Defender for Cloud Apps
Microsoft Defender for Cloud Apps gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables you to control how your data travels.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Copilot Studio | Standard | All Power Automate regions except the following: - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Power Apps | Standard | All Power Apps regions except the following: - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Power Automate | Standard | All Power Automate regions except the following: - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Contact | |
|---|---|
| Name | Microsoft |
| URL | Microsoft Power Automate Support; Microsoft Power Apps Support |
| Connector Metadata | |
|---|---|
| Publisher | Microsoft |
| Website | https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security |
Creating a connection
The connector supports the following authentication types:
| Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not a shareable connection. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| API Key | securestring | The API key for this API | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
Actions
| Action | Description |
|---|---|
| [DEPRECATED] Dismiss Defender for Cloud Apps alert | Dismiss Defender for Cloud Apps alert by alert ID (deprecated version) |
| [DEPRECATED] Resolve Defender for Cloud Apps alert | Resolve Defender for Cloud Apps alert by alert ID (deprecated version) |
| Close Defender for Cloud Apps alert as benign | Close Defender for Cloud Apps alert by alert ID as benign |
| Close Defender for Cloud Apps alert as false positive | Close Defender for Cloud Apps alert by alert ID as false positive |
| Close Defender for Cloud Apps alert as true positive | Close Defender for Cloud Apps alert by alert ID as true positive |
| Disable Defender for Cloud Apps policy | Disable Defender for Cloud Apps policy by policy ID |
| Enable Defender for Cloud Apps policy | Enable Defender for Cloud Apps policy by policy ID |
| Get Defender for Cloud Apps activities | Get Defender for Cloud Apps activities performed by Microsoft Entra ID user ID |
| Get Defender for Cloud Apps open alerts | Get Defender for Cloud Apps open alerts |
| Get Defender for Cloud Apps policy | Get Defender for Cloud Apps policy by policy ID |
| Tag app as sanctioned | Tag app as sanctioned by app ID |
| Tag app as unsanctioned | Tag app as unsanctioned by app ID |
[DEPRECATED] Dismiss Defender for Cloud Apps alert
- Operation ID: MCAS_DISMISS_ALERT
Dismiss Defender for Cloud Apps alert by alert ID (deprecated version)
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| eq | eq | True | array of string | eq |
| Dismissal comment | comment | | string | Comment |
[DEPRECATED] Resolve Defender for Cloud Apps alert
- Operation ID: MCAS_RESOLVE_ALERT
Resolve Defender for Cloud Apps alert by alert ID (deprecated version)
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| eq | eq | True | array of string | eq |
| Resolution comment | comment | | string | Comment |
Close Defender for Cloud Apps alert as benign
- Operation ID: MCAS_CLOSE_ALERT_BENIGN
Close Defender for Cloud Apps alert by alert ID as benign
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| eq | eq | True | array of string | eq |
| Resolution comment | comment | | string | Comment |
Close Defender for Cloud Apps alert as false positive
- Operation ID: MCAS_CLOSE_ALERT_FALSE_POSITIVE
Close Defender for Cloud Apps alert by alert ID as false positive
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| eq | eq | True | array of string | eq |
| Resolution comment | comment | | string | Comment |
Close Defender for Cloud Apps alert as true positive
- Operation ID: MCAS_CLOSE_ALERT_TRUE_POSITIVE
Close Defender for Cloud Apps alert by alert ID as true positive
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| eq | eq | True | array of string | eq |
| Resolution comment | comment | | string | Comment |
Disable Defender for Cloud Apps policy
- Operation ID: MCAS_DISABLE_POLICY
Disable Defender for Cloud Apps policy by policy ID
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Provider policy ID | policy_id | True | string | Enter provider policy ID... |
Enable Defender for Cloud Apps policy
- Operation ID: MCAS_ENABLE_POLICY
Enable Defender for Cloud Apps policy by policy ID
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Provider policy ID | policy_id | True | string | Enter provider policy ID... |
Get Defender for Cloud Apps activities
- Operation ID: MCAS_GET_ACTIVITIES
Get Defender for Cloud Apps activities performed by Microsoft Entra ID user ID
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Limit | limit | | integer | Enter limit... |
| Microsoft Entra ID User ID | id | True | string | Enter Microsoft Entra ID User ID... |
Returns
- Activities: ActivitiesAPIResult
Get Defender for Cloud Apps open alerts
- Operation ID: MCAS_GET_OPEN_ALERTS
Get Defender for Cloud Apps open alerts
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Limit | limit | | integer | Enter limit... |
Returns
- Open alerts: AlertsAPIResult
Get Defender for Cloud Apps policy
- Operation ID: MCAS_GET_POLICY
Get Defender for Cloud Apps policy by policy ID
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Provider policy ID | policy_id | True | string | Enter provider policy ID... |
Returns
- Policy: PolicyAPIResult
Tag app as sanctioned
- Operation ID: MCAS_TAG_APP_SANCTIONED
Tag app as sanctioned by app ID
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Cloud Application | app_id | True | integer | Enter Cloud Application ID... |
Tag app as unsanctioned
- Operation ID: MCAS_TAG_APP_UNSANCTIONED
Tag app as unsanctioned by app ID
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Cloud Application | app_id | True | integer | Enter Cloud Application ID... |
Triggers
| Trigger | Description |
|---|---|
| When an alert is generated | Triggers when a Defender for Cloud Apps alert is generated. After configuring your flow, go to the Defender for Cloud Apps policy page, and specify this flow in one of your policies. |
When an alert is generated
- Operation ID: MCAS_ON_ALERT_GENERATED
Triggers when a Defender for Cloud Apps alert is generated. After configuring your flow, go to the Defender for Cloud Apps policy page, and specify this flow in one of your policies.
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| Version | Version | string | The version of the alert schema |
| VendorName | VendorName | string | The name of the vendor that raised the alert |
| ProviderName | ProviderName | string | The name of the vendor that raised the alert |
| AlertType | AlertType | string | The type name of the alert |
| StartTimeUtc | StartTimeUtc | date-time | The impact start time of the alert (the time of the first event contributing to the alert) |
| EndTimeUtc | EndTimeUtc | date-time | The impact end time of the alert (the time of the last event contributing to the alert) |
| TimeGenerated | TimeGenerated | date-time | The time the alert was generated by CAS |
| Severity | Severity | string | The severity of the alert |
| ProviderAlertId | ProviderAlertId | string | Unique ID for the specific alert instance |
| ProviderPolicyId | ProviderPolicyId | string | ID of the MCAS policy that triggered the alert |
| CorrelationKey | CorrelationKey | string | Used to group similar or duplicate alerts |
| AzureResourceId | AzureResourceId | string | The full ARM resource identifier for the cloud resource being alerted on |
| CompromisedEntity | CompromisedEntity | string | Display name of the main entity being reported on |
| AlertDisplayName | AlertDisplayName | string | The display name of the alert |
| Description | Description | string | Alert description |
| RemediationSteps | RemediationSteps | array of string | Manual action items to take to remediate the alert |
| Component | Metadata.Component | string | Component |
| ComponentVersion | Metadata.ComponentVersion | string | ComponentVersion |
| TenantId | Metadata.TenantId | string | TenantId |
| MCASTenantId | Metadata.MCASTenantId | string | MCASTenantId |
| MCASDC | Metadata.MCASDC | date-time | MCASDC |
| DuplicateAlertsContextId | Metadata.DuplicateAlertsContextId | string | DuplicateAlertsContextId |
| MCASAlertCategory | Metadata.MCASAlertCategory | string | MCASAlertCategory |
| IP Addresses | ExtendedProperties.IP Addresses | string | IP addresses related to the alert |
| Cloud Applications | ExtendedProperties.Cloud Applications | string | Cloud applications related to the alert |
| Countries | ExtendedProperties.Countries | string | Countries related to the alert |
| Entities | Entities | array of object | A list of entities related to the alert. This list can hold a mixture of entities of diverse types. |
| Type | Entities.Type | string | Type of the entity |
| Name | Entities.Name | string | Name of the entity |
| AadTenantId | Entities.AadTenantId | string | Microsoft Entra ID Tenant ID of an account entity |
| AadUserId | Entities.AadUserId | string | Microsoft Entra ID User ID of an account entity |
| UPNSuffix | Entities.UPNSuffix | string | UPN Suffix of an account entity |
| Address | Entities.Address | string | IP Address of an IP entity |
| ResourceId | Entities.ResourceId | string | ResourceId of an Azure resource entity |
| Domains | Entities.Domains | array of string | List of domains of a cloud application entity |
| ExtendedLinks | ExtendedLinks | array of object | A list of links related to the alert. This list can hold a mixture of links of diverse types. |
| Type | ExtendedLinks.Type | string | Link type |
| Category | ExtendedLinks.Category | string | Link category |
| Label | ExtendedLinks.Label | string | Link label |
| Href | ExtendedLinks.Href | string | Link address |
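The following is an added example, not part of the connector or its documentation: it shows one way a downstream handler could process the trigger output described in the Returns table, grouping alerts by CorrelationKey and pulling investigation pivots out of the mixed-type Entities list (the collected AadUserId values are what the Get Defender for Cloud Apps activities action takes as its id parameter). The function names and all sample payloads are constructed for illustration; entities are classified by which documented field is present, because the page does not list the possible Entities.Type values.

```python
import json
from collections import defaultdict

# Constructed sample payloads (not real alerts). Field names follow the trigger's
# Returns table; all values, including Entities.Type, are placeholders.
SAMPLE_ALERTS = json.loads("""
[
  {"ProviderAlertId": "alert-0001", "ProviderPolicyId": "policy-01", "CorrelationKey": "ck-A",
   "Entities": [
     {"Type": "sample-account", "AadUserId": "00000000-0000-0000-0000-000000000001"},
     {"Type": "sample-ip", "Address": "192.0.2.10"},
     {"Type": "sample-app", "Name": "Example App", "Domains": ["app.example.com"]}]},
  {"ProviderAlertId": "alert-0002", "ProviderPolicyId": "policy-01", "CorrelationKey": "ck-A",
   "Entities": [{"Type": "sample-ip", "Address": "192.0.2.10"},
                {"Type": "sample-ip", "Address": "198.51.100.7"}]},
  {"ProviderAlertId": "alert-0003", "ProviderPolicyId": "policy-02", "CorrelationKey": "ck-B"}
]
""")

def extract_pivots(alert):
    """Collect pivots from Entities by field presence (Type values are not assumed)."""
    pivots = {"user_ids": [], "ips": [], "domains": [], "resources": []}
    for entity in alert.get("Entities") or []:   # the list may be missing or empty
        if entity.get("AadUserId"):              # account entity
            pivots["user_ids"].append(entity["AadUserId"])
        if entity.get("Address"):                # IP entity
            pivots["ips"].append(entity["Address"])
        if entity.get("ResourceId"):             # Azure resource entity
            pivots["resources"].append(entity["ResourceId"])
        pivots["domains"].extend(entity.get("Domains") or [])  # cloud application entity
    return pivots

def group_by_correlation(alerts):
    """Merge alerts that share a CorrelationKey into one case with de-duplicated pivots."""
    set_fields = ("policy_ids", "user_ids", "ips", "domains", "resources")
    cases = defaultdict(lambda: {"alert_ids": [], **{f: set() for f in set_fields}})
    for alert in alerts:
        # Fall back to the alert's own ID when no CorrelationKey is present.
        key = alert.get("CorrelationKey") or alert["ProviderAlertId"]
        case = cases[key]
        case["alert_ids"].append(alert["ProviderAlertId"])
        if alert.get("ProviderPolicyId"):
            case["policy_ids"].add(alert["ProviderPolicyId"])
        for name, values in extract_pivots(alert).items():
            case[name].update(values)
    return dict(cases)

if __name__ == "__main__":
    for key, case in group_by_correlation(SAMPLE_ALERTS).items():
        print(key, case["alert_ids"], sorted(case["user_ids"]), sorted(case["ips"]))
```

When the resulting user IDs are fed back into connector actions, the 100 calls per 60 seconds per-connection limit listed under Throttling Limits applies to those follow-up calls.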
Definitions
ActivitiesAPIResult
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | ActivitiesData | Activities by Microsoft Entra ID user ID |
ActivitiesData
Activities by Microsoft Entra ID user ID
| Name | Path | Type | Description |
|---|---|---|---|
| Items | | object | |
AlertsAPIResult
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | AlertsData | Get open alerts |
AlertsData
Get open alerts
| Name | Path | Type | Description |
|---|---|---|---|
| Items | | object | |
PolicyAPIResult
| Name | Path | Type | Description |
|---|---|---|---|
| Name | name | PolicyName | The name of the policy |
| Description | description | PolicyDescription | The description of the policy |
| Type | policyType | PolicyType | The type of the policy |
| Daily alert limit | alertDailyLimit | DailyAlertLimit | Daily limit of generated alerts |
| Last modified | lastModified | LastModified | Last modified timestamp |
