Microsoft Cloud Apps

98 min

the microsoft defender for cloud apps provides programmatic access to defender for cloud apps through rest api endpoints prerequisites the connector requires access token to access defender for cloud apps api with application context for more details, see api authentication https //learn microsoft com/en us/defender cloud apps/api authentication capabilities this connector provides the following capabilities close benign close false positive close true positive create ip address range fetch alert fetch entity fetch entity tree fetch file generate block script initiate file upload list alerts list continuous report category list continuous reports list entities list files and so on close benign for input reasonid , click here to check possible values https //learn microsoft com/en us/defender cloud apps/api alerts close benign close false positive for input reasonid , click here to check possible values https //learn microsoft com/en us/defender cloud apps/api alerts close false positive create ip address range for input category , click here to check possible values https //learn microsoft com/en us/defender cloud apps/api data enrichment create fetch entity the input entity id is a dictionary with the entity id, saas, and instance details encoded as a base64 string for example {"id" "3fa9f28b eb0e 463a ba7b 8089fe9991e2","saas" 11161 ,"inst" 0 } encoded as a base64 string generate block script for input format , following formats are currently supported appliance format bluecoat proxysg 102 cisco asa 104 fortinet fortigate 108 juniper srx 129 palo alto 112 websense 135 zscaler 120 initiate file upload for input source , click here to check supported source type https //learn microsoft com/en us/defender cloud apps/api discovery initiate list alerts for input filters see alert filters https //learn microsoft com/en us/defender cloud apps/api alerts#filters for more details list entities for input sortfield , choose from following values displayname score for input filters see entities filer https //learn microsoft com/en us/defender cloud apps/api entities#filters for more details list files for input filters see file filters https //learn microsoft com/en us/defender cloud apps/api files#filters for more details list ip ranges for input filters see ip range filters https //learn microsoft com/en us/defender cloud apps/api data enrichment#filters for more details the input sortfield is used to sort ip ranges possible values are category tags name manage ip address range for input filters see data enrichment filters https //learn microsoft com/en us/defender cloud apps/api data enrichment#filters for more details update ip address range the input category , is the id of the range category providing a category helps you easily recognize activities from interesting ip addresses possible values include 1 corporate 2 administrative 3 risky 4 vpn 5 cloud provider 6 other configurations api key authentication authenticates using an api key configuration parameters parameter description type required url a url to the target host string required access token access token string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions close benign close multiple alerts matching the specified filters as benign endpoint url /api/v1/alerts/close benign/ method post input argument name type required description filters object required parameter for close benign comment string optional parameter for close benign reasonid number optional unique identifier sendfeedback boolean optional parameter for close benign feedbacktext string optional parameter for close benign allowcontact boolean optional parameter for close benign contactemail string optional parameter for close benign output parameter type description status code number http status code of the response reason string response reason phrase closed benign number output field closed benign example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 34 52 gmt", "content type" "application/json", "content length" "20", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "post, options", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "cadb6340 0767 4a0b b6e8 7c03ee242dea", "set cookie" "cas sessionid=xh7ewkrkc56m21r78813ogb6e4l8mls8; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "closed benign" 13 } } ] close false positive this is a request to close multiple alerts matching the specified filters as false positive endpoint url /api/v1/alerts/close false positive/ method post input argument name type required description filters object required parameter for close false positive comment string optional parameter for close false positive reasonid number optional unique identifier sendfeedback boolean optional parameter for close false positive feedbacktext string optional parameter for close false positive allowcontact boolean optional parameter for close false positive contactemail string optional parameter for close false positive output parameter type description status code number http status code of the response reason string response reason phrase closed false positive number output field closed false positive example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 46 02 gmt", "content type" "application/json", "content length" "28", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "post, options", "content security policy" "default src 'self'; script src 'self' 'unsafe eval' 'unsafe inline' dev virtuale ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "0d9ae7f9 6ae5 4aa3 88f9 53dd7d915e23", "set cookie" "cas sessionid=st8ags4e5bqnhn1t2v49pzc0b8yrqtl3; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "closed false positive" 13 } } ] close true positive close multiple alerts matching the specified filters as true positive endpoint url /api/v1/alerts/close true positive/ method post input argument name type required description filters object required