Microsoft CASB
App Vendor: Microsoft
App Category: Network Security
Connector Version: 1.1.0
API Version: 1.0.0
About App
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates across multiple clouds. It provides visibility into cloud app usage, control over data in transit, and analytics to identify and respond to threats across your cloud services.
The Microsoft CASB app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
List Alerts | This action retrieves the list of all alerts from CASB. |
Close Benign Alerts | This action closes benign alerts on CASB. |
Close True Positive Alerts | This action closes true positive alerts on CASB. |
Close False Positive Alerts | This action closes false positive alerts on CASB. |
List Activities | This action retrieves the list of all activities from CASB. |
List Files | This action retrieves the list of all files from CASB. |
List Entities | This action retrieves the list of all entities from CASB. |
Get Alert Details | This action retrieves the details of an alert. |
Mark Alert as Read | This action marks an alert as read. |
Mark Alert as Unread | This action marks an alert as unread. |
Configuration Parameters
The following configuration parameters are required for the Microsoft CASB app to communicate with the Microsoft CASB enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of the Microsoft CASB tenant. Example: "https://mytenant.us2.contoso.com" | Text | Required | Must be an https URL; the access token is sent with every request. |
Access Token | Enter the API access token for Microsoft CASB. | Text | Required | Treat the token as a secret. |
Verify | Choose whether to verify the server's SSL/TLS certificate. | Boolean | Optional | Keep enabled outside test environments: with verification disabled, anyone who can intercept the connection can read the access token and the alert data. |
Action: List Alerts
This action retrieves the list of all alerts from CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filter query to apply. Example: {"alertOpen": ${| default::bool::True}} | Key Value | Optional | For the supported filter keys, see the Microsoft documentation. |
Skip | Enter the number of records to skip. Example: 3 | Integer | Optional | Use together with Limit to page through results. |
Limit | Enter the maximum number of records to be returned by the request. | Integer | Optional | |
Example Request
[ { "filters": { "alertOpen": true }, "skip": 5, "limit": 10 } ]
Action: Close Benign Alerts
This action closes benign alerts on CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID List | Enter the list of alert IDs to close. Example: $LIST[55af7415fa29eef2e1f,55af741cf8a29eef2e20] | List | Required | |
Comment | Enter a comment explaining why the alerts were closed. Example: "Actual severity is lower" | Text | Required | |
Reason ID | Enter the reason for closing the alerts as benign. Providing a reason helps improve the accuracy of the detection over time. Example: 4 | Integer | Required | Allowed values: see the Microsoft documentation. |
Send Feedback | Set to true to submit feedback about these alerts along with the closure. | Boolean | Required | Allowed values: true, false. Default value: false |
Feedback Text | Enter the text of the feedback. Example: "This is an example feedback" | Text | Optional | Only meaningful when Send Feedback is true. |
Example Request
[ { "id": { "eq": [ "55af7415f8a0a7a29eef2e1f", "55af741cf8a0a7a29eef2e20", "5f8d70bfc1ffb25b0a541c7d" ] }, "comment": "Actual severity is lower", "reasonId": 4, "sendFeedback": true, "feedbackText": "This is an example feedback" } ]
Action: Close True Positive Alerts
This action closes true positive alerts on CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID List | Enter the list of alert IDs to close. Example: $LIST[55af7415fa29eef2e1f,55af741cf8a29eef2e20] | List | Required | |
Comment | Enter a comment explaining why the alerts were closed. Example: "Resolution Provided" | Text | Required | |
Send Feedback | Set to true to submit feedback about these alerts along with the closure. Example: true | Boolean | Required | Allowed values: true, false. Default value: false |
Feedback Text | Enter the text of the feedback. Example: "This is an example feedback" | Text | Optional | Only meaningful when Send Feedback is true. |
Example Request
[ { "id": { "eq": [ "55af7415f8a0a7a29eef2e1f", "55af741cf8a0a7a29eef2e20", "5f8d70bfc1ffb25b0a541c7d" ] }, "comment": "Resolution Provided", "sendFeedback": true, "feedbackText": "This is an example feedback" } ]
Action: Close False Positive Alerts
This action closes false positive alerts on CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID List | Enter the list of alert IDs to close. Example: $LIST[55af7415fa29eef2e1f,55af741cf8a29eef2e20] | List | Required | |
Comment | Enter a comment explaining why the alerts were closed. Example: "Resolution Provided" | Text | Required | |
Reason ID | Enter the reason for closing the alerts as false positive. Providing a reason helps improve the accuracy of the detection over time. Example: 4 | Integer | Required | Allowed values: see the Microsoft documentation. |
Send Feedback | Set to true to submit feedback about these alerts along with the closure. Example: true | Boolean | Required | Allowed values: true, false. Default value: false |
Feedback Text | Enter the text of the feedback. Example: "This is an example feedback" | Text | Optional | Only meaningful when Send Feedback is true. |
Example Request
[ { "id": { "eq": [ "55af7415f8a0a7a29eef2e1f", "55af741cf8a0a7a29eef2e20", "5f8d70bfc1ffb25b0a541c7d" ] }, "comment": "Resolution Provided", "reasonId": 4, "sendFeedback": true, "feedbackText": "This is an example feedback" } ]
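The List Alerts action pages with Skip and Limit, and the three Close actions share one request shape: the ID List becomes {"id": {"eq": [...]}}, Reason ID is accepted only when closing as benign or false positive, and Send Feedback/Feedback Text travel alongside the comment. The Python below ties these together as a triage loop: page through open alerts until a short page comes back, then close each batch with the body the matching action expects, refusing bodies that mix up the Reason ID rule. It is an added example, not code from the connector or from Microsoft. The endpoint paths, the "Token <access token>" Authorization header, the {"data": [...]} response shape and the MAX_LIMIT page cap are assumptions not stated on this page, and the alert data is constructed in memory so the example runs without a tenant.

```python
"""Paginated List Alerts plus Close Benign / True Positive / False Positive bodies.

Added example; not the connector's or Microsoft's code. Endpoint paths, the
'Token <access token>' header, the {"data": [...]} response shape and MAX_LIMIT
are assumptions; the sample alerts are constructed below.
"""
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

LIST_ALERTS = "/api/v1/alerts/"                      # assumed path
CLOSE_PATHS = {                                      # assumed paths
    "benign": "/api/v1/alerts/close_benign/",
    "false_positive": "/api/v1/alerts/close_false_positive/",
    "true_positive": "/api/v1/alerts/close_true_positive/",
}
MAX_LIMIT = 100   # hypothetical page-size cap; the service may enforce its own

# transport(method, url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, str, dict, dict], dict]


@dataclass
class CasbClient:
    base_url: str
    access_token: str
    transport: Transport
    verify: bool = True   # mirrors the connector's "Verify" parameter

    def __post_init__(self) -> None:
        # The access token is a bearer secret: never send it over plain HTTP or
        # to a server whose certificate was not checked.
        if not self.base_url.startswith("https://"):
            raise ValueError("Base URL must use https")
        if not self.verify:
            raise ValueError("Verify=False would expose the access token to interception")
        self.base_url = self.base_url.rstrip("/")

    def _post(self, path: str, body: dict) -> dict:
        headers = {"Authorization": f"Token {self.access_token}"}   # assumed header format
        return self.transport("POST", self.base_url + path, headers, body)

    def iter_alerts(self, filters: Optional[dict] = None, limit: int = 50) -> Iterator[dict]:
        """List Alerts with pagination: advance skip by limit until a short page."""
        limit = max(1, min(limit, MAX_LIMIT))
        skip = 0
        while True:
            page = self._post(LIST_ALERTS, {"filters": filters or {}, "skip": skip, "limit": limit})
            records = page.get("data", [])
            yield from records
            if len(records) < limit:
                return
            skip += limit

    def close_alerts(self, verdict: str, alert_ids: list, comment: str,
                     reason_id: Optional[int] = None, feedback_text: Optional[str] = None) -> dict:
        """Build the close body; reasonId is only valid for benign / false positive."""
        if verdict not in CLOSE_PATHS:
            raise ValueError(f"unknown verdict {verdict!r}")
        if not alert_ids or not comment:
            raise ValueError("ID List and Comment are required")
        body = {"id": {"eq": list(alert_ids)}, "comment": comment,
                "sendFeedback": feedback_text is not None}
        if verdict == "true_positive":
            if reason_id is not None:
                raise ValueError("Close True Positive Alerts takes no Reason ID")
        elif reason_id is None:
            raise ValueError(f"Reason ID is required when closing as {verdict}")
        else:
            body["reasonId"] = reason_id
        if feedback_text is not None:
            body["feedbackText"] = feedback_text
        return self._post(CLOSE_PATHS[verdict], body)


def make_fake_transport(alerts: list) -> tuple:
    """Constructed in-memory stand-in for the service so the example runs offline."""
    calls = []

    def transport(method: str, url: str, headers: dict, body: dict) -> dict:
        calls.append((url, body))
        if not headers.get("Authorization", "").startswith("Token "):
            return {"error": "unauthorized"}
        if url.endswith(LIST_ALERTS):   # filter by simple key equality, then slice the page
            hits = [a for a in alerts if all(a.get(k) == v for k, v in body["filters"].items())]
            return {"data": hits[body["skip"]: body["skip"] + body["limit"]]}
        for a in alerts:                # any close_* path: mark the listed IDs closed
            if a["_id"] in body["id"]["eq"]:
                a["alertOpen"] = False
        return {"closed": len(body["id"]["eq"])}

    return transport, calls


def triage_demo() -> dict:
    """Constructed sample data: seven alerts, five of them open; page size 2."""
    alerts = [{"_id": f"alert{i:02d}", "alertOpen": i % 4 != 0} for i in range(7)]
    transport, calls = make_fake_transport(alerts)
    client = CasbClient("https://mytenant.us2.contoso.com", "REDACTED", transport)
    open_ids = [a["_id"] for a in client.iter_alerts({"alertOpen": True}, limit=2)]
    client.close_alerts("false_positive", open_ids[:2], "Resolution Provided",
                        reason_id=4, feedback_text="This is an example feedback")
    client.close_alerts("true_positive", open_ids[2:], "Resolution Provided")
    return {"open_ids": open_ids,
            "list_calls": sum(1 for url, _ in calls if url.endswith(LIST_ALERTS)),
            "reason_in_tp_body": "reasonId" in calls[-1][1],
            "still_open": [a["_id"] for a in alerts if a["alertOpen"]]}


def guardrails() -> dict:
    """Which misuses the client rejects, returned as booleans."""
    def rejects(fn) -> bool:
        try:
            fn()
        except ValueError:
            return True
        return False
    noop = lambda m, u, h, b: {"data": []}
    ok = CasbClient("https://mytenant.us2.contoso.com", "t", noop)
    return {"verify_off": rejects(lambda: CasbClient("https://x", "t", noop, verify=False)),
            "plain_http": rejects(lambda: CasbClient("http://x", "t", noop)),
            "fp_without_reason": rejects(lambda: ok.close_alerts("false_positive", ["a"], "c")),
            "tp_with_reason": rejects(lambda: ok.close_alerts("true_positive", ["a"], "c", reason_id=4))}


if __name__ == "__main__":
    print(triage_demo())
    print(guardrails())
```

With a page size of 2 and five open alerts, the loop issues three list calls (two full pages and one short page) and stops without a fourth empty request; the true positive closure body carries no reasonId. Swapping the fake transport for a real HTTPS call keeps the pagination and body-building logic unchanged.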
Action: List Activities
This action retrieves the list of all activities from CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filter query to apply. Example: { "taken_action": "block" } | Key Value | Optional | For the supported filter keys, see the Microsoft documentation. |
Skip | Enter the number of records to skip. Example: 4 | Integer | Optional | Use together with Limit to page through results. |
Limit | Enter the maximum number of records to be returned by the request. Example: 50 | Integer | Optional | |
Example Request
[ { "filters": { "taken_action": "block" }, "skip": 5, "limit": 10 } ]
Action: List Files
This action retrieves the list of all files from CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filter query to apply. Example: { "file_type": "Document" } | Key Value | Optional | For the supported filter keys, see the Microsoft documentation. |
Skip | Enter the number of records to skip. Example: 5 | Integer | Optional | Use together with Limit to page through results. |
Limit | Enter the maximum number of records to be returned by the request. Example: 50 | Integer | Optional | |
Example Request
[ { "filters": { "file_type": "Document" }, "skip": 5, "limit": 10 } ]
Action: List Entities
This action retrieves the list of all entities from CASB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filter query to apply. Example: { "id": "entity-id" } | Key Value | Optional | For the supported filter keys, see the Microsoft documentation. |
Skip | Enter the number of records to skip. Example: 5 | Integer | Optional | Use together with Limit to page through results. |
Limit | Enter the maximum number of records to be returned by the request. Example: 50 | Integer | Optional | |
Example Request
[ { "filters": { "id": "entity-id" }, "skip": 5, "limit": 10 } ]
Action: Get Alert Details
This action retrieves the details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert to retrieve. Example: "55af7415fa29eef2e1f" | Text | Required | |
Example Request
[ { "alert_id":"55af7415fa29eef2e1f" } ]
Action: Mark Alert as Read
This action marks an alert as read.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert to mark as read. Example: "55af7415fa29eef2e1f" | Text | Required | |
Example Request
[ { "alert_id":"55af7415fa29eef2e1f" } ]
Action: Mark Alert as Unread
This action marks an alert as unread.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert to mark as unread. Example: "55af7415fa29eef2e1f" | Text | Required | |
Example Request
[ { "alert_id":"55af7415fa29eef2e1f" } ]