Defender for Cloud Apps

Microsoft Defender for Cloud Apps gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats and enables you to control how your data travels.

This connector is available in the following products and regions:

Service Class Regions
Power Automate Standard All Power Automate regions except the following:
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Standard All Power Apps regions except the following:
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)

Creating a connection

The connector supports the following authentication types:

Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
API Key securestring The API Key for this api True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

[DEPRECATED] Dismiss Defender for Cloud Apps alert

Dismiss Defender for Cloud Apps alert by alert ID (deprecated version)

[DEPRECATED] Resolve Defender for Cloud Apps alert

Resolve Defender for Cloud Apps alert by alert ID (deprecated version)

Close Defender for Cloud Apps alert as benign

Close Defender for Cloud Apps alert by alert ID as benign

Close Defender for Cloud Apps alert as false positive

Close Defender for Cloud Apps alert by alert ID as false positive

Close Defender for Cloud Apps alert as true positive

Close Defender for Cloud Apps alert by alert ID as true positive

Disable Defender for Cloud Apps policy

Disable Defender for Cloud Apps policy by policy ID

Enable Defender for Cloud Apps policy

Enable Defender for Cloud Apps policy by policy ID

Get Defender for Cloud Apps activities

Get Defender for Cloud Apps activities performed by Microsoft Entra ID user ID

Get Defender for Cloud Apps open alerts

Get Defender for Cloud Apps open alerts

Get Defender for Cloud Apps policy

Get Defender for Cloud Apps policy by policy ID

Tag app as sanctioned

Tag app as sanctioned by app ID

Tag app as unsanctioned

Tag app as unsanctioned by app ID

[DEPRECATED] Dismiss Defender for Cloud Apps alert

Dismiss Defender for Cloud Apps alert by alert ID (deprecated version)

Parameters

Name Key Required Type Description
eq
eq True array of string

eq

Dismissal comment
comment string

Comment

[DEPRECATED] Resolve Defender for Cloud Apps alert

Resolve Defender for Cloud Apps alert by alert ID (deprecated version)

Parameters

Name Key Required Type Description
eq
eq True array of string

eq

Resolution comment
comment string

Comment

Close Defender for Cloud Apps alert as benign

Close Defender for Cloud Apps alert by alert ID as benign

Parameters

Name Key Required Type Description
eq
eq True array of string

eq

Resolution comment
comment string

Comment

Close Defender for Cloud Apps alert as false positive

Close Defender for Cloud Apps alert by alert ID as false positive

Parameters

Name Key Required Type Description
eq
eq True array of string

eq

Resolution comment
comment string

Comment

Close Defender for Cloud Apps alert as true positive

Close Defender for Cloud Apps alert by alert ID as true positive

Parameters

Name Key Required Type Description
eq
eq True array of string

eq

Resolution comment
comment string

Comment

Disable Defender for Cloud Apps policy

Disable Defender for Cloud Apps policy by policy ID

Parameters

Name Key Required Type Description
Provider policy ID
policy_id True string

Enter provider policy ID...

Enable Defender for Cloud Apps policy

Enable Defender for Cloud Apps policy by policy ID

Parameters

Name Key Required Type Description
Provider policy ID
policy_id True string

Enter provider policy ID...

Get Defender for Cloud Apps activities

Get Defender for Cloud Apps activities performed by Microsoft Entra ID user ID

Parameters

Name Key Required Type Description
Limit
limit integer

Enter limit...

Microsoft Entra ID User ID
id True string

Enter Microsoft Entra ID User ID...

Returns

Activities
ActivitiesAPIResult

Get Defender for Cloud Apps open alerts

Get Defender for Cloud Apps open alerts

Parameters

Name Key Required Type Description
Limit
limit integer

Enter limit...

Returns

Open alerts
AlertsAPIResult

Get Defender for Cloud Apps policy

Get Defender for Cloud Apps policy by policy ID

Parameters

Name Key Required Type Description
Provider policy ID
policy_id True string

Enter provider policy ID...

Returns

Tag app as sanctioned

Tag app as sanctioned by app ID

Parameters

Name Key Required Type Description
Cloud Application
app_id True integer

Enter Cloud Application ID...

Tag app as unsanctioned

Tag app as unsanctioned by app ID

Parameters

Name Key Required Type Description
Cloud Application
app_id True integer

Enter Cloud Application ID...

