├── .gitignore ├── Functions ├── Add-MCASAdminAccess.ps1 ├── ConvertFrom-MCASTimestamp.ps1 ├── ConvertTo-MCASJsonFilterString.ps1 ├── Export-MCASBlockScript.ps1 ├── Export-MCASCredential.ps1 ├── Get-JavaExePath.ps1 ├── Get-JavaInstallationPackage.ps1 ├── Get-MCASAccount.ps1 ├── Get-MCASActivity.ps1 ├── Get-MCASActivityType.ps1 ├── Get-MCASAdminAccess.ps1 ├── Get-MCASAlert.ps1 ├── Get-MCASAppId.ps1 ├── Get-MCASAppInfo.ps1 ├── Get-MCASAppPermission.ps1 ├── Get-MCASConfiguration.ps1 ├── Get-MCASCredential.ps1 ├── Get-MCASDiscoveredApp.ps1 ├── Get-MCASDiscoveredAppTag.ps1 ├── Get-MCASDiscoveryDataSource.ps1 ├── Get-MCASDiscoverySampleLog.ps1 ├── Get-MCASFile.ps1 ├── Get-MCASGovernanceAction.ps1 ├── Get-MCASIPTag.ps1 ├── Get-MCASLogCollector.ps1 ├── Get-MCASPolicy.ps1 ├── Get-MCASPortalSettings.ps1 ├── Get-MCASReport.ps1 ├── Get-MCASReportContent.ps1 ├── Get-MCASSiemAgent.ps1 ├── Get-MCASSiemAgentJarFile.ps1 ├── Get-MCASStream.ps1 ├── Get-MCASSubnetCollection.ps1 ├── Get-MCASUserGroup.ps1 ├── Import-MCASCredential.ps1 ├── Import-MCASDynamicData.ps1 ├── Install-MCASSiemAgent.ps1 ├── Invoke-FilePickerDialog.ps1 ├── Invoke-MCASRestMethod.ps1 ├── New-MCASDiscoveryDataSource.ps1 ├── New-MCASGroupImport.ps1 ├── New-MCASSiemAgentToken.ps1 ├── New-MCASSubnetCollection.ps1 ├── Remove-MCASAdminAccess.ps1 ├── Remove-MCASDiscoveryDataSource.ps1 ├── Remove-MCASSubnetCollection.ps1 ├── Send-MCASDiscoveryLog.ps1 └── Set-MCASAlert.ps1 ├── LICENSE.txt ├── MCAS.psd1 ├── MCAS.psm1 ├── README.md ├── SECURITY.md └── docs ├── Add-MCASAdminAccess.md ├── ConvertFrom-MCASTimestamp.md ├── Dependencies.vsdx ├── Export-MCASBlockScript.md ├── Get-MCASAccount.md ├── Get-MCASActivity.md ├── Get-MCASActivityType.md ├── Get-MCASAdminAccess.md ├── Get-MCASAlert.md ├── Get-MCASAppId.md ├── Get-MCASAppInfo.md ├── Get-MCASAppPermission.md ├── Get-MCASConfiguration.md ├── Get-MCASCredential.md ├── Get-MCASDiscoveredApp.md ├── Get-MCASDiscoveryDataSource.md ├── Get-MCASDiscoverySampleLog.md ├── 
Get-MCASFile.md ├── Get-MCASGovernanceAction.md ├── Get-MCASIPTag.md ├── Get-MCASLogCollector.md ├── Get-MCASPolicy.md ├── Get-MCASPortalSettings.md ├── Get-MCASStream.md ├── Get-MCASSubnetCollection.md ├── Get-MCASUserGroup.md ├── New-MCASDiscoveryDataSource.md ├── New-MCASSubnetCollection.md ├── Remove-MCASAdminAccess.md ├── Remove-MCASDiscoveryDataSource.md ├── Remove-MCASSubnetCollection.md ├── Send-MCASDiscoveryLog.md ├── Set-MCASAlert.md └── Tasks.xlsx /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | docs/~$Tasks.xlsx 3 | -------------------------------------------------------------------------------- /Functions/Add-MCASAdminAccess.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Adds administrators to the MCAS portal. 4 | .DESCRIPTION 5 | Add-MCASAdminAccess grants existing user accounts the MCAS full admin or read-only admin role within MCAS. 6 | 7 | .EXAMPLE 8 | C:\>Add-MCASAdminAccess -Username 'alice@contoso.com' -PermissionType FULL_ACCESS 9 | 10 | .EXAMPLE 11 | C:\>Add-MCASAdminAccess 'bob@contoso.com' READ_ONLY 12 | WARNING: READ_ONLY acces includes the ability to manage MCAS alerts. 13 | 14 | .FUNCTIONALITY 15 | Add-MCASAdminAccess is intended to add administrators to an MCAS tenant. 16 | #> 17 | function Add-MCASAdminAccess { 18 | [CmdletBinding()] 19 | param 20 | ( 21 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 
22 | [Parameter(Mandatory=$false)] 23 | [ValidateNotNullOrEmpty()] 24 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 25 | 26 | [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,Position=0)] 27 | [ValidateNotNullOrEmpty()] 28 | [string]$Username, 29 | 30 | [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)] 31 | [ValidateNotNullOrEmpty()] 32 | [permission_type]$PermissionType 33 | ) 34 | begin { 35 | # Keep track if any read-only access is added 36 | $readOnlyAdded = $false 37 | 38 | Write-Verbose "Checking current admin list." 39 | $preExistingAdmins = Get-MCASAdminAccess -Credential $Credential 40 | 41 | #{"username":"adelev@jpdemo18.onmicrosoft.com","permissionType":3,"saasIds":[10489]}: 42 | #"permissionType":4,"groups":["5bd3716a3b4601b70a804675"]}: 43 | #{"username":"adelev@jpdemo18.onmicrosoft.com","permissionType":5,"allowed_anonymization":false}: 44 | } 45 | process { 46 | if ($preExistingAdmins.username -contains $Username) { 47 | Write-Warning "$Username is already listed as an administrator of Cloud App Security." 48 | } 49 | else { 50 | $body = [ordered]@{'username'=$Username;'permissionType'=($PermissionType -as [int])} 51 | 52 | try { 53 | $response = Invoke-MCASRestMethod -Credential $Credential -Path '/cas/api/v1/manage_admin_access/' -Method Post -Body $body 54 | } 55 | catch { 56 | throw "Error calling MCAS API. The exception was: $_" 57 | } 58 | 59 | if ($PermissionType -eq 'READ_ONLY') { 60 | $readOnlyAdded = $true 61 | } 62 | } 63 | } 64 | end { 65 | if ($readOnlyAdded) { 66 | Write-Warning "READ_ONLY acces includes the ability to manage MCAS alerts." 