parameter for close true positive comment string optional parameter for close true positive sendfeedback boolean optional parameter for close true positive feedbacktext string optional parameter for close true positive allowcontact boolean optional parameter for close true positive contactemail string optional parameter for close true positive output parameter type description status code number http status code of the response reason string response reason phrase closed true positive number output field closed true positive example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 46 58 gmt", "content type" "application/json", "content length" "27", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "post, options", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "03c75f53 d5b8 4d3e bb8b 57f7082d0797", "set cookie" "cas sessionid=jgej6w2781q9mw1v9m0221yt8t16gatv; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "closed true positive" 13 } } ] create ip address range run the post request to add a new ip address range endpoint url /api/v1/subnet/create rule/ method post input argument name type required description name string required name of the resource category number optional parameter for create ip address range organization string optional parameter for create ip address range subnets array required parameter for create ip address range tags array optional parameter for create ip address range output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 13 00 23 gmt", "content type" "application/json", "content length" "26", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "post, options", "content security policy" "script src 'self' 'unsafe eval' 'unsafe inline' dev virtualearth net cdn cloudap ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "0d231409 732d 4d3e 8c0c 72ca72d49587", "set cookie" "cas sessionid=ifc5lnx9jnrkqna6iem8iep6felfov9i; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" "64d23c67d0b71bb8e300b276" } ] delete ip address range run the delete request to delete an ip address range endpoint url /api/v1/subnet/{{ip range id}}/ method delete input argument name type required description ip range id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 13 17 28 gmt", "content length" "0", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, put, patch, delete, head, options", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "d980baba a243 43f0 a1ed d83b6e943f53", "set cookie" "cas sessionid=800p4sk8gd3e7cubxuyzx4f08tmrh5qm; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "response text" "" } ] fetch alert run the get request to fetch the alert matching the specified primary key endpoint url /api/v1/alerts/{{alert id}}/ method get input argument name type required description alert id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier contextid string unique identifier description string output field description entities array output field entities entityrole string output field entityrole entitytype number type of the resource id string unique identifier inst number output field inst label string output field label pa string output field pa saas number output field saas type string type of the resource policytype string type of the resource idvalue number unique identifier issystemalert boolean output field issystemalert resolutionstatusvalue number status value severityvalue number value for the parameter statusvalue number status value stories array output field stories threatscore number score value timestamp number output field timestamp title string output field title comment string output field comment example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 25 08 gmt", "content type" "application/json", "content length" "30", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, put, patch, delete, head, options", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "e35fdc21 a10c 4994 b371 98e1ac6ca49d", "set cookie" "cas sessionid=uvit7g7adf4i12u7t4gizrb2k9lpzghk; domain= us2 portal cloudappsecur " }, "reason" "ok", "json body" { " id" "603f704aaf7417985bbf3b22", "contextid" "206e2965 6533 48a6 ba9e 794364a84bf9", "description" "contoso user performed 11 suspicious activities mitre technique used account dis ", "entities" \[], "idvalue" 15795464, "issystemalert" false, "resolutionstatusvalue" 0, "severityvalue" 1, "statusvalue" 1, "stories" \[], "threatscore" 34, "timestamp" 1621941916475, "title" "honeytoken activity", "comment" "", "handledbyuser" "administrator\@contoso com" } } ] fetch entity run the get request to fetch the entity matching the specified primary key endpoint url /api/v1/entities/{{entity id}}/ method get input argument name type required description entity id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase type number type of the resource status number status value displayname string name of the resource id string unique identifier id string unique identifier usergroups array output field usergroups id string unique identifier id string unique identifier name string name of the resource description string output field description userscount number count value identifiers array unique identifier type number type of the resource status number status value displayname string name of the resource sid object unique identifier appdata object response data appid number unique identifier name string name of the resource saas number output field saas instance number output field instance isadmin boolean output field isadmin isexternal boolean output field isexternal example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 13 36 40 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, put, patch, delete, head, options", "content security policy" "default src 'self'; script src 'self' 'unsafe eval' 'unsafe inline' dev virtuale ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "e81d7a13 47bc 4eed ba30 ad11b4a44edd", "set cookie" "cas