Triggers

When an alert is generated

Triggers when a Defender for Cloud Apps alert is generated. After configuring your flow, go to the Defender for Cloud Apps policy page, and specify this flow in one of your policies.

When an alert is generated

Triggers when a Defender for Cloud Apps alert is generated. After configuring your flow, go to the Defender for Cloud Apps policy page, and specify this flow in one of your policies.

Returns

Name Path Type Description
Version
Version string

The version of the alert schema

VendorName
VendorName string

The name of the vendor that raised the alert

ProviderName
ProviderName string

The name of the vendor that raised the alert

AlertType
AlertType string

The type name of the alert

StartTimeUtc
StartTimeUtc date-time

The impact start time of the alert (the time of the first event contributing to the alert)

EndTimeUtc
EndTimeUtc date-time

The impact end time of the alert (the time of the last event contributing to the alert)

TimeGenerated
TimeGenerated date-time

The time the alert was generated by CAS

Severity
Severity string

The severity of the alert

ProviderAlertId
ProviderAlertId string

Unique ID for the specific alert instance

ProviderPolicyId
ProviderPolicyId string

ID of the MCAS policy that triggered the alert

CorrelationKey
CorrelationKey string

Used to group similar or duplicate alerts

AzureResourceId
AzureResourceId string

The full ARM resource identifier for the cloud resource being alerted on

CompromisedEntity
CompromisedEntity string

Display name of the main entity being reported on

AlertDisplayName
AlertDisplayName string

The display name of the alert

Description
Description string

Alert description

RemediationSteps
RemediationSteps array of string

Manual action items to take to remediate the alert

Component
Metadata.Component string

Component

ComponentVersion
Metadata.ComponentVersion string

ComponentVersion

TenantId
Metadata.TenantId string

TenantId

MCASTenantId
Metadata.MCASTenantId string

MCASTenantId

MCASDC
Metadata.MCASDC date-time

MCASDC

DuplicateAlertsContextId
Metadata.DuplicateAlertsContextId string

DuplicateAlertsContextId

MCASAlertCategory
Metadata.MCASAlertCategory string

MCASAlertCategory

IP Addresses
ExtendedProperties.IP Addresses string

IP addresses related to the alert

Cloud Applications
ExtendedProperties.Cloud Applications string

Cloud applications related to the alert

Countries
ExtendedProperties.Countries string

Countries related to the alert

Entities
Entities array of object

A list of entities related to the alert. This list can hold a mixture of entities of diverse types.

Type
Entities.Type string

Type of the entity

Name
Entities.Name string

Name of the entity

AadTenantId
Entities.AadTenantId string

Microsoft Entra ID Tenant ID of an account entity

AadUserId
Entities.AadUserId string

Microsoft Entra ID User ID of an account entity

UPNSuffix
Entities.UPNSuffix string

UPN Suffix of an account entity

Address
Entities.Address string

IP Address of an IP entity

ResourceId
Entities.ResourceId string

ResourceId of an Azure resource entity

Domains
Entities.Domains array of string

List of domains of a cloud application entity

ExtendedLinks
ExtendedLinks array of object

A list of links related to the alert. This list can hold a mixture of links of diverse types.

Type
ExtendedLinks.Type string

Link type

Category
ExtendedLinks.Category string

Link category

Label
ExtendedLinks.Label string

Link label

Href
ExtendedLinks.Href string

Link address

Definitions

ActivitiesAPIResult

Name Path Type Description
data
data ActivitiesData

Activities by Microsoft Entra ID user ID

ActivitiesData

Activities by Microsoft Entra ID user ID

Name Path Type Description
Items
object

AlertsAPIResult

Name Path Type Description
data
data AlertsData

Get open alerts

AlertsData

Get open alerts

Name Path Type Description
Items
object

PolicyAPIResult

Name Path Type Description
Name
name PolicyName

The name of the policy

Description
description PolicyDescription

The description of the policy

Type
policyType PolicyType

The type of the policy

Daily alert limit
alertDailyLimit DailyAlertLimit

Daily limit of generated alerts

Last modified
lastModified LastModified

Last modified timestamp

PolicyName

The name of the policy

The name of the policy

Name
string

PolicyDescription

The description of the policy

The description of the policy

Description
string

PolicyType

The type of the policy

The type of the policy

Type
string

DailyAlertLimit

Daily limit of generated alerts

Daily limit of generated alerts

Daily alert limit
integer

LastModified

Last modified timestamp

Last modified timestamp

Last modified
number