67 | } 68 | } 69 | } -------------------------------------------------------------------------------- /Functions/ConvertFrom-MCASTimestamp.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Converts an MCAS timestamp (13-digit integer or 10-digit integer) to a native date/time value of type [datetime]. 4 | .DESCRIPTION 5 | ConvertFrom-MCASTimestamp returns a System.DateTime value representing the time (localized to the Powershell session's timezone) for a timestamp value from MCAS. 6 | 7 | .EXAMPLE 8 | PS C:\> ConvertFrom-MCASTimestamp 1520272590839 9 | Monday, March 5, 2018 12:56:30 PM 10 | 11 | .EXAMPLE 12 | PS C:\> Get-MCASActivity -ResultSetSize 5 | ForEach-Object {ConvertFrom-MCASTimestamp $_.timestamp} 13 | Monday, March 5, 2018 12:56:30 PM 14 | Monday, March 5, 2018 12:50:28 PM 15 | Monday, March 5, 2018 12:49:34 PM 16 | Monday, March 5, 2018 12:45:36 PM 17 | Monday, March 5, 2018 12:45:23 PM 18 | 19 | .FUNCTIONALITY 20 | ConvertFrom-MCASTimestamp is intended to return the Powershell datetime of a timestamp value from MCAS. 21 | #> 22 | function ConvertFrom-MCASTimestamp { 23 | [CmdletBinding()] 24 | [OutputType([datetime])] 25 | param ( 26 | [Parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)] 27 | $Timestamp 28 | ) 29 | process { 30 | Write-Verbose $Timestamp.ToString().length 31 | if ($Timestamp.ToString().length -eq 13) { 32 | (([datetime]'1/1/1970').AddSeconds($Timestamp/1000)).ToLocalTime() 33 | } 34 | elseif ($Timestamp.ToString().length -eq 10) { 35 | (([datetime]'1/1/1970').AddSeconds($Timestamp)).ToLocalTime() 36 | } 37 | else { 38 | throw 'Unexpected value provided for -Timestamp parameter. A 13-digit or 10-digit timestamp was expected.' 
39 | } 40 | } 41 | } -------------------------------------------------------------------------------- /Functions/ConvertTo-MCASJsonFilterString.ps1: -------------------------------------------------------------------------------- 1 | function ConvertTo-MCASJsonFilterString { 2 | [CmdletBinding()] 3 | param ([Parameter(Mandatory=$true, Position=0)]$FilterSet) 4 | 5 | $temp = @() 6 | 7 | ForEach ($filter in $FilterSet) { 8 | $temp += ((($filter | ConvertTo-Json -Depth 4 -Compress).TrimEnd('}')).TrimStart('{')) 9 | } 10 | $rawJsonFilter = ('{'+($temp -join '},')+'}}') 11 | Write-Verbose "JSON filter string is $rawJsonFilter" 12 | 13 | $rawJsonFilter 14 | } -------------------------------------------------------------------------------- /Functions/Export-MCASBlockScript.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Exports a proxy or firewall block script for the unsanctioned apps in your Cloud App Security tenant. 4 | .DESCRIPTION 5 | Exports a block script, in the specified firewall or proxy device type format, for the unsanctioned apps. 6 | 7 | Running Export-MCASBlockScript with -DeviceType set to a supported device type returns the text to be used in a block script for that device type (for example, a Websense block script). Methods available are only those available to custom objects by default. 8 | .EXAMPLE 9 | PS C:\> Export-MCASBlockScript -DeviceType WEBSENSE 10 | 11 | dest_host=lawyerstravel.com action=deny 12 | dest_host=wellsfargo.com action=deny 13 | dest_host=usbank.com action=deny 14 | dest_host=care2.com action=deny 15 | dest_host=careerbuilder.com action=deny 16 | dest_host=abcnews.go.com action=deny 17 | dest_host=accuweather.com action=deny 18 | dest_host=zoovy.com action=deny 19 | dest_host=cars.com action=deny 20 | 21 | This pulls back a string to be used as a block script in Websense format. 
