Defender for Cloud Apps
Microsoft Defender for Cloud Apps gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats and enables you to control how your data travels.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Power Automate | Standard | All Power Automate regions except the following: - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Power Apps | Standard | All Power Apps regions except the following: - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Contact | |
---|---|
Name | Microsoft |
URL | Microsoft Power Automate Support Microsoft Power Apps Support |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security |
Creating a connection
The connector supports the following authentication types:
Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not a shareable connection. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
API Key | securestring | The API Key for this api | True |
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Actions
[DEPRECATED] Dismiss Defender for Cloud Apps alert | Dismiss Defender for Cloud Apps alert by alert ID (deprecated version) |
[DEPRECATED] Resolve Defender for Cloud Apps alert | Resolve Defender for Cloud Apps alert by alert ID (deprecated version) |
Close Defender for Cloud Apps alert as benign | Close Defender for Cloud Apps alert by alert ID as benign |
Close Defender for Cloud Apps alert as false positive | Close Defender for Cloud Apps alert by alert ID as false positive |
Close Defender for Cloud Apps alert as true positive | Close Defender for Cloud Apps alert by alert ID as true positive |
Disable Defender for Cloud Apps policy | Disable Defender for Cloud Apps policy by policy ID |
Enable Defender for Cloud Apps policy | Enable Defender for Cloud Apps policy by policy ID |
Get Defender for Cloud Apps activities | Get Defender for Cloud Apps activities performed by Microsoft Entra ID user ID |
Get Defender for Cloud Apps open alerts | Get Defender for Cloud Apps open alerts |
Get Defender for Cloud Apps policy | Get Defender for Cloud Apps policy by policy ID |
Tag app as sanctioned | Tag app as sanctioned by app ID |
Tag app as unsanctioned | Tag app as unsanctioned by app ID |
[DEPRECATED] Dismiss Defender for Cloud Apps alert
Dismiss Defender for Cloud Apps alert by alert ID (deprecated version)
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
eq | eq | True | array of string | eq |
Dismissal comment | comment | | string | Comment |
[DEPRECATED] Resolve Defender for Cloud Apps alert
Resolve Defender for Cloud Apps alert by alert ID (deprecated version)
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
eq | eq | True | array of string | eq |
Resolution comment | comment | | string | Comment |
Close Defender for Cloud Apps alert as benign
Close Defender for Cloud Apps alert by alert ID as benign
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
eq | eq | True | array of string | eq |
Resolution comment | comment | | string | Comment |
Close Defender for Cloud Apps alert as false positive
Close Defender for Cloud Apps alert by alert ID as false positive
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
eq | eq | True | array of string | eq |
Resolution comment | comment | | string | Comment |
Close Defender for Cloud Apps alert as true positive
Close Defender for Cloud Apps alert by alert ID as true positive
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
eq | eq | True | array of string | eq |
Resolution comment | comment | | string | Comment |
Disable Defender for Cloud Apps policy
Disable Defender for Cloud Apps policy by policy ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Provider policy ID | policy_id | True | string | Enter provider policy ID... |
Enable Defender for Cloud Apps policy
Enable Defender for Cloud Apps policy by policy ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Provider policy ID | policy_id | True | string | Enter provider policy ID... |
Get Defender for Cloud Apps activities
Get Defender for Cloud Apps activities performed by Microsoft Entra ID user ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Limit | limit | | integer | Enter limit... |
Microsoft Entra ID User ID | id | True | string | Enter Microsoft Entra ID User ID... |
Returns
- Activities
- ActivitiesAPIResult
Get Defender for Cloud Apps open alerts
Get Defender for Cloud Apps open alerts
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Limit | limit | | integer | Enter limit... |
Returns
- Open alerts
- AlertsAPIResult
Get Defender for Cloud Apps policy
Get Defender for Cloud Apps policy by policy ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Provider policy ID | policy_id | True | string | Enter provider policy ID... |
Returns
- Policy
- PolicyAPIResult
Tag app as sanctioned
Tag app as sanctioned by app ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Cloud Application | app_id | True | integer | Enter Cloud Application ID... |
Tag app as unsanctioned
Tag app as unsanctioned by app ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Cloud Application | app_id | True | integer | Enter Cloud Application ID... |
Triggers
When an alert is generated | Triggers when a Defender for Cloud Apps alert is generated. After configuring your flow, go to the Defender for Cloud Apps policy page, and specify this flow in one of your policies. |
When an alert is generated
Triggers when a Defender for Cloud Apps alert is generated. After configuring your flow, go to the Defender for Cloud Apps policy page, and specify this flow in one of your policies.
Returns
Name | Path | Type | Description |
---|---|---|---|
Version | Version | string | The version of the alert schema |
VendorName | VendorName | string | The name of the vendor that raised the alert |
ProviderName | ProviderName | string | The name of the vendor that raised the alert |
AlertType | AlertType | string | The type name of the alert |
StartTimeUtc | StartTimeUtc | date-time | The impact start time of the alert (the time of the first event contributing to the alert) |
EndTimeUtc | EndTimeUtc | date-time | The impact end time of the alert (the time of the last event contributing to the alert) |
TimeGenerated | TimeGenerated | date-time | The time the alert was generated by CAS |
Severity | Severity | string | The severity of the alert |
ProviderAlertId | ProviderAlertId | string | Unique ID for the specific alert instance |
ProviderPolicyId | ProviderPolicyId | string | ID of the MCAS policy that triggered the alert |
CorrelationKey | CorrelationKey | string | Used to group similar or duplicate alerts |
AzureResourceId | AzureResourceId | string | The full ARM resource identifier for the cloud resource being alerted on |
CompromisedEntity | CompromisedEntity | string | Display name of the main entity being reported on |
AlertDisplayName | AlertDisplayName | string | The display name of the alert |
Description | Description | string | Alert description |
RemediationSteps | RemediationSteps | array of string | Manual action items to take to remediate the alert |
Component | Metadata.Component | string | Component |
ComponentVersion | Metadata.ComponentVersion | string | ComponentVersion |
TenantId | Metadata.TenantId | string | TenantId |
MCASTenantId | Metadata.MCASTenantId | string | MCASTenantId |
MCASDC | Metadata.MCASDC | date-time | MCASDC |
DuplicateAlertsContextId | Metadata.DuplicateAlertsContextId | string | DuplicateAlertsContextId |
MCASAlertCategory | Metadata.MCASAlertCategory | string | MCASAlertCategory |
IP Addresses | ExtendedProperties.IP Addresses | string | IP addresses related to the alert |
Cloud Applications | ExtendedProperties.Cloud Applications | string | Cloud applications related to the alert |
Countries | ExtendedProperties.Countries | string | Countries related to the alert |
Entities | Entities | array of object | A list of entities related to the alert. This list can hold a mixture of entities of diverse types. |
Type | Entities.Type | string | Type of the entity |
Name | Entities.Name | string | Name of the entity |
AadTenantId | Entities.AadTenantId | string | Microsoft Entra ID Tenant ID of an account entity |
AadUserId | Entities.AadUserId | string | Microsoft Entra ID User ID of an account entity |
UPNSuffix | Entities.UPNSuffix | string | UPN Suffix of an account entity |
Address | Entities.Address | string | IP Address of an IP entity |
ResourceId | Entities.ResourceId | string | ResourceId of an Azure resource entity |
Domains | Entities.Domains | array of string | List of domains of a cloud application entity |
ExtendedLinks | ExtendedLinks | array of object | A list of links related to the alert. This list can hold a mixture of links of diverse types. |
Type | ExtendedLinks.Type | string | Link type |
Category | ExtendedLinks.Category | string | Link category |
Label | ExtendedLinks.Label | string | Link label |
Href | ExtendedLinks.Href | string | Link address |
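An added example (not Microsoft's code and not part of the connector): a Python model of how the trigger's alert fields map onto the action parameters documented above, with one activities lookup per user and alert IDs batched per verdict so a triage flow stays under the throttling limit. The sample alerts, entity `Type` values, verdict mapping and function names are constructed for illustration; sending several IDs in one `eq` array is an assumption based on its documented type.

```python
from collections import defaultdict

CALLS_PER_WINDOW = 100  # "API calls per connection" per 60 seconds, from this page
VERDICTS = {"benign", "false positive", "true positive"}  # the three close actions

# Constructed sample shaped like the trigger's Returns table (not real data).
SAMPLE_ALERTS = [
    {"ProviderAlertId": "alert-001", "Severity": "High", "Entities": [
        {"Type": "account", "Name": "alice", "AadUserId": "user-aaa"},
        {"Type": "ip", "Address": "203.0.113.10"}]},
    {"ProviderAlertId": "alert-002", "Severity": "Low", "Entities": [
        {"Type": "account", "Name": "alice", "AadUserId": "user-aaa"},
        {"Type": "app", "Name": "ExampleApp", "Domains": ["app.example.com"]}]},
    {"ProviderAlertId": "alert-003", "Severity": "Medium", "Entities": None},
]

def split_entities(alert):
    """Sort the mixed Entities list by which documented field each entry carries."""
    found = {"user_ids": [], "addresses": [], "domains": []}
    for entity in alert.get("Entities") or []:  # tolerate a missing or null list
        if entity.get("AadUserId"):
            found["user_ids"].append(entity["AadUserId"])
        if entity.get("Address"):
            found["addresses"].append(entity["Address"])
        found["domains"].extend(entity.get("Domains") or [])
    return found

def plan_calls(alerts, verdicts, limit=50):
    """Return (action name, parameters) pairs using this page's parameter keys."""
    calls, seen_users, by_verdict = [], set(), defaultdict(list)
    for alert in alerts:
        for user_id in split_entities(alert)["user_ids"]:
            if user_id not in seen_users:  # one activities lookup per user
                seen_users.add(user_id)
                calls.append(("Get Defender for Cloud Apps activities",
                              {"id": user_id, "limit": limit}))
        verdict = verdicts.get(alert["ProviderAlertId"])
        if verdict is None:
            continue  # no analyst decision yet: the alert stays open
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict: {verdict!r}")
        by_verdict[verdict].append(alert["ProviderAlertId"])
    for verdict, alert_ids in by_verdict.items():
        # Assumption: 'eq' is an array of string, so one call carries several IDs.
        calls.append((f"Close Defender for Cloud Apps alert as {verdict}",
                      {"eq": alert_ids, "comment": f"Closed as {verdict} by triage flow"}))
    return calls

def fits_throttle(calls):
    """True if the planned calls fit inside a single 60-second renewal period."""
    return len(calls) <= CALLS_PER_WINDOW
```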
Definitions
ActivitiesAPIResult
Name | Path | Type | Description |
---|---|---|---|
data | data | ActivitiesData | Activities by Microsoft Entra ID user ID |
ActivitiesData
Activities by Microsoft Entra ID user ID
Name | Path | Type | Description |
---|---|---|---|
Items | | object | |
AlertsAPIResult
Name | Path | Type | Description |
---|---|---|---|
data | data | AlertsData | Get open alerts |
AlertsData
Get open alerts
Name | Path | Type | Description |
---|---|---|---|
Items | | object | |
PolicyAPIResult
Name | Path | Type | Description |
---|---|---|---|
Name | name | PolicyName | The name of the policy |
Description | description | PolicyDescription | The description of the policy |
Type | policyType | PolicyType | The type of the policy |
Daily alert limit | alertDailyLimit | DailyAlertLimit | Daily limit of generated alerts |
Last modified | lastModified | LastModified | Last modified timestamp |