Microsoft Defender for Cloud Apps
App Vendor: Microsoft
App Category: IT Services
Connector Version: 1.0.0
API Version: 1.0.0
About App
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds and provides visibility, control over data travel, and analytics to identify and combat cyber threats across cloud services. In Orchestrate, the Microsoft Defender for Cloud Apps app enables security analysts to retrieve the activity details of IP addresses and users. The app also enables security analysts to set custom filters to retrieve activity search details.
The Microsoft Defender for Cloud Apps app is configured with the Orchestrate application to perform the following actions.
Action Name | Description |
---|---|
Get Activities Advanced | This action sets custom filters on a get activities search. |
Get Activities for IP Address | This action retrieves all activities for an IP address for a specific time range. |
Get Activities for User | This action retrieves the activities of a user for a specific time range. |
Configuration Parameters
The following configuration parameters are required for the Microsoft Defender for Cloud Apps app to communicate with the Microsoft Defender for Cloud Apps enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of the Microsoft Defender for Cloud Apps instance. Example: "https://sampledomain.cloudappsecurity.com" | Text | Required | |
Authentication Token | Enter the authentication token to connect to the Microsoft Defender for Cloud Apps instance. Example: "HlxdF0sfAVpcHXFfBF1bTkMXXNAWktOX19xSkvaXUZbxxgdfDQEJTFxxOHk1XXXXS11eGUxKGhkJKLgcGBZKSRwbGB0YHU0YSertGRZMGRhKSksZTBgXTBcZGx0eHVwZFa5KFkaOWg==" | Password | Required | |
Action: Get Activities Advanced
This action sets custom filters on a get activities search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filter parameters and values in JSON format to filter the results. Example: $JSON[{"filters": {"ip.address": "192.168.1.1", "date": {"endTime": "2022-08-02T00:00:00Z", "startTime": "2022-01-01T00:00:00Z"}}, "limit": 1}] | Any | Required | |
Example Request
[ { "filters": { "limit": 1, "filters": { "date": { "endTime": "2022-08-02T00:00:00Z", "startTime": "2022-01-01T00:00:00Z" }, "ip.address": "192.168.1.1" } } } ]
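The Filters parameter is free-form JSON, so an analyst typo (an invalid IP literal, a reversed date range, a non-integer limit) only surfaces when the action fails. The following Python helper, added here as an example and not part of the Orchestrate app or the Defender for Cloud Apps API, validates a Filters document of the shape shown above before it is passed on. Python is assumed as the scripting language; the `max_limit` cap of 1000 and the default limit of 100 are assumptions for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample, mirroring the Filters parameter example on this page
EXAMPLE_FILTERS = json.dumps({
    "filters": {
        "ip.address": "192.168.1.1",
        "date": {"startTime": "2022-01-01T00:00:00Z", "endTime": "2022-08-02T00:00:00Z"},
    },
    "limit": 1,
})


def _parse_utc(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"timestamp must be ISO 8601 UTC ending in 'Z': {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_advanced_filters(raw, default_limit=100, max_limit=1000):
    """Validate a Filters document (JSON string or decoded dict) and return a
    normalized dict. Raises ValueError on anything the action could not use.
    default_limit and max_limit are assumed values, not documented ones."""
    payload = json.loads(raw) if isinstance(raw, str) else dict(raw)
    filters = payload.get("filters")
    if not isinstance(filters, dict):
        raise ValueError('"filters" must be a JSON object')

    if "ip.address" in filters:
        # ipaddress.ip_address raises ValueError for anything that is not an IPv4/IPv6 literal
        ipaddress.ip_address(filters["ip.address"])

    if "date" in filters:
        date = filters["date"]
        if not isinstance(date, dict) or not {"startTime", "endTime"} <= set(date):
            raise ValueError('"date" needs both "startTime" and "endTime"')
        start, end = _parse_utc(date["startTime"]), _parse_utc(date["endTime"])
        if start >= end:
            raise ValueError("startTime must be earlier than endTime")

    limit = payload.get("limit", default_limit)
    # bool is a subclass of int, so reject it explicitly
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= max_limit:
        raise ValueError(f'"limit" must be an integer between 1 and {max_limit}')

    return {"filters": filters, "limit": limit}


def is_valid_filters(raw):
    """Convenience wrapper: True if validate_advanced_filters accepts the document."""
    try:
        validate_advanced_filters(raw)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    print(validate_advanced_filters(EXAMPLE_FILTERS))
```

Run the validator on the $JSON[...] value before the action executes; a failed check is cheaper to diagnose in the playbook than an empty or errored search result.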
Action: Get Activities for IP Address
This action retrieves all activities for an IP address for a specific time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address to retrieve the activity details. Example: "192.168.1.1" | Text | Required | |
Start Time | Enter the start time to retrieve the activities that are added after this time. Example: "2022-01-01:01:01:01" | Text | Required | You can enter the exact or relative value of the start time. Example: Exact time: "2022-01-01:01:01:01" Relative time: "5 minutes ago" or "1 week ago" |
End Time | Enter the end time to retrieve the activities that are added before this time. Example: "2022-01-02:01:01:01" | Text | Required | You can enter the exact or relative value of the end time. Exact time: "2022-01-02:01:01:01" Relative time: "5 minutes ago" or "1 week ago" |
Limit | Enter the maximum number of results to retrieve. Example: 100 | Integer | Optional | Default value: 100 |
Example Request
[ { "limit": "100", "end_time": "2022-01-02:01:01:01", "ip_address": "192.168.1.1", "start_time": "2022-01-01:01:01:01" } ]
Action: Get Activities for User
This action retrieves the activities of a user for a specific time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID of a user to retrieve the activity details. Example: "conteso@cyware.com" | Text | Required | |
Start Time | Enter the start time to retrieve the activities that are added after this time. Example: "2022-01-01:01:01:01" | Text | Required | You can enter the exact or relative value of the start time. Example: Exact time: "2022-01-01:01:01:01" Relative time: "5 minutes ago" or "1 week ago" |
End Time | Enter the end time to retrieve the activities that are added before this time. Example: "2022-01-02:01:01:01" | Text | Required | You can enter the exact or relative value of the end time. Exact time: "2022-01-02:01:01:01" Relative time: "5 minutes ago" or "1 week ago" |
Limit | Enter the maximum number of results to retrieve. Example: 100 | Integer | Optional | Default value: 100 |
Example Request
[ { "limit": "100", "user_id": "conteso@cyware.com", "end_time": "2022-01-02:01:01:01", "start_time": "2022-01-01:01:01:01" } ]
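The IP-address and user actions accept either an exact timestamp in the "YYYY-MM-DD:HH:MM:SS" layout used in the examples above or a relative phrase such as "5 minutes ago" or "1 week ago". The following Python helper, added here as an example and not part of the Orchestrate app, resolves both forms to an exact value and assembles a request payload of the shape shown in the example requests for both actions. Python is assumed as the scripting language, the timestamp layout is taken from the page's examples, the supported units (second, minute, hour, day, week) are an assumption, and `limit` is emitted as an integer to match the parameter's Integer field type.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp layout used by the example requests on this page
EXACT_FORMAT = "%Y-%m-%d:%H:%M:%S"

# Relative phrases accepted; the unit list is an assumption for this example
_UNITS = {"second": "seconds", "minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
_RELATIVE = re.compile(r"^\s*(\d+)\s+(second|minute|hour|day|week)s?\s+ago\s*$", re.IGNORECASE)


def resolve_time(value, now=None):
    """Return a naive UTC datetime for an exact timestamp or a relative phrase.
    'now' may be a datetime or an exact-format string and is injectable so the
    result is reproducible in tests; it defaults to the current UTC time."""
    if isinstance(now, str):
        now = datetime.strptime(now, EXACT_FORMAT)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    m = _RELATIVE.match(value)
    if m:
        amount, unit = int(m.group(1)), m.group(2).lower()
        return now - timedelta(**{_UNITS[unit]: amount})
    try:
        return datetime.strptime(value.strip(), EXACT_FORMAT)
    except ValueError:
        raise ValueError(f"unrecognized time value: {value!r}") from None


def build_activity_request(start_time, end_time, user_id=None, ip_address=None, limit=100, now=None):
    """Build the input payload for Get Activities for IP Address or for User.
    Exactly one of user_id / ip_address must be supplied; the default limit of
    100 matches the documented default."""
    if (user_id is None) == (ip_address is None):
        raise ValueError("provide exactly one of user_id or ip_address")
    start, end = resolve_time(start_time, now), resolve_time(end_time, now)
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    payload = {
        "start_time": start.strftime(EXACT_FORMAT),
        "end_time": end.strftime(EXACT_FORMAT),
        "limit": limit,
    }
    if user_id is not None:
        payload["user_id"] = user_id
    else:
        payload["ip_address"] = ip_address
    return payload


if __name__ == "__main__":
    # Constructed sample: a one-week window ending at a fixed point in time
    print(build_activity_request("1 week ago", "2022-01-08:01:01:01",
                                 user_id="conteso@cyware.com", now="2022-01-08:01:01:01"))
```

Resolving relative times in the playbook rather than in the action makes the window that was actually queried visible in the run log, which matters when an investigation later has to show exactly which activities were and were not covered.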