22 | 23 | .EXAMPLE 24 | PS C:\> Export-MCASBlockScript -DeviceType BLUECOAT_PROXYSG 25 | 26 | url.domain=lawyerstravel.com deny 27 | url.domain=wellsfargo.com deny 28 | url.domain=usbank.com deny 29 | url.domain=care2.com deny 30 | url.domain=careerbuilder.com deny 31 | url.domain=abcnews.go.com deny 32 | url.domain=accuweather.com deny 33 | url.domain=zoovy.com deny 34 | url.domain=cars.com deny 35 | 36 | This pulls back a string to be used as a block script in BlueCoat format. 37 | 38 | .EXAMPLE 39 | PS C:\> Export-MCASBlockScript -DeviceType WEBSENSE | Set-Content MyWebsenseBlockScript.txt -Encoding UTF8 40 | 41 | This pulls back a Websense block script in text string format and creates a new UTF-8 encoded text file out of it. 42 | .FUNCTIONALITY 43 | Export-MCASBlockScript is intended to function as an export mechanism for obtaining block scripts from Cloud App Security. 44 | 45 | #> 46 | function Export-MCASBlockScript { 47 | [CmdletBinding()] 48 | param 49 | ( 50 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 51 | [Parameter(Mandatory=$false)] 52 | [ValidateNotNullOrEmpty()] 53 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 54 | 55 | # Specifies the device type to use for the format of the block script. 
Possible Values: BLUECOAT_PROXYSG,CISCO_ASA,FORTINET_FORTIGATE,PALO_ALTO,JUNIPER_SRX,WEBSENSE,ZSCALER 56 | [Parameter(Mandatory=$true,ValueFromPipeline=$false,Position=0)] 57 | [ValidateSet('BLUECOAT','CISCO_ASA','FORTIGATE','PALO_ALTO','JUNIPER_SRX','WEBSENSE_V7_5','ZSCALER')] 58 | [alias("Appliance")] 59 | [device_type]$DeviceType 60 | ) 61 | 62 | try { 63 | $response = Invoke-MCASRestMethod -Credential $Credential -Path ("/api/discovery_block_scripts/?format="+($DeviceType -as [int])) -Method Get 64 | } 65 | catch { 66 | throw $_ #Exception handling is in Invoke-MCASRestMethod, so here we just want to throw it back up the call stack, with no additional logic 67 | } 68 | 69 | $response 70 | } -------------------------------------------------------------------------------- /Functions/Export-MCASCredential.ps1: -------------------------------------------------------------------------------- 1 | function Export-MCASCredential { 2 | [CmdletBinding()] 3 | param 4 | ( 5 | # Specifies the app for which to retrieve the integer id value. 6 | [Parameter(Mandatory=$true, ValueFromPipeline=$false, Position=0)] 7 | [ValidateNotNullOrEmpty()] 8 | $Path, 9 | 10 | # Specifies the app for which to retrieve the integer id value. 
11 | [Parameter(Mandatory=$false, ValueFromPipeline=$true)] 12 | [ValidateNotNullOrEmpty()] 13 | [System.Management.Automation.PSCredential]$MCASCredential = $CASCredential 14 | ) 15 | process { 16 | $exportCred = New-Object -TypeName psobject -Property @{ 17 | UserName = ($MCASCredential.UserName) 18 | Password = ($MCASCredential.GetNetworkCredential().Password) 19 | } 20 | 21 | Write-Verbose "Export path is $Path" 22 | 23 | try { 24 | Export-Clixml -InputObject $exportCred -Path $Path 25 | } 26 | catch { 27 | throw "The following error occurred when trying to export the credential object: $_" 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /Functions/Get-JavaExePath.ps1: -------------------------------------------------------------------------------- 1 | function Get-JavaExePath 2 | { 3 | [CmdletBinding()] 4 | param() 5 | 6 | try { 7 | Write-Verbose 'Checking installed programs list for an existing Java installation on this host.' 8 | $javaProductGuid = (Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match '^Java (?:8|9) Update \d{1,3}.*$'} | Sort-Object -Property Name -Descending | Select-Object -First 1).IdentifyingNumber 9 | 10 | if ($javaProductGuid) { 11 | Write-Verbose "Java is installed. 
Getting the installation location from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$javaProductGuid" 12 | $javaInstallationPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$javaProductGuid" -Name 'InstallLocation').InstallLocation.TrimEnd('\') 13 | Write-Verbose "Java installation path detected is $javaInstallationPath" 14 | 15 | Write-Verbose "Checking $javaInstallationPath for \bin\java.exe" 16 | if (Test-Path "$javaInstallationPath\bin\java.exe") { 17 | Write-Verbose "Found $javaInstallationPath\bin\java.exe" 18 | "$javaInstallationPath\bin\java.exe" 19 | } 20 | else { 21 | Write-Verbose "Could not find /bin/java.exe in $javaInstallationPath" 22 | } 23 | } 24 | else { 25 | Write-Verbose "Java was not found in the installed programs list" 26 | } 27 | } 28 | catch { 29 | Write-Warning 'Something went wrong attempting to detect the Java installation or its installation path. The error was $_' 30 | } 31 | } -------------------------------------------------------------------------------- /Functions/Get-JavaInstallationPackage.ps1: -------------------------------------------------------------------------------- 1 | function Get-JavaInstallationPackage { 2 | [CmdletBinding()] 3 | param() 4 | 5 | try { 6 | Write-Verbose 'Getting download URL for the Java installation package.' 