sessionid=qd2udxpe66jlcm9av5px0nq4n6culv45; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block", "content encoding" "gzip" }, "reason" "ok", "json body" { "type" 2, "status" 2, "displayname" "aaron ooi woo chung", "id" "678f80e5 e506 4f10 895d bf664699475d", " id" "64495b36cc8d3e4b3e0ac428", "usergroups" \[], "identifiers" \[], "sid" null, "appdata" {}, "isadmin" false, "isexternal" true, "email" "aaron ooi\@swimlane com", "role" "user", "organization" null, "domain" "swimlane com" } } ] fetch entity tree run the get request to fetch all entities related to the entity matching the specified primary key endpoint url /api/v1/entities/{{entity id}}/retrieve tree/ method get input argument name type required description entity id string required a dictionary with the entity id, saas, and inst details encoded as a base64 string output parameter type description status code number http status code of the response reason string response reason phrase data array response data type number type of the resource status number status value displayname string name of the resource id string unique identifier id string unique identifier usergroups array output field usergroups file name string name of the resource file string output field file identifiers array unique identifier type number type of the resource status number status value displayname string name of the resource sid object unique identifier appdata object response data appid number unique identifier name string name of the resource saas number output field saas instance number output field instance isadmin boolean output field isadmin isexternal boolean output field isexternal email string output field email role string output field role example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 06 35 49 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, head, options", "content security policy" "font src 'self' s microsoft com c s microsoft com flow\ microsoft com data cdn ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "d283a942 0444 42ff 9176 b2753044bcd9", "set cookie" "cas sessionid=t373xj4q7nratdsgmlmbzhn8p5wrlqyh; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block", "content encoding" "gzip" }, "reason" "ok", "json body" { "data" \[] } } ] fetch file run the get request to fetch the file matching the specified primary key endpoint url /api/v1/files/{{file id}}/ method get input argument name type required description file id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 27 20 gmt", "content type" "application/json", "content length" "30", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, put, patch, delete, head, options", "content security policy" "frame src 'self' us2 portal cloudappsecurity com; img src 'self' 'self' data ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "badc6ba6 dbd5 4f3d 9804 f6d6bde2b8c6", "set cookie" "cas sessionid=9bd4dl481fy2ng72k38okwod3vrv6umn; domain= us2 portal cloudappsecur " }, "reason" "ok", "json body" {} } ] generate block script run the get request to get a block script for your network appliance endpoint url /api/discovery block scripts/ method get input argument name type required description format number optional parameter for generate block script output parameter type description status code number http status code of the response reason string response reason phrase data array response data id string unique identifier appid number unique identifier domainlist array output field domainlist name string name of the resource security object output field security mfa object output field mfa adminaudittrail object output field adminaudittrail anonymous usage object output field anonymous usage cert object output field cert badcommonname object name of the resource hostnamemismatch object name of the resource insecuresignature object output field insecuresignature isblacklisted object output field isblacklisted isrevoked object output field isrevoked nochainoftrust object output field nochainoftrust notafter object output field notafter notbefore object output field notbefore selfsigned object output field selfsigned certistrusted boolean output field certistrusted dataaudittrail object response data dataclassification object response data dataencrypted object response data example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 10 08 34 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, head, options", "content security policy" "font src 'self' s microsoft com c s microsoft com flow\ microsoft com data cdn ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "322bb048 a55f 4049 ba24 d8a28fb6365c", "set cookie" "cas sessionid=4z7dilcrhsqk71yegd8hwp33jhhxv7js; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block", "content encoding" "gzip" }, "reason" "ok", "json body" { "data" \[] } } ] initiate file upload run the get request to initiate the upload process endpoint url /api/v1/discovery/upload url/ method get input argument name type required description filename string required name of the resource source string optional parameter for initiate file upload output parameter type description status code number http status code of the response reason string response reason phrase url string url endpoint for the request provider string unique identifier example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "mon, 07 aug 2023 09 26 53 gmt", "content type" "application/json", "content length" "258", "connection" "keep alive", "allow" "get, options", "vary" "origin, cookie", "content security policy" "font src 'self' s microsoft com c s microsoft com flow\ microsoft com data cdn ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "70a94534 d0d1 4dc6 a83b 6448d7ed6547", "set cookie" "cas sessionid=nm5l7ut6wheyjegt11475uozpav65lwo; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "url" "https //prod03use2console1 blob core windows net/discovery logs/2023 08/79117374 ", "provider" "azure" } } ] list alerts fetch