Microsoft Office 365

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Learn more about the Microsoft Office 365 Standard Collector and content pack integrations in Cortex Cloud.

You can collect Microsoft Office 365 logs and data using either a Standard Collector or a content pack integration:

Vendor

Description

Standard Collector overview

Forward logs and data to Cortex Cloud from Microsoft Office 365 Management Activity API and Microsoft Graph API using the Office 365 data source.

Link to Standard Collector instructions

The following types of logs and data can be ingested from Microsoft Office 365 Management Activity API and Microsoft Graph API:

  • Microsoft Office 365 audit events from Management Activity API

    • Microsoft Entra ID (Azure AD)

    • Exchange Online

    • SharePoint Online

    • DLP

    • General

  • Microsoft Entra ID (Azure AD) authentication and audit events from Microsoft Graph API

  • Microsoft 365 alerts from the Microsoft Graph Security API, which aggregates alerts from different Microsoft security products and is available in two API versions:

    • Microsoft Graph Security API v1

    • Microsoft Graph Security API v2

For more information, see Ingest logs from Microsoft Office 365.

Links to content pack/integration details

  • The Microsoft Defender for Cloud content pack provides unified security management and advanced threat protection across hybrid cloud workloads. The content items in this pack include a modeling rule (Defender For Cloud Microsoft Modeling Rule) and a parsing rule (Microsoft Defender For Cloud Parsing Rule), as well as the following integrations:

    • Microsoft Defender for Cloud Event Collector: Use this integration to collect Microsoft Defender for Cloud issues specifically for Cortex Cloud. This integration includes commands to collect issues and to reset the authentication process.

    • Microsoft Defender for Cloud (also referred to as Azure Security Center v2): Use this integration to deliver enterprise endpoint security, including preventative protection, post-breach detection, automated investigation, and response for various device types. It includes commands to facilitate endpoint visibility and querying (for example, machine software/vulnerabilities), retrieving file statistics, running advanced hunting queries, performing remediation actions such as host isolation and file blocking/quarantine, and listing configuration permissions.

  • The Microsoft Defender for Cloud Apps content pack provides a multimode Cloud Access Security Broker (CASB) that offers rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all connected cloud services. The content items in this pack include various classifiers, issue types (Microsoft CAS Alert), a layout (MicrosoftCloudAppSecurity), a modeling rule (Microsoft Defender Cloud Apps Modeling Rule), and a parsing rule (Microsoft Cloud App Security Parsing Rule), as well as the following integrations:

    • Microsoft Defender for Cloud Apps Event Collector: Use this integration to collect the event logs for issues and activities provided by the Microsoft Defender for Cloud Apps API. This integration functions as a collector for event logs relating to issues and activities, supports configuration updates to fetch specific event types, and includes infrastructure support for Microsoft Graph Application endpoints.

    • Microsoft Defender for Cloud Apps: Use this integration to view and resolve issues, view activities, view files, and view user accounts. It also provides infrastructure support for Microsoft Graph Application endpoints.

  • The Microsoft Defender for Identity content pack integrates with Microsoft Defender for Identity, a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. The content item included in this pack is the Microsoft Defender for Identity modeling rule, with configurations for event collection using the Broker VM Syslog Collector.

  • The Microsoft Exchange Online content pack integrates with Exchange Online and Office 365 mail services to enable monitoring, searching, content retrieval, deletion of emails, and management of tenant allow/block lists. The content items in this pack include several playbooks focused on searching and deleting content, automations like GetEWSFolder and CreateCertificate, and the following integrations:

    • EWS O365: Use this integration to retrieve information on emails and activities in a target mailbox and perform operations such as deleting emails and attachments, moving email items, handling mail sending and replying including inline images, and retrieving out-of-office status information.

    • O365 - Security And Compliance - Content Search v2: Use this integration to manage security and compliance content search across organizational assets including emails, SharePoint sites, and OneDrives, and to perform actions like previewing and deleting emails. It includes the capability to delete an email for all recipients using the o365-sc-email-security-search-and-delete-email-office-365-quick-action command.

    • EWS Extension Online Powershell v3: Use this integration to retrieve information about mailboxes and users in your organization, and to retrieve and modify tenant allow/block lists. It includes commands that retrieve information about mailboxes and users, display client access settings, retrieve permissions, list recipient objects, and manage tenant allow/block list entries (add, remove, list, count). It also includes commands to enable or disable mail flow rules and mail forwarding, and to list message trace details.

  • The Microsoft Graph API content pack provides the capability to interact with Microsoft APIs that do not have dedicated integrations in Cortex Cloud, such as Mail Single-User. It includes the following integration:

    • Microsoft Graph API: Use this integration to interact with various Microsoft APIs, such as Mail Single-User, that currently lack dedicated integrations in Cortex Cloud. It includes commands for making specific API requests (msgraph-api-request, which supports custom headers), managing the authentication process by generating login URLs (msgraph-api-generate-login-url) to support the OAuth consent dialog, and resetting the authentication context if needed (msgraph-api-auth-reset).

  • The Microsoft Graph Files content pack enables authorized access for applications to files located in OneDrive, SharePoint, and MS Teams across your entire organization. It includes the following integration:

    • O365 File Management (OneDrive/SharePoint/Teams): Use this integration to give your app authorized access to, and perform management actions on, files within OneDrive, SharePoint, and MS Teams across your organization. It includes commands for managing site permissions (listing, creating, updating, and deleting), downloading files, listing drives and drive content, and managing OAuth authentication by generating login URLs or resetting authorization.

      This integration requires admin consent.

  • The Microsoft Graph Security content pack fetches and manages issues from various Microsoft security sources using the unified Microsoft Graph Security API. It includes the Graph Security Alert classifier and issue type, multiple associated issue fields, Microsoft Graph Security modeling rules, and Microsoft Graph Security parsing rules, as well as the following integration:

    • Microsoft Graph Security: Use this integration to fetch and manage issues from various Microsoft security products (such as Microsoft Defender products and Azure Security Center), correlate issues, update issue status and assignments, and automate security workflows. The integration includes commands that support managing issues (for example updating issue determination and classification), performing security investigation tasks like Advanced Hunting (msg-advanced-hunting) for up to 30 days of event data, managing security incidents (msg-list-security-incident, msg-update-security-incident), supporting threat assessment, and providing extensive commands for Microsoft Purview eDiscovery case management, custodians, searching, and purging data.