7 | $javaDownloadUrl = ((Invoke-WebRequest -Uri 'https://www.java.com/en/download/manual.jsp' -UseBasicParsing).links | Where-Object {$_.title -eq 'Download Java software for Windows (64-bit)'} | Select-Object -Last 1).href 8 | Write-Verbose "Download URL for the Java installation package is $javaDownloadUrl" 9 | 10 | if (Test-Path "$pwd\JavaSetup.tmp") { 11 | Write-Verbose "Cleaning up the existing download file at $pwd\JavaSetup.tmp before downloading" 12 | Remove-Item "$pwd\JavaSetup.tmp" -Force 13 | } 14 | 15 | Write-Verbose "Downloading the Java installation package to $pwd\JavaSetup.tmp" 16 | $javaDownloadResult = Invoke-WebRequest -Uri $javaDownloadUrl -UseBasicParsing -OutFile "$pwd\JavaSetup.tmp" 17 | 18 | Write-Verbose "Getting the Java installation package original filename" 19 | $javaSetupFileName = (Get-Item "$pwd\JavaSetup.tmp").VersionInfo.OriginalFilename 20 | Write-Verbose "The Java installation package original filename is $javaSetupFileName" 21 | 22 | if (Test-Path "$pwd\$javaSetupFileName") { 23 | Write-Verbose "Deleting the existing file $javaSetupFileName before renaming the downloaded package" 24 | Remove-Item "$pwd\$javaSetupFileName" -Force 25 | } 26 | 27 | Rename-Item -Path "$pwd\JavaSetup.tmp" -NewName "$pwd\$javaSetupFileName" -Force 28 | } 29 | catch { 30 | throw "Something went wrong getting the Java installation package. The error was $_" 31 | } 32 | 33 | "$pwd\$javaSetupFileName" 34 | } -------------------------------------------------------------------------------- /Functions/Get-MCASActivityType.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Lists the activity types that MCAS is aware of for a given application. 4 | .DESCRIPTION 5 | Get-MCASActivityType lists the activity types that MCAS consumes for the specified app. MCAS activities can be filtered by these types allowing for granular policies to watch for very specific activity. 
6 | 7 | .EXAMPLE 8 | PS C:\> Get-MCASActivityType -AppId 20595 9 | 10 | category appId AppName 11 | -------- ----- ------- 12 | bind:Bind 20595 Microsoft Cloud App Security 13 | bind:Bind 20595 Microsoft Cloud App Security 14 | Consent:Grant 20595 Microsoft Cloud App Security 15 | Consent:Set 20595 Microsoft Cloud App Security 16 | ... 17 | ... 18 | 19 | 20 | .FUNCTIONALITY 21 | Get-MCASActivityType is intended to display the activity types that MCAS is aware of and can filter on. Activities that are unknown to MCAS will fall under the 'Unspecified' activity type. 22 | #> 23 | function Get-MCASActivityType { 24 | [CmdletBinding()] 25 | param 26 | ( 27 | # Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant. 28 | [Parameter(Mandatory=$false)] 29 | [ValidateNotNullOrEmpty()] 30 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 31 | 32 | # Limits the results to items related to the specified service IDs, such as 11161,11770 (for Office 365 and G Suite, respectively). 33 | [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)] 34 | [ValidateNotNullOrEmpty()] 35 | [ValidatePattern('^\d{5}$')] 36 | [Alias("Service","Services")] 37 | [int]$AppId 38 | ) 39 | process { 40 | 41 | # Get the matching alerts and handle errors 42 | try { 43 | $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/autocomplete/activity-types/?search=&service=eq(i%3A$AppId%2C)" -Method Get 44 | $response = $response.records.items | Select-Object category, appid, @{N='AppName';E={$_.Service_Name}} |Where-Object appId -eq $AppId | Sort-Object -Property category 45 | $response 46 | } 47 | catch { 48 | throw "Error calling MCAS API. 
The exception was: $_" 49 | } 50 | } 51 | } -------------------------------------------------------------------------------- /Functions/Get-MCASAdminAccess.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Lists the administrators that have been granted access to the MCAS portal via an MCAS role. (Does not include admins with Azure AD admin roles, like Global Admin.) 4 | .DESCRIPTION 5 | Get-MCASAdminAccess lists existing user accounts with MCAS admin rights and the permission type they have within MCAS. 6 | 7 | .EXAMPLE 8 | PS C:\> Get-MCASAdminAccess 9 | 10 | .EXAMPLE 11 | PS C:\> Get-MCASAdminAccess 12 | username permission_type 13 | -------- --------------- 14 | alice@contoso.com FULL_ACCESS 15 | bob@contoso.com READ_ONLY 16 | 17 | .FUNCTIONALITY 18 | Get-MCASAdminAccess is intended to list the administrators assigned in an MCAS tenant. 19 | #> 20 | function Get-MCASAdminAccess { 21 | [CmdletBinding()] 22 | Param 23 | ( 24 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 25 | [Parameter(Mandatory=$false)] 26 | [ValidateNotNullOrEmpty()] 27 | [System.Management.Automation.PSCredential]$Credential = $CASCredential 28 | ) 29 | try { 30 | $response = Invoke-MCASRestMethod -Credential $Credential -Path '/cas/api/v1/manage_admin_access/' -Method Get 31 | } 32 | catch { 33 | throw "Error calling MCAS API. The exception was: $_" 34 | } 35 | 36 | $response = $response.data 37 | 38 | $response 39 | } -------------------------------------------------------------------------------- /Functions/Get-MCASAppId.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Returns an application's id (integer) given its name. 