a list of alerts matching the specified filters endpoint url /api/v1/alerts/ method post input argument name type required description filters object optional parameter for list alerts sortdirection string optional parameter for list alerts sortfield string optional parameter for list alerts skip number optional parameter for list alerts limit number optional parameter for list alerts output parameter type description status code number http status code of the response reason string response reason phrase data array response data id string unique identifier contextid string unique identifier description string output field description entities array output field entities id string unique identifier label string output field label policytype string type of the resource type string type of the resource em string output field em entitytype number type of the resource inst number output field inst pa string output field pa saas number output field saas evidence array unique identifier title object output field title template string output field template mitre object output field mitre tactic string output field tactic idvalue number unique identifier intent array output field intent issystemalert boolean output field issystemalert resolutionstatusvalue number status value example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 32 02 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, head, options", "content security policy" "default src 'self'; script src 'self' 'unsafe eval' 'unsafe inline' dev virtuale ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "5bffc24b e14c 41a8 9923 d98887541e73", "set cookie" "cas sessionid=9xlk3spg5t2s33gxn24ifk6rs3k4hdd6; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block", "content encoding" "gzip" }, "reason" "ok", "json body" { "data" \[], "hasnext" false, "max" 100, "total" 13, "morethantotal" false } } ] list continuous report categories run the post request to fetch a list of categories associated with a continuous report endpoint url /api/v1/discovery/discovered apps/categories/ method post input argument name type required description filters object optional parameter for list continuous report categories id object optional unique identifier eq array optional parameter for list continuous report categories sortdirection string optional parameter for list continuous report categories sortfield string optional parameter for list continuous report categories skip number optional parameter for list continuous report categories limit number optional parameter for list continuous report categories streamid string optional unique identifier timeframe string optional parameter for list continuous report categories output parameter type description status code number http status code of the response reason string response reason phrase data array response data id string unique identifier total number output field total example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "mon, 07 aug 2023 11 29 56 gmt", "content type" "application/json", "content length" "665", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "post, options", "content security policy" "frame src 'self' us2 portal cloudappsecurity com; img src 'self' 'self' data ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "8242cc19 b920 4890 8819 af95a301ba96", "set cookie" "cas sessionid=gbtzwlju36p9mo6wk8yoyt0urqmuy24o; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "data" \[] } } ] list continuous reports run the get request to fetch a list of continuous reports endpoint url api/discovery/streams/ method get input argument name type required description data body object optional data body headers object optional request headers output parameter type description status code number http status code of the response reason string response reason phrase streams array output field streams id string unique identifier logtype number type of the resource builtinstreamtype number type of the resource displayname string name of the resource streamtype number type of the resource snapshotdata boolean response data created string output field created ismanual boolean output field ismanual canupdatemasterstream boolean output field canupdatemasterstream supportedtraffictypes array type of the resource file name string name of the resource file string output field file supportedentitytypes array type of the resource file name string name of the resource file string output field file lastmodified string output field lastmodified receivertype string type of the resource tid number unique identifier lastdatareceived string response data logfileshistorycount number count value currentservicescollectionname string name of the resource globalaggregated boolean output field globalaggregated example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "mon, 07 aug 2023 11 17 03 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "allow" "options, get", "vary" "origin, cookie", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "ab1cd0dd f15d 4cec b4c8 6d3c5c7f0242", "set cookie" "cas sessionid=6eu363ge76r8eax5frkb3z82sql90tbc; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block", "content encoding" "gzip" }, "reason" "ok", "json body" { "streams" \[] } } ] list entities run the post request to fetch a list of entities matching the specified filters endpoint url /api/v1/entities/ method post input argument name type required description filters object optional parameter for list entities sortdirection string optional parameter for list entities sortfield string optional parameter for list entities skip number optional parameter for list entities limit number optional parameter for list entities output parameter type description status code number http status code of the response reason string response reason phrase data array response data type number type of the resource status number status value displayname string name of the resource