Mark Status | Column name from parent table containing mark status. Selected parent table column can have values: (UNREAD / READ). | Required | ### Output A JSON object containing the alert updated. ``` {json}{ "_id":"60255329369efb920b8e8e4f", "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25", "description":"<p>The user tango bango (tango@qrrush.onmicrosoft.com) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>", "entities":[ { "id":20595, "type":"service", "label":"Microsoft Cloud App Security" }, { "countryCode":"SE", "id":"77.111.245.14", "type":"ip", "triggeredAlert":true, "label":"77.111.245.14" }, { "countryCode":"IN", "id":"49.36.149.102", "type":"ip", "triggeredAlert":true, "label":"49.36.149.102" }, { "label":"IN", "id":"IN", "type":"country" }, { "label":"SE", "id":"SE", "type":"country" }, { "policyType":"ANOMALY_DETECTION", "id":"60233090e39f5c3e5a17877a", "label":"Impossible travel", "type":"policyRule" }, { "pa":"tango@qrrush.onmicrosoft.com", "saas":11161, "entityType":1, "inst":0, "label":"tango bango", "id":"tango@qrrush.onmicrosoft.com", "type":"account" }, { "label":"tango@qrrush.onmicrosoft.com", "id":"tango@qrrush.onmicrosoft.com", "type":"user" } ], "idValue":15859716, "isPreview":false, "isSystemAlert":false, "severityValue":1, "statusValue":0, "stories":[ 0 ], "threatScore":0, "timestamp":1613003330378, "title":"Impossible travel activity", "comment":"closed by Indrajeet", "handledByUser":"tango@qrrush.onmicrosoft.com", "resolveTime":"2021-02-13T08:55:02.240Z", "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f", "error":null, "has_error":false } |
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
...