4 | .DESCRIPTION 5 | Get-MCASAppId gets the unique identifier integer value that represents an app in MCAS. 6 | 7 | .EXAMPLE 8 | PS C:\> Get-MCASAppId -AppName Microsoft_Cloud_App_Security 9 | 20595 10 | 11 | .FUNCTIONALITY 12 | Get-MCASAppId is intended to return the id of an app when the app name is provided as input. 13 | #> 14 | function Get-MCASAppId { 15 | [CmdletBinding()] 16 | param 17 | ( 18 | # Specifies the app for which to retrieve the integer id value. 19 | [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)] 20 | [ValidateNotNullOrEmpty()] 21 | [mcas_app]$AppName 22 | ) 23 | process 24 | { 25 | $AppName -as [int] 26 | } 27 | } -------------------------------------------------------------------------------- /Functions/Get-MCASAppInfo.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Gets all General, Security, and Compliance info for a provided app ID. 4 | 5 | .DESCRIPTION 6 | By passing in an App Id, the user can retrieve information about those apps straight from the SaaS DB. This information is returned in an object format that can be formatted for the user's needs. 7 | 8 | .EXAMPLE 9 | PS C:\> Get-MCASAppInfo -AppId @(11114,11161) | select name, category 10 | 11 | name category 12 | ---- -------- 13 | Salesforce SAASDB_CATEGORY_CRM 14 | 15 | .EXAMPLE 16 | PS C:\> Get-MCASAppInfo -AppId @(18394) | select name, @{N='Compliance';E={"{0:N0}" -f $_.revised_score.compliance}}, @{N='Security';E={"{0:N0}" -f $_.revised_score.security}}, @{N='Provider';E={"{0:N0}" -f $_.revised_score.provider}}, @{N='Total';E={"{0:N0}" -f $_.revised_score.total}} | ft 17 | 18 | name Compliance Security Provider Total 19 | ---- ---------- -------- -------- ----- 20 | Blue Coat 4 8 6 6 21 | 22 | This example creates a table with just the app name and high level scores. 23 | 24 | .FUNCTIONALITY 25 | Get-MCASAppInfo is designed to query the saasdb one service at a time, not in bulk fashion. 
26 | #> 27 | function Get-MCASAppInfo { 28 | [CmdletBinding()] 29 | param 30 | ( 31 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 32 | [Parameter(Mandatory = $false)] 33 | [ValidateNotNullOrEmpty()] 34 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 35 | 36 | # Limits the results to items related to the specified service IDs, such as 11161,11770 (for Office 365 and Google Apps, respectively). 37 | [Parameter(ParameterSetName = 'List', Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] 38 | [ValidateNotNullOrEmpty()] 39 | [ValidatePattern('^\d{5}$')] 40 | [Alias("Service", "Services")] 41 | [array]$AppId 42 | ) 43 | begin { 44 | $collection = @() 45 | } 46 | process { 47 | } 48 | end { 49 | # Simple filters 50 | if ($AppId.Count -gt 0) { 51 | 52 | $AppId | ForEach-Object { 53 | $curAppId = $_ 54 | Write-Warning "$curAppId" 55 | # Get the matching alerts and handle errors 56 | try { 57 | $response = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/saasdb/$curAppId/" -Method Get 58 | } 59 | catch { 60 | throw "Error calling MCAS API. The exception was: $_" 61 | } 62 | 63 | $collection += $response 64 | } 65 | } 66 | $collection 67 | } 68 | } -------------------------------------------------------------------------------- /Functions/Get-MCASAppPermission.ps1: -------------------------------------------------------------------------------- 1 | function Get-MCASAppPermission { 2 | [CmdletBinding()] 3 | Param 4 | ( 5 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 
6 | [Parameter(Mandatory=$false)] 7 | [ValidateNotNullOrEmpty()] 8 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 9 | 10 | # Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 11 | [Parameter(Mandatory=$false)] 12 | [ValidateRange(1,100)] 13 | [int]$ResultSetSize = 100, 14 | 15 | # Specifies the number of records, from the beginning of the result set, to skip. 16 | [Parameter(Mandatory=$false)] 17 | [ValidateScript({$_ -gt -1})] 18 | [int]$Skip = 0 19 | ) 20 | $body = @{'skip'=$Skip;'limit'=$ResultSetSize} # Request body 21 | 22 | try { 23 | $response = Invoke-MCASRestMethod -Credential $Credential -Path '/cas/api/v1/app_permissions/' -Method Post -Body $body 24 | } 25 | catch { 26 | throw "Error calling MCAS API. The exception was: $_" 27 | } 28 | 29 | $response = $response.data 30 | 31 | $response 32 | } -------------------------------------------------------------------------------- /Functions/Get-MCASConfiguration.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Retrieves MCAS configuration settings. 4 | .DESCRIPTION 5 | Get-MCASConfiguration lists the settings, of the specified type, of the MCAS tenant. 
6 | 7 | .EXAMPLE 8 | PS C:\> Get-MCASConfiguration 9 | 10 | environmentName : Contoso 11 | omsWorkspaces : 12 | quarantineSite : 13 | ssoNewSPEntityId : https://contoso.portal.cloudappsecurity.com/saml/consumer 14 | ssoSPEntityId : https://contoso.portal.cloudappsecurity.com/saml/consumer 15 | emailMaskPolicyOptions : @{FULL_CONTENT=CONSOLE_GENERAL_SETTINGS_EMAIL_MASK_POLICIES_NAME_FULL_CONTENT; 16 | MASKED_SUBJECT=CONSOLE_GENERAL_SETTINGS_EMAIL_MASK_POLICIES_NAME_MASKED_SUBJECT; 17 | ONLY_ID=CONSOLE_GENERAL_SETTINGS_EMAIL_MASK_POLICIES_NAME_ONLY_ID} 18 | ssoEntityId : 19 | ssoCertificate : 20 | ssoHasMetadata : True 21 | ssoEnabled : False 22 | allowAzIP : True 23 | ssoSignInPageUrl : 24 | canChangeAllowAzIP : True 25 | quarantineUserNotification : This file was quarantined because it might conflict with your organization's security and 26 | compliance policies. Contact your IT administrator for more information. 27 | ssoSignOutPageUrl : 28 | languageData : @{tenantLanguage=default; availableLanguages=System.Object[]} 29 | discoveryMasterTimeZone : Etc/GMT 30 | ssoOldSPEntityId : https://us.portal.cloudappsecurity.com/saml/consumer?tenant_id=26034820 31 | ssoByDomain : True 32 | ignoreExternalAzIP : False 33 | ssoLockdown : False 34 | ssoSPLogoutId : https://contoso.portal.cloudappsecurity.com/saml/logout 35 | ssoSignAssertion : False 36 | showAllowAzIP : True 37 | emailMaskPolicy : MASKED_SUBJECT 38 | orgDisplayName : Contoso 39 | domains : {contoso.onmicrosoft.com} 40 | showSuffixDisclaimer : True 41 | logoFilePath : 42 | 43 | .EXAMPLE 44 | PS C:\> Get-MCASConfiguration -Settings Mail 45 | 46 | fromDisplayName replyTo from htmlTemplate 47 | --------------- ------- ---- ------------ 48 | ContosoSecurity security@contoso.com 49 | 50 | .FUNCTIONALITY 51 | Get-MCASConfiguration is intended to return the configuration settings of an MCAS tenant. 
52 | #> 53 | function Get-MCASConfiguration { 54 | [CmdletBinding()] 55 | param ( 56 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 57 | [Parameter(Mandatory=$false)] 58 | [ValidateNotNullOrEmpty()] 59 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 60 | 61 | # Specifies which setting types to list. Possible Values: 'General'(default),'Mail','ScoreMetrics','SnapshotReports','ContinuousReports','AppTags','UserEnrichment','Anonymization','InfoProtection','ManagedDevices' 62 | [Parameter(Mandatory=$false,Position=0)] 63 | [ValidateSet('General','Mail','ScoreMetrics','SnapshotReports','ContinuousReports','AppTags','UserEnrichment','Anonymization','InfoProtection','ManagedDevices')] 64 | [string]$Settings = 'General' 65 | ) 66 | 67 | $returnResponseDataProperty = $false 68 | 69 | switch ($Settings) { 70 | 'General' {$path = '/cas/api/v1/settings/'} 71 | 'Mail' {$path = '/cas/api/v1/mail_settings/get/'; $responsePropertyNeeded = 'tenantEmail'} 72 | 'ScoreMetrics' {$path = '/cas/api/v1/discovery/weights/'; $responsePropertyNeeded = 'fields'} # Need to map ids to risk factors 73 | 'SnapshotReports' {$path = '/cas/api/v1/discovery/snapshot_reports/'; $responsePropertyNeeded = 'data'} 74 | 'ContinuousReports' {$path = '/cas/api/v1/discovery/continuous_reports/'; $responsePropertyNeeded = 'data'} 75 | 'AppTags' {$path = '/cas/api/v1/discovery/app_tags/'; $responsePropertyNeeded = 'data'} 76 | 'UserEnrichment' {$path = '/cas/api/v1/tenant_config/resolveDiscoveryUserWithAAD/'} 77 | 'Anonymization' {$path = '/cas/api/v1/discovery/get_encryption_settings/'; $responsePropertyNeeded = 'data'} 78 | 'InfoProtection' {$path = '/cas/api/v1/settings/'} 79 | 'ManagedDevices' {$path = '/cas/api/v1/managed_devices/get_data'; $responsePropertyNeeded = 'data'} 80 | } 81 | 82 | try { 83 | $response = Invoke-MCASRestMethod -Credential 
$Credential -Path $path -Method Get 84 | } 85 | catch { 86 | throw "Error calling MCAS API. The exception was: $_" 87 | } 88 | 89 | if ($responsePropertyNeeded) { 90 | $response.$responsePropertyNeeded 91 | } 92 | else { 93 | $response 94 | } 95 | } -------------------------------------------------------------------------------- /Functions/Get-MCASCredential.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Gets a credential to be used by other Cloud App Security module cmdlets. 4 | .DESCRIPTION 5 | Get-MCASCredential imports a set of credentials into your session (or, optionally, a variable) to be used by other Cloud App Security module cmdlets. 6 | 7 | When using Get-MCASCredential you will need to provide your Cloud App Security tenant URL as well as an OAuth Token that must be created manually in the console. 8 | 9 | Get-MCASCredential takes the tenant URL and OAuth token and stores them in a special global session variable called $CASCredential; the OAuth token is held as a SecureString (System.Security.SecureString) while in memory. 10 | 11 | All CAS Module cmdlets reference that special global variable to pass requests to your Cloud App Security tenant. 12 | 13 | See the examples section for ways to automate setting your CAS credentials for the session. 14 | 15 | .EXAMPLE 16 | PS C:\> Get-MCASCredential 17 | 18 | This prompts the user to enter both their tenant URL as well as their OAuth token. 19 | 20 | Username = Tenant URL without https:// (Example: contoso.portal.cloudappsecurity.com) 21 | Password = Tenant OAuth Token (Example: 432c1750f80d66a1cf2849afb6b10a7fcdf6738f5f554e32c9915fb006bd799a) 22 | 23 | PS C:\> $CASCredential 24 | 25 | To verify your credentials are set in the current session, run the above command. 
26 | 27 | UserName Password 28 | -------- -------- 29 | contoso.portal.cloudappsecurity.com System.Security.SecureString 30 | 31 | .EXAMPLE 32 | PS C:\> Get-MCASCredential -PassThru | Export-CliXml C:\Users\Alice\MyCASCred.credential -Force 33 | 34 | By specifying the -PassThru switch parameter, this will put the $CASCredential into the pipeline which can be exported to a .credential file that will store the tenant URL and an encrypted version of the token in a file. On Windows the SecureString is protected with the Data Protection API, so the file can only be decrypted by the same user account on the same machine that created it. 35 | 36 | We can use this newly created .credential file to automate setting our CAS credentials in the session by adding an import command to our profile. 37 | 38 | PS C:\> notepad $profile 39 | 40 | The above command will open our PowerShell profile, which is a set of commands that will run when we start a new session. By default it is empty. 41 | 42 | $CASCredential = Import-Clixml "C:\Users\Alice\MyCASCred.credential" 43 | 44 | By adding the above line to our profile and saving it, the next time we open a new PowerShell session, the credential file will automatically be imported into $CASCredential, which allows us to use other CAS cmdlets without running Get-MCASCredential at the start of the session. 45 | 46 | .FUNCTIONALITY 47 | Get-MCASCredential is intended to import the CAS tenant URL and OAuth Token into a global session variable to allow other CAS cmdlets to authenticate when passing requests. 48 | #> 49 | function Get-MCASCredential { 50 | [CmdletBinding()] 51 | [OutputType([System.Management.Automation.PSCredential])] 52 | param 53 | ( 54 | # Specifies the portal URL of your CAS tenant, for example 'contoso.portal.cloudappsecurity.com'. 55 | [Parameter(Mandatory=$false)] 56 | [ValidateNotNullOrEmpty()] 57 | [string]$TenantUri, 58 | 59 | # Specifies that the credential should be returned into the pipeline for further processing. 
60 | [Parameter(Mandatory=$false)] 61 | [switch]$PassThru 62 | ) 63 | process 64 | { 65 | # If tenant URI is specified, prompt for OAuth token and get it all into a global variable 66 | if ($TenantUri) { 67 | [System.Management.Automation.PSCredential]$Global:CASCredential = Get-Credential -UserName $TenantUri -Message "Enter the OAuth token for $TenantUri" 68 | } 69 | 70 | # Else, prompt for both the tenant and OAuth token and get it all into a global variable 71 | else { 72 | [System.Management.Automation.PSCredential]$Global:CASCredential = Get-Credential -Message "Enter the MCAS portal URL and OAuth token" 73 | } 74 | 75 | # Validate the tenant URI provided 76 | if (!($CASCredential.GetNetworkCredential().username -match '.portal\.cloudappsecurity\.(com|us|eu|gov|uk|edu|co\.uk)$')) { 77 | throw "Invalid tenant uri specified as the username of the credential. Format should be .[].portal.cloudappsecurity.com. For example, contoso.us.portal.cloudappsecurity.com or tailspintoys.eu.portal.cloudappsecurity.com." 78 | } 79 | 80 | # Validate the token string format (does not validate the token is valid for authN/authZ) 81 | if (!($CASCredential.GetNetworkCredential().Password -match $MCAS_TOKEN_VALIDATION_PATTERN)) { 82 | throw "Invalid oauth token specified as the password of the credential. It should be 64 hexadecimal characters." 83 | } 84 | 85 | # If -PassThru is specified, write the credential object to the pipeline (the global variable will also be exported to the calling session with Export-ModuleMember) 86 | if ($PassThru) { 87 | $CASCredential 88 | } 89 | } 90 | } -------------------------------------------------------------------------------- /Functions/Get-MCASDiscoveredAppTag.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Gets a list of tags based on application ID. 4 | .DESCRIPTION 5 | This function retrives a count of tags applied to a discovered app. 
6 | .EXAMPLE 7 | PS C:\> Get-MCASDiscoveredAppTag -appId $appId 8 | 9 | id count Identity 10 | -- ----- -------- 11 | Sanctioned 0 12 | Unsanctioned 1 13 | None 0 14 | 15 | Retrieves a count of the application tags applied the specified discovered app. 16 | 17 | .EXAMPLE 18 | PS C:\> Get-MCASDiscoveredApp -StreamId $streamid -Category SECURITY | select name,@{N='Total (MB)';E={"{0:N2}" -f ($_.trafficTotalBytes/1MB)}} 19 | 20 | id count Identity 21 | -- ----- -------- 22 | Sanctioned 2 23 | Unsanctioned 1 24 | None 0 25 | 26 | In this example, our $appId variable contains multiple comma seperated ID's. 27 | 28 | #> 29 | function Get-MCASDiscoveredAppTag { 30 | [CmdletBinding()] 31 | param ( 32 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 33 | [Parameter(Mandatory=$false)] 34 | [ValidateNotNullOrEmpty()] 35 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 36 | 37 | # Limits the results by app ID, for example '11114'. The app ID can be found in the URL bar of the console when looking at a Discovered App. 38 | [Parameter(ParameterSetName='List', Mandatory=$false, Position=0)] 39 | [ValidatePattern("[0-9][0-9][0-9][0-9][0-9]")] 40 | [ValidateNotNullOrEmpty()] 41 | [int[]]$appId 42 | ) 43 | 44 | # Construct a default body 45 | $body = @{skip = 0} 46 | 47 | # Construct a filter set from parameters 48 | $filterSet = @() 49 | 50 | if ($appId){ 51 | $filterSet += @{'appId' = @{} 52 | } 53 | $filterName = "appId" 54 | } 55 | 56 | if ($appId) { 57 | $filterSet.($filterName).add('eq', $appId ) 58 | } 59 | 60 | # Request 61 | try { 62 | $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/discovery/discovered_apps/tags/" -Method Post -filterSet $filterSet -Body $body 63 | } 64 | catch { 65 | throw "Error calling MCAS API. 