id string unique identifier id string unique identifier usergroups array output field usergroups id string unique identifier id string unique identifier name string name of the resource description string output field description userscount number count value identifiers array unique identifier file name string name of the resource file string output field file sid object unique identifier appdata object response data appid number unique identifier name string name of the resource saas number output field saas instance number output field instance isadmin boolean output field isadmin isexternal boolean output field isexternal example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 13 28 05 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, head, options", "content security policy" "default src 'self'; script src 'self' 'unsafe eval' 'unsafe inline' dev virtuale ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "42f21367 a2de 4d60 8eab a99bb6ae21de", "set cookie" "cas sessionid=cb0fre2ptc6afteev22eua7cmiwozxwc; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block", "content encoding" "gzip" }, "reason" "ok", "json body" { "data" \[], "hasnext" false, "max" 100, "total" 2, "morethantotal" false } } ] list files post request to fetch a list of files matching the specified filters endpoint url /api/v1/files/ method post input argument name type required description filters object optional parameter for list files skip number optional parameter for list files limit number optional parameter for list files output parameter type description status code number http status code of the response reason string response reason phrase data array response data file name string name of the resource file string output field file hasnext boolean output field hasnext max number output field max total number output field total morethantotal boolean output field morethantotal example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 07 04 30 gmt", "content type" "application/json", "content length" "69", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, head, options", "content security policy" "font src 'self' s microsoft com c s microsoft com flow\ microsoft com data cdn ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "344f5d14 b044 4af8 b730 e40a47a8de34", "set cookie" "cas sessionid=wqkl9bqex7i1lqycigbbuxi6o5by5cpd; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "data" \[], "hasnext" false, "max" 100, "total" 0, "morethantotal" false } } ] list ip ranges request to fetch a list of ip ranges matching the specified filters endpoint url /api/v1/subnet/ method post input argument name type required description filters object optional parameter for list ip ranges sortdirection string optional parameter for list ip ranges sortfield string optional parameter for list ip ranges skip number optional parameter for list ip ranges limit number optional parameter for list ip ranges output parameter type description status code number http status code of the response reason string response reason phrase data array response data id string unique identifier name string name of the resource subnets array output field subnets mask number output field mask address string output field address originalstring string output field originalstring location object output field location name string name of the resource latitude number output field latitude longitude number output field longitude countrycode string output field countrycode countryname string name of the resource organization string output field organization tags array output field tags id string unique identifier id string unique identifier target number output field target type number type of the resource name string name of the resource nametemplate object name of the resource template string output field template description string output field description example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 10 50 54 gmt", "content type" "application/json", "content length" "37", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, head, options", "content security policy" "default src 'self'; script src 'self' 'unsafe eval' 'unsafe inline' dev virtuale ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "0ddaf22f 9092 4271 9dd8 cef1e1596163", "set cookie" "cas sessionid=gha6et6e8q8km365rul3zhdl2xxuj46b; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "data" \[], "hasnext" false, "total" 1 } } ] manage ip address range you can use the data enrichment apis to manage ip address ranges endpoint url /api/v1/subnet/ method post input argument name type required description filters object optional parameter for manage ip address range limit number optional parameter for manage ip address range output parameter type description status code number http status code of the response reason string response reason phrase data array response data id string unique identifier name string name of the resource subnets array output field subnets mask number output field mask address string output field address originalstring string output field originalstring location object output field location organization object output field organization tags array output field tags file name string name of the resource file string output field file category number output field category lastmodified number output field lastmodified tid number unique identifier hasnext boolean output field hasnext total number output field total example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 09 aug 2023 10 25 55 gmt", "content type" "application/json", "content length" "411", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, head, options", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "3c6cafdf 105e 428d beab d0396d41ed51", "set cookie" "cas sessionid=v0rbb1nf48icpnda2cxloseczh2i2vr1; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "data" \[], "hasnext" false, "total" 1 } } ] mark alert as