...

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

Connect Microsoft Cloud App Security with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Microsoft Cloud App Security.

  3. Click Details, then the + icon, and enter the required information in the following fields:

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select whether to verify the connecting server's SSL certificate (default: verify). Leave verification on; with it off, anyone able to intercept the connection can present a forged certificate and capture the API token.

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • API URL: URL of the API. If you have the portal URL, append the /api suffix to obtain the API URL. Example: https://mytenant.us2.contoso.com/api

     • Token: API token used for authentication.

  4. After you have entered all the details, click Connect.
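The connection settings above, assembled in code. This is an added example, not code from the Devo SOAR page or from Devo: it derives the API URL from the portal URL exactly as the steps say (portal URL plus the /api suffix), tolerating the copy-paste variants that usually go wrong (trailing slash, an existing /api, a portal deep link with a #/alerts/... fragment), refuses plain http, keeps TLS verification on by default, and keeps the token out of anything that is logged. The "Authorization: Token <token>" header is the format documented for the Microsoft Cloud App Security REST API; the page does not state it, so it is an assumption here.

```python
"""Connection settings for the Microsoft Cloud App Security integration.

Added example, not part of the Devo SOAR page or Devo's code. The header
format "Authorization: Token <token>" follows Microsoft's REST API docs and
is an assumption as far as this page is concerned.
"""
import warnings
from urllib.parse import urlsplit, urlunsplit


class UnsafeConnection(ValueError):
    """Connection details that must not be used as given."""


def is_acceptable_portal_url(portal_url: str) -> bool:
    """https with a host; anything else would send the token in clear text."""
    parts = urlsplit(portal_url.strip())
    return parts.scheme == "https" and bool(parts.netloc)


def api_url_from_portal(portal_url: str) -> str:
    """Return <portal URL>/api, normalising copy-paste variants.

    A trailing slash, an existing /api suffix, or a portal deep link such as
    https://tenant.portal.cloudappsecurity.com/#/alerts/<id> all become
    https://<host>/api. The fragment and query string belong to the portal
    UI, not the API, so they are dropped.
    """
    if not is_acceptable_portal_url(portal_url):
        raise UnsafeConnection("portal URL must be https with a host: %r" % portal_url)
    parts = urlsplit(portal_url.strip())
    path = parts.path.rstrip("/")
    if not path.endswith("/api"):
        path += "/api"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def build_connection(label: str, portal_url: str, token: str,
                     verify_ssl: bool = True) -> dict:
    """Assemble what a client needs to call the API (nothing is sent here)."""
    token = token.strip()
    if not token:
        raise UnsafeConnection("token is empty")
    if not verify_ssl:
        # Mirrors the page's Verify SSL option; only acceptable against a lab
        # endpoint, since a forged certificate would expose the token.
        warnings.warn("TLS certificate verification disabled for %s" % label)
    return {
        "label": label,
        "api_url": api_url_from_portal(portal_url),
        "headers": {"Authorization": "Token " + token},  # assumed header format
        "verify_ssl": verify_ssl,
    }


def describe(conn: dict) -> str:
    """Log-safe summary: the token never appears, not even partially."""
    return "%s -> %s (verify_ssl=%s, auth=Token ****)" % (
        conn["label"], conn["api_url"], conn["verify_ssl"])


if __name__ == "__main__":
    conn = build_connection("mcas-prod", "https://mytenant.us2.contoso.com", "example-token")
    print(describe(conn))
```

Pass the returned `api_url`, `headers` and `verify_ssl` to whatever HTTP client you use; `describe()` is what should reach your logs.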

Actions for Microsoft Cloud App Security

List Activities

Fetches a list of activities matching the specified filters.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Filter | Jinja template that renders to the JSON filters object. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-activities#filters. Example filter: {"activity.id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | Required |
| Sort Direction | Sorting direction (default: Ascending). | |
| Sort Field | Field used to sort activities (default: Date). | |
| Skip | Skips the specified number of records (default: 0). | |
| Limit | Maximum number of records returned by the request (default: 100, maximum: 100,000). | |

Output

Array of activity objects.

...
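The Filter input is a Jinja template that has to render to the JSON filters object, and Jinja's plain `{{ col }}` drops the column value into that string as raw text. A parent-table value containing a double quote therefore closes the string early and can add its own operator keys: JSON injection through the parent table. The added example below (not code from the Devo SOAR page or from Devo) shows the injected result next to the safe construction, which is to build the filter as a structure and serialize it (in a Jinja template, write `{{ col | tojson }}` with no surrounding quotes), and builds the full List Activities request body with the page's Skip/Limit bounds enforced. The body key names sortField, sortDirection, skip and limit and the values "date", "asc" and "desc" follow Microsoft's activities API reference; the page gives only labels and defaults, so they are assumptions here.

```python
"""Filter templating for List Activities.

Added example, not part of the Devo SOAR page or Devo's code. Body key names
and sort values follow Microsoft's activities API reference (assumed).
"""
import json
import re

DEFAULT_LIMIT = 100     # page: "Default is 100"
MAX_LIMIT = 100_000     # page: "Max is 100,000"

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template_naive(template: str, variables: dict) -> str:
    """Raw {{ name }} substitution. Stands in for Jinja's default behaviour on
    a string template; it is here to show the failure, not to be used."""
    return _PLACEHOLDER.sub(lambda m: str(variables[m.group(1)]), template)


def build_eq_filter(field: str, values) -> dict:
    """Structured form of {"<field>": {"eq": [...]}}. Values are data, never
    template text, so quotes inside them cannot change the filter."""
    vals = [str(v) for v in values if str(v).strip()]
    if not vals:
        raise ValueError("eq filter needs at least one non-empty value")
    return {field: {"eq": vals}}


def render_filter_safe(field: str, values) -> str:
    return json.dumps(build_eq_filter(field, values))


def operators(filter_json: str, field: str) -> list:
    """Operator keys present for `field` after rendering. Any operator you did
    not write yourself was injected by a column value."""
    return sorted(json.loads(filter_json)[field])


def eq_values(filter_json: str, field: str) -> list:
    return json.loads(filter_json)[field]["eq"]


def is_valid_limit(limit: int) -> bool:
    return 1 <= limit <= MAX_LIMIT


def build_activities_payload(filters: dict, sort_field: str = "date",
                             sort_direction: str = "asc", skip: int = 0,
                             limit: int = DEFAULT_LIMIT) -> dict:
    """Request body for the activities list, with the page's bounds enforced."""
    if sort_direction not in ("asc", "desc"):
        raise ValueError("sort_direction must be 'asc' or 'desc'")
    if skip < 0:
        raise ValueError("skip must be >= 0")
    if not is_valid_limit(limit):
        raise ValueError("limit must be between 1 and %d" % MAX_LIMIT)
    return {"filters": filters, "sortField": sort_field,
            "sortDirection": sort_direction, "skip": skip, "limit": limit}


if __name__ == "__main__":
    template = '{"activity.id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}}'
    hostile = 'id2"], "neq": ["id3'   # constructed parent-table value
    print(render_template_naive(template, {"column_name_from_parent_table": hostile}))
    print(render_filter_safe("activity.id", ["id1", hostile]))
```

Run it and compare the two lines: the naive render is valid JSON with an extra `neq` operator the playbook author never wrote, while the safe render keeps the hostile value as one escaped string inside `eq`.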

## Get Activity by ID

Get activity details by activity ID

### Input Field

Choose a connection that you have previously created, then fill in the following input fields.

| Input Name  | Description                                           | Required |
| :---------- | :---------------------------------------------------- | :------- |
| Activity ID | Column name from parent table containing activity ID. | Required |

### Output

A JSON object containing the activity.


```json
{
   "_id":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
   "tenantId":112624484,
   "aadTenantId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "appId":20595,
   "saasId":20595,
   "timestamp":1613202281066,
   "timestampRaw":1613202281066,
   "instantiation":1613202288233,
   "instantiationRaw":1613202288233,
   "created":1613202288379,
   "createdRaw":1613202288379,
   "eventType":917724,
   "eventTypeValue":"EVENT_ADALLOM_ALERT_CLOSED_BENIGN",
   "eventRouting":{
      "scubaUnpacker":false,
      "auditing":true,
      "adminEvent":true
   },
   "device":{
      "clientIP":"52.89.253.223",
      "userAgent":"python-requests/2.25.0",
      "countryCode":"US"
   },
   "location":{
      "countryCode":"US",
      "city":"boardman",
      "postalCode":"97818",
      "region":"oregon",
      "longitude":-119.81143,
      "latitude":45.73723,
      "organizationSearchable":"Amazon Web Services",
      "anonymousProxy":false,
      "isSatelliteProvider":false,
      "ipTags":[
         "000000290000000000000000"
      ],
      "category":5,
      "categoryValue":"CLOUD_PROXY_NETWORK_IP"
   },
   "user":{
      "userName":"tango@qrrush.onmicrosoft.com",
      "userTags":[
         "602477681ebb340bf80fa8f3"
      ]
   },
   "userAgent":{
      "family":"PYTHON_REQUESTS",
      "name":"Python-requests",
      "operatingSystem":{
         "name":"Unknown",
         "family":"Unknown"
      },
      "type":"Library",
      "typeName":"Library",
      "version":"2.25.0",
      "major":"2",
      "minor":"25",
      "deviceType":"DESKTOP",
      "nativeBrowser":true,
      "tags":[
         "000000000000000000000000"
      ],
      "os":"OTHER",
      "browser":"PYTHON_REQUESTS"
   },
   "internals":{
      "otherIPs":[
         "52.89.253.223"
      ]
   },
   "tags":[
      "000000110000000000000000"
   ],
   "mainInfo":{
      "eventObjects":[
         {
            "objType":7,
            "role":3,
            "tags":[

            ],
            "name":"Resolution Status",
            "value":"Benign"
         },
         {
            "objType":7,
            "role":3,
            "tags":[

            ],
            "name":"Alert Title",
            "value":"Impossible travel activity"
         },
         {
            "objType":7,
            "role":3,
            "tags":[

            ],
            "name":"Alert Unique Id",
            "value":"VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]"
         },
         {
            "objType":7,
            "role":3,
            "tags":[

            ],
            "name":"Handled By User",
            "value":"tango@qrrush.onmicrosoft.com"
         },
         {
            "objType":21,
            "role":4,
            "tags":[

            ],
            "name":"tango bango",
            "instanceId":0,
            "resolved":true,
            "saasId":11161,
            "link":426759197,
            "id":"tango@qrrush.onmicrosoft.com"
         },
         {
            "objType":23,
            "role":4,
            "tags":[
               "602477681ebb340bf80fa8f3"
            ],
            "name":"tango bango",
            "instanceId":0,
            "resolved":true,
            "saasId":11161,
            "link":426759197,
            "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff"
         }
      ],
      "rawOperationName":"Alert Closed",
      "prettyOperationName":"Alert Closed",
      "type":"securityEvent"
   },
   "confidenceLevel":20,
   "session":{
      "sessionId":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
   },
   "adallom":{
      "alertSeverity":1,
      "isLegacyAlertStatus":false,
      "alertSeverityValue":1,
      "resolutionStatus":4,
      "alertTimestamp":1613003330378,
      "handledByUser":"tango@qrrush.onmicrosoft.com",
      "operationTime":1613202281063,
      "alertMongoId":"60255329369efb920b8e8e4f",
      "allowContact":false,
      "contactEmail":"indrajeet@logichub.com",
      "sendFeedback":false,
      "alertTypeId":15859716,
      "alertActor":"11161|0|tango@qrrush.onmicrosoft.com",
      "alertScore":"0",
      "alertTitle":"Impossible travel activity",
      "agentType":3,
      "alertBulk":false,
      "alertDate":"2021-02-11T00:28:50.3780000Z",
      "alertUid":"VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]",
      "feedback":"",
      "licenses":[
         "AdallomStandalone"
      ],
      "reasonId":3,
      "comment":"closed by Indrajeet",
      "bulkId":"60278369aa47e53c2fd5b92a",
      "count":1,
      "title":"Impossible travel activity"
   },
   "resolvedActor":{
      "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
      "saasId":"11161",
      "instanceId":"0",
      "tags":[
         "602477681ebb340bf80fa8f3"
      ],
      "objType":"23",
      "name":"tango bango",
      "role":"4",
      "resolved":true
   },
   "uid":"112624484_1613202281066_84d5d2d3b3b547ab868eb141a7b1b7cc",
   "appName":"Microsoft Cloud App Security",
   "eventTypeName":"EVENT_CATEGORY_CLOSE_ALERT_BENIGN",
   "classifications":[

   ],
   "entityData":{
      "0":{
         "displayName":"tango bango",
         "id":{
            "id":"tango@qrrush.onmicrosoft.com",
            "saas":11161,
            "inst":0
         },
         "resolved":true
      },
      "1":null,
      "2":{
         "displayName":"tango bango",
         "id":{
            "id":"bdd136b2-2307-47a4-823a-43a8d26ccaff",
            "saas":11161,
            "inst":0
         },
         "resolved":true
      }
   },
   "description_id":"EVENT_DESCRIPTION_SECURITY_EVENT",
   "description_metadata":{
      "target_object":"",
      "parameters":"; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>tango@qrrush.onmicrosoft.com</b>",
      "activity_result_message":"",
      "event_category":"Close alert as benign",
      "operation_name":"Alert Closed",
      "colon":": ",
      "dash":""
   },
   "description":"Close alert as benign: Alert Closed ; Parameters: property <b>Resolution Status</b> <b>Benign</b>, property <b>Alert Title</b> <b>Impossible travel activity</b>, property <b>Alert Unique Id</b> <b>VelocityDetection|112624484_11161_0_tango@qrrush.onmicrosoft.com|[2021-02-10, 2021-02-11]_[(IN,SE)]</b>, property <b>Handled By User</b> <b>tango@qrrush.onmicrosoft.com</b>",
   "genericEventType":"ENUM_ACTIVITY_GENERIC_TYPE_SECURITY_EVENT",
   "severity":"INFO",
   "error":null,
   "has_error":false
}
```

List Alerts

List alerts from Microsoft Cloud App Security.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Filter | Jinja template that renders to the JSON filters object. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}} | |
| Sort Direction | Sorting direction (default: Ascending). | |
| Sort Field | Field used to sort alerts (default: Date). | |
| Skip | Skips the specified number of records (default: 0). | |
| Limit | Maximum number of records returned by the request (default: 100, maximum: 100,000). | |

Output

Array of alert objects.

...

## Get Alert by ID

Get alert details by alert ID

### Input Field

Choose a connection that you have previously created, then fill in the following input fields.

| Input Name | Description                                           | Required |
| :--------- | :---------------------------------------------------- | :------- |
| Alert ID   | Column name from parent table containing the alert ID.    | Required |

### Output

A JSON object containing the alert.


```json
{
   "_id":"60255329369efb920b8e8e4f",
   "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "description":"<p>The user tango bango (tango@qrrush.onmicrosoft.com) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
   "entities":[
      {
         "id":20595,
         "type":"service",
         "label":"Microsoft Cloud App Security"
      },
      {
         "countryCode":"SE",
         "id":"77.111.245.14",
         "type":"ip",
         "triggeredAlert":true,
         "label":"77.111.245.14"
      },
      {
         "countryCode":"IN",
         "id":"49.36.149.102",
         "type":"ip",
         "triggeredAlert":true,
         "label":"49.36.149.102"
      },
      {
         "label":"IN",
         "id":"IN",
         "type":"country"
      },
      {
         "label":"SE",
         "id":"SE",
         "type":"country"
      },
      {
         "policyType":"ANOMALY_DETECTION",
         "id":"60233090e39f5c3e5a17877a",
         "label":"Impossible travel",
         "type":"policyRule"
      },
      {
         "pa":"tango@qrrush.onmicrosoft.com",
         "saas":11161,
         "entityType":1,
         "inst":0,
         "label":"tango bango",
         "id":"tango@qrrush.onmicrosoft.com",
         "type":"account"
      },
      {
         "label":"tango@qrrush.onmicrosoft.com",
         "id":"tango@qrrush.onmicrosoft.com",
         "type":"user"
      }
   ],
   "idValue":15859716,
   "isPreview":false,
   "isSystemAlert":false,
   "severityValue":1,
   "statusValue":0,
   "stories":[
      0
   ],
   "threatScore":0,
   "timestamp":1613003330378,
   "title":"Impossible travel activity",
   "comment":"closed by Indrajeet",
   "handledByUser":"tango@qrrush.onmicrosoft.com",
   "resolveTime":"2021-02-13T07:44:41.063Z",
   "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
   "error":null,
   "has_error":false
}
```
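Pulling triage data out of the alert object above. This is an added example, not code from the Devo SOAR page or from Devo; `SAMPLE_ALERT` is a trimmed copy of the page's sample output (only the fields used here). `triage_summary()` walks the `entities` list and extracts what an analyst needs for an impossible-travel alert: the IPs that triggered it with their country codes, the account and user, and the policy. `plain_description()` reduces the `description` field to text, because that field arrives as vendor-supplied HTML (note the `<a href>` in the sample) and must not be written into a case note or rendered in a UI as raw markup.

```python
"""Triage data from a Get Alert by ID result.

Added example, not part of the Devo SOAR page or Devo's code. SAMPLE_ALERT is
a trimmed copy of the alert object shown on the page.
"""
from html.parser import HTMLParser

SAMPLE_ALERT = {
    "_id": "60255329369efb920b8e8e4f",
    "title": "Impossible travel activity",
    "severityValue": 1,
    "statusValue": 0,
    "resolveTime": "2021-02-13T07:44:41.063Z",
    "description": (
        "<p>The user tango bango (tango@qrrush.onmicrosoft.com) performed an "
        "impossible travel activity.<br>The user was active from 49.36.149.102 in "
        "India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP "
        "addresses that are known and safe, add them in the <a href=\"#/subnet\">"
        "IP address range page</a> to improve the accuracy of the alerts.</p>"
    ),
    "entities": [
        {"id": 20595, "type": "service", "label": "Microsoft Cloud App Security"},
        {"countryCode": "SE", "id": "77.111.245.14", "type": "ip", "triggeredAlert": True, "label": "77.111.245.14"},
        {"countryCode": "IN", "id": "49.36.149.102", "type": "ip", "triggeredAlert": True, "label": "49.36.149.102"},
        {"label": "IN", "id": "IN", "type": "country"},
        {"label": "SE", "id": "SE", "type": "country"},
        {"policyType": "ANOMALY_DETECTION", "id": "60233090e39f5c3e5a17877a", "label": "Impossible travel", "type": "policyRule"},
        {"pa": "tango@qrrush.onmicrosoft.com", "saas": 11161, "entityType": 1, "inst": 0, "label": "tango bango", "id": "tango@qrrush.onmicrosoft.com", "type": "account"},
        {"label": "tango@qrrush.onmicrosoft.com", "id": "tango@qrrush.onmicrosoft.com", "type": "user"},
    ],
}


class _TextOnly(HTMLParser):
    """Keeps text nodes, drops every tag and attribute (href included)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("br", "p"):
            self.parts.append(" ")   # keep sentence boundaries readable

    def handle_data(self, data):
        self.parts.append(data)


def plain_description(alert: dict) -> str:
    """The description as plain text with whitespace collapsed."""
    parser = _TextOnly()
    parser.feed(alert.get("description", ""))
    parser.close()
    return " ".join("".join(parser.parts).split())


def triage_summary(alert: dict) -> dict:
    """Evidence behind the alert, taken from the typed `entities` list."""
    ips, accounts, policies = {}, set(), []
    for ent in alert.get("entities", []):
        kind = ent.get("type")
        if kind == "ip" and ent.get("triggeredAlert"):
            ips[ent["id"]] = ent.get("countryCode")
        elif kind in ("account", "user"):
            accounts.add(ent["id"])
        elif kind == "policyRule":
            policies.append((ent.get("policyType"), ent.get("label")))
    return {
        "alert_id": alert["_id"],
        "title": alert.get("title"),
        "severity": alert.get("severityValue"),
        "resolved": bool(alert.get("resolveTime")),
        "triggering_ips": ips,
        "countries": sorted(set(ips.values())),
        "accounts": sorted(accounts),
        "policies": policies,
        "description": plain_description(alert),
    }


if __name__ == "__main__":
    for key, value in triage_summary(SAMPLE_ALERT).items():
        print("%-15s %s" % (key, value))
```

Feed the real Get Alert by ID output to `triage_summary()` in place of `SAMPLE_ALERT`; the `triggering_ips` map is what you would hand to an IP-reputation lookup, and `description` is the string that is safe to put in a case note.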

Close Alert

Close alerts in Microsoft Cloud App Security.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Close Status | Column name from parent table containing the close status. Allowed values: Benign, False Positive, True Positive. | Required |
| Filter | Jinja template that renders to the JSON filters object selecting the alerts to close. Reference for all the options: https://docs.microsoft.com/en-us/cloud-app-security/api-alerts#filters. Example filter: {"id": {"eq": ["id1", "{{column_name_from_parent_table}}"]}}. The action closes every alert the rendered filter matches, so check the rendered filter first (for example by running List Alerts with it). | Required |
| Comment | Column name from parent table containing a comment about why the alerts are dismissed. | Required |
| Reason ID | Column name from parent table providing a reason, which helps improve the accuracy of the detection over time. Not used for True Positive. Possible values for Benign: 2, 4, 5, 6. Possible values for False Positive: 0, 1, 3, 4. | Required |
| Send Feedback | Column name from parent table indicating whether feedback about this alert is provided. Values: true / false (default: false). | Required |
| Feedback Text | Column name from parent table containing the text of the feedback. | Required |
| Allow Contact | Column name from parent table containing a boolean indicating that consent to contact the user is provided. Values: true / false (default: false). | Required |
| Contact Email | The email address of the user. | Required |

Output

A JSON object containing multiple rows of result.

...
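Validating the Close Alert inputs before anything is sent. This is an added example, not code from the Devo SOAR page or from Devo. It enforces what the table above states: Close Status must be Benign, False Positive or True Positive; Reason ID must be 2, 4, 5 or 6 for Benign, 0, 1, 3 or 4 for False Positive, and is not used for True Positive; Feedback Text and Contact Email are checked when their flags are true. It also refuses an empty alert id list, since the action closes every alert the filter matches. The endpoint paths (close_benign, close_false_positive, close_true_positive) and the body field names follow Microsoft's alerts API reference rather than this page and are assumptions here.

```python
"""Close Alert input validation and request building.

Added example, not part of the Devo SOAR page or Devo's code. Endpoint paths
and body field names follow Microsoft's alerts API reference (assumed).
"""

CLOSE_ENDPOINTS = {
    "Benign": "/v1/alerts/close_benign/",
    "False Positive": "/v1/alerts/close_false_positive/",
    "True Positive": "/v1/alerts/close_true_positive/",
}

# From the page's Reason ID row. True Positive takes no reason.
ALLOWED_REASON_IDS = {
    "Benign": {2, 4, 5, 6},
    "False Positive": {0, 1, 3, 4},
    "True Positive": set(),
}


def is_valid_reason(close_status: str, reason_id) -> bool:
    """True when reason_id is acceptable for close_status per the page's table."""
    allowed = ALLOWED_REASON_IDS.get(close_status)
    if allowed is None:
        return False
    if close_status == "True Positive":
        return reason_id is None
    return reason_id in allowed


def build_close_alert_request(api_url: str, close_status: str, alert_ids,
                              comment: str, reason_id=None,
                              send_feedback: bool = False, feedback_text: str = "",
                              allow_contact: bool = False, contact_email: str = "") -> dict:
    """Return method/url/json for the close call, or raise on bad input."""
    if close_status not in CLOSE_ENDPOINTS:
        raise ValueError("Close Status must be one of %s" % sorted(CLOSE_ENDPOINTS))
    ids = sorted({str(i).strip() for i in alert_ids if str(i).strip()})
    if not ids:
        # An unconstrained filter would close far more than one alert.
        raise ValueError("refusing to close alerts with an empty id filter")
    if not comment.strip():
        raise ValueError("Comment is required")
    if not is_valid_reason(close_status, reason_id):
        raise ValueError("Reason ID %r is not valid for %s" % (reason_id, close_status))

    body = {"filters": {"id": {"eq": ids}}, "comment": comment}
    if reason_id is not None:
        body["reasonId"] = reason_id
    body["sendFeedback"] = bool(send_feedback)
    if send_feedback:
        if not feedback_text.strip():
            raise ValueError("Feedback Text is required when Send Feedback is true")
        body["feedbackText"] = feedback_text
    body["allowContact"] = bool(allow_contact)
    if allow_contact:
        if "@" not in contact_email:
            raise ValueError("Contact Email must be a mailbox when Allow Contact is true")
        body["contactEmail"] = contact_email
    return {"method": "POST",
            "url": api_url.rstrip("/") + CLOSE_ENDPOINTS[close_status],
            "json": body}


if __name__ == "__main__":
    # Alert id and comment taken from the page's sample output.
    req = build_close_alert_request("https://mytenant.us2.contoso.com/api", "Benign",
                                    ["60255329369efb920b8e8e4f"], "closed by Indrajeet",
                                    reason_id=4)
    print(req["method"], req["url"])
    print(req["json"])
```

Wire the returned dict into your HTTP client with the connection's token header; everything that would make the call a no-op or a mass close is rejected before that point.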

## Mark Alert

Mark alert read / unread

### Input Field

Choose a connection that you have previously created, then fill in the following input fields.

| Input Name  | Description                                                                                                          | Required |
| :---------- | :------------------------------------------------------------------------------------------------------------------- | :------- |
| Alert ID    | Column name from parent table containing the alert ID.                                                               | Required |
| Mark Status | Column name from parent table containing mark status. Selected parent table column can have values: (UNREAD / READ). | Required |

### Output

A JSON object containing the alert updated.


```json
{
   "_id":"60255329369efb920b8e8e4f",
   "contextId":"2d97f757-5a31-46a8-a957-3890738e1a25",
   "description":"<p>The user tango bango (tango@qrrush.onmicrosoft.com) performed an impossible travel activity.<br>The user was active from 49.36.149.102 in India and 77.111.245.14 in Sweden within 219 minutes.<br>If these are IP addresses that are known and safe, add them in the <a href=\"#/subnet\">IP address range page</a> to improve the accuracy of the alerts.</p>",
   "entities":[
      {
         "id":20595,
         "type":"service",
         "label":"Microsoft Cloud App Security"
      },
      {
         "countryCode":"SE",
         "id":"77.111.245.14",
         "type":"ip",
         "triggeredAlert":true,
         "label":"77.111.245.14"
      },
      {
         "countryCode":"IN",
         "id":"49.36.149.102",
         "type":"ip",
         "triggeredAlert":true,
         "label":"49.36.149.102"
      },
      {
         "label":"IN",
         "id":"IN",
         "type":"country"
      },
      {
         "label":"SE",
         "id":"SE",
         "type":"country"
      },
      {
         "policyType":"ANOMALY_DETECTION",
         "id":"60233090e39f5c3e5a17877a",
         "label":"Impossible travel",
         "type":"policyRule"
      },
      {
         "pa":"tango@qrrush.onmicrosoft.com",
         "saas":11161,
         "entityType":1,
         "inst":0,
         "label":"tango bango",
         "id":"tango@qrrush.onmicrosoft.com",
         "type":"account"
      },
      {
         "label":"tango@qrrush.onmicrosoft.com",
         "id":"tango@qrrush.onmicrosoft.com",
         "type":"user"
      }
   ],
   "idValue":15859716,
   "isPreview":false,
   "isSystemAlert":false,
   "severityValue":1,
   "statusValue":0,
   "stories":[
      0
   ],
   "threatScore":0,
   "timestamp":1613003330378,
   "title":"Impossible travel activity",
   "comment":"closed by Indrajeet",
   "handledByUser":"tango@qrrush.onmicrosoft.com",
   "resolveTime":"2021-02-13T08:55:02.240Z",
   "URL":"https://qrrush.portal.cloudappsecurity.com/#/alerts/60255329369efb920b8e8e4f",
   "error":null,
   "has_error":false
}
```

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

...