The exception was: $_" 66 | } 67 | 68 | $response = $response.data 69 | 70 | try { 71 | Write-Verbose "Adding alias property to results, if appropriate" 72 | $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value 'appId' -PassThru 73 | } 74 | catch {} 75 | 76 | $response 77 | } 78 | 79 | -------------------------------------------------------------------------------- /Functions/Get-MCASDiscoveryDataSource.ps1: -------------------------------------------------------------------------------- 1 | function Get-MCASDiscoveryDataSource { 2 | [CmdletBinding()] 3 | param 4 | ( 5 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 6 | [Parameter(Mandatory=$false)] 7 | [ValidateNotNullOrEmpty()] 8 | [System.Management.Automation.PSCredential]$Credential = $CASCredential 9 | ) 10 | 11 | try { 12 | $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/discovery/data_sources/?skip=0&limit=100&sortField=created&sortDirection=desc" -Method Get 13 | } 14 | catch { 15 | throw "Error calling MCAS API. The exception was: $_" 16 | } 17 | 18 | $response = $response.data 19 | 20 | try { 21 | Write-Verbose "Adding alias property to results, if appropriate" 22 | $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru 23 | } 24 | catch {} 25 | 26 | $response 27 | } -------------------------------------------------------------------------------- /Functions/Get-MCASDiscoverySampleLog.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Retrieves one or more sample discovery logs in a specified . 4 | .DESCRIPTION 5 | Get-MCASDiscoverySampleLog gets the sample log files that are available for the specified device type. 
6 | 7 | .EXAMPLE 8 | PS C:\> Get-MCASDiscoverySampleLog 9 | 10 | C:\>Get-MCASDiscoverySampleLog -DeviceType CHECKPOINT 11 | 12 | C:\Users\alice\check-point_demo_log\check-point-2_demo_log.log 13 | C:\Users\alice\check-point_demo_log\check-point_demo_log.log 14 | 15 | .FUNCTIONALITY 16 | Get-MCASDiscoverySampleLog is intended to download the sample log files that are available for the specified device type. It downloads these as compressed zip files, 17 | then extracts the text log files from the zip files to a newly created subdirectory of the current. It returns the full path to each sample log it extracts, unless 18 | the -Quiet switch is specified, in which case it returns nothing. 19 | 20 | #> 21 | function Get-MCASDiscoverySampleLog { 22 | [CmdletBinding()] 23 | param 24 | ( 25 | # Specifies which device type for which a sample log file should be downloaded 26 | [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)] 27 | [ValidateNotNullOrEmpty()] 28 | [device_type]$DeviceType, 29 | 30 | # Specifies to not output the file names 31 | [switch]$Quiet 32 | ) 33 | begin { 34 | Write-Verbose "Attempting to load assembly [system.io.compression.filesystem]" 35 | Add-Type -assembly "system.io.compression.filesystem" 36 | } 37 | process { 38 | 39 | # Select the sample log file to download based on the specified device type 40 | Write-Verbose "Device type specified was $DeviceType" 41 | switch ($DeviceType) { 42 | 'BARRACUDA' {$fileName = 'barracuda-web-app-firewall-w3c_demo_log.log'} 43 | 'BARRACUDA_NEXT_GEN_FW' {$fileName = 'barracuda-f-series-firewall_demo_log.log'} 44 | 'BARRACUDA_NEXT_GEN_FW_WEBLOG' {$fileName = 'barracuda-f-series-firewall-web-log-streaming_demo_log.log'} 45 | 'BLUECOAT' {$fileName = 'blue-coat-proxysg-access-log-w3c_demo_log.log'} 46 | 'CHECKPOINT' {$fileName = 'check-point_demo_log.log'} 47 | 'CHECKPOINT_SMART_VIEW_TRACKER' {$fileName = 'check-point-smartview-tracker_demo_log.log'} 48 | 'CHECKPOINT_XML' {$fileName = 
'check-point-xml_demo_log.log'} 49 | 'CISCO_ASA' {$fileName = 'cisco-asa-firewall_demo_log.log'} 50 | 'CISCO_ASA_FIREPOWER' {$fileName = 'cisco-asa-firepower_demo_log.log'} 51 | 'CISCO_FWSM' {$fileName = 'cisco-fwsm_demo_log.log'} 52 | 'CISCO_IRONPORT_PROXY' {$fileName = 'cisco-ironport-wsa_demo_log.log'} 53 | 'CISCO_SCAN_SAFE' {$fileName = 'cisco-scansafe_demo_log.log'} 54 | 'CLAVISTER' {$fileName = 'clavister-ngfw-syslog_demo_log.log'} 55 | 'FORCEPOINT' {$fileName = 'forcepoint-web-security-cloud_demo_log.log'} # NEW 56 | 'FORTIGATE' {$fileName = 'fortinet-fortigate_demo_log.log'} 57 | 'GENERIC_CEF' {$fileName = 'generic-cef-log_demo_log.log'} 58 | 'GENERIC_LEEF' {$fileName = 'generic-leef-log_demo_log.log'} 59 | 'GENERIC_W3C' {$fileName = 'generic-w3c-log_demo_log.log'} 60 | 'IBOSS' {$fileName = 'iboss-secure-cloud-gateway_demo_log.log'} # NEW 61 | 'I_FILTER' {$fileName = 'digital-arts-i-filter_demo_log.log'} 62 | 'JUNIPER_SRX' {$fileName = 'juniper-srx_demo_log.log'} 63 | 'JUNIPER_SRX