read run the post request to mark the alert matching the specified primary key as read endpoint url /api/v1/alerts/{{alert id}}/read/ method post input argument name type required description path parameter object required parameter for the mark alert as read action alert id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 400, "response headers" { "server" "nginx", "date" "mon, 07 aug 2023 09 12 15 gmt", "content type" "application/json", "content length" "140", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, put, patch, delete, head, options", "content security policy" "frame src 'self' us2 portal cloudappsecurity com; img src 'self' 'self' data ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "6e8f1ea4 0bcc 453d add6 09685da8552d", "set cookie" "cas sessionid=n094w1j0ku975py7oqx07s79803ykdob; domain= us2 portal cloudappsecur " }, "reason" "bad request", "json body" {} } ] mark alert as unread run the post request to mark the alert matching the specified primary key as unread endpoint url /api/v1/alerts/{{alert id}}/unread/ method post input argument name type required description path parameter object required parameter for the mark alert as unread action alert id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 400, "response headers" { "server" "nginx", "date" "mon, 07 aug 2023 09 18 39 gmt", "content type" "application/json", "content length" "144", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "get, post, put, patch, delete, head, options", "content security policy" "default src 'self'; style src 'self' 'unsafe inline' s microsoft com cdn cloud ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "680b40c1 2c67 4eb1 bed3 b52991935279", "set cookie" "cas sessionid=1jd68xiu867sjh53udkr7i1r36qfnioi; domain= us2 portal cloudappsecur " }, "reason" "bad request", "json body" {} } ] update ip address range run the post request to update an existing ip address range endpoint url /api/v1/subnet/{{ip range id}}/update rule/ method post input argument name type required description ip range id string required unique identifier name string required name of the resource category number optional parameter for update ip address range organization string optional parameter for update ip address range subnets array required parameter for update ip address range tags array optional parameter for update ip address range output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource subnets array output field subnets mask number output field mask address string output field address originalstring string output field originalstring location object output field location organization string output field organization tags array output field tags category number output field category lastmodified number output field lastmodified example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 08 aug 2023 13 09 35 gmt", "content type" "application/json", "content length" "364", "connection" "keep alive", "vary" "accept, origin, cookie", "allow" "post, options", "content security policy" "script src 'self' 'unsafe eval' 'unsafe inline' dev virtualearth net cdn cloudap ", "strict transport security" "max age=31536000", "x content type options" "nosniff", "cache control" "no cache, no store", "request id" "7275323d 8fb4 4bc7 9a6b e5b91fba50b2", "set cookie" "cas sessionid=vb49dy0w48vp0xabj39n922401tnym62; domain= us2 portal cloudappsecur ", "x xss protection" "1; mode=block" }, "reason" "ok", "json body" { "name" "range name update", "subnets" \[], "location" null, "organization" "microsoft", "tags" \[], "category" 5, "lastmodified" 1691500175593 9048 } } ] response headers header description example allow http response header allow get, post, head, options cache control directives for caching mechanisms no cache, no store connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 665 content security policy http response header content security policy font src 'self' s microsoft com c s microsoft com flow\ microsoft com data cdn cloudappsecurity com cloudappsecurity rs azureedge net static2 sharepointonline com portal cloudappsecurity com portal cloudappsecurity com; frame src 'self' us2 portal cloudappsecurity com; default src 'self'; img src 'self' 'self' data blob adaproddiscovery azureedge net cdn cloudappsecurity com cloudappsecurity rs azureedge net prod03use2console1 blob core windows net us2 portal cloudappsecurity com; connect src 'self' dc services visualstudio com dev virtualearth net cdn cloudappsecurity com cloudappsecurity rs azureedge net rs2euwportalreportsxgbr blob core windows net prod3use2portalreporxaly blob core windows net prod03use2console1 blob core windows net; style src 'self' 'unsafe inline' s microsoft com cdn cloudappsecurity com cloudappsecurity rs azureedge net prodportalmfcdndfl azureedge net; script src 'self' 'unsafe eval' 'unsafe inline' dev virtualearth net cdn cloudappsecurity com cloudappsecurity rs azureedge net prodportalmfcdndfl azureedge net us2 portal cloudappsecurity com content type the media type of the resource application/json date the date and time at which the message was originated wed, 09 aug 2023 07 46 02 gmt request id http response header request id ab1cd0dd f15d 4cec b4c8 6d3c5c7f0242 server information about the software used by the origin server nginx set cookie http response header set cookie cas sessionid=4z7dilcrhsqk71yegd8hwp33jhhxv7js; domain= us2 portal cloudappsecurity com; expires=tue, 08 aug 2023 11 08 34 gmt; httponly; max age=3600; path=/; secure strict transport security http response header strict transport security max age=31536000 transfer encoding http response header transfer encoding chunked vary http response header vary accept, origin, cookie x content type options http response header x content type options nosniff x xss protection http response header x xss protection 1; mode=block notes api doc https //learn microsoft com/en us/defender cloud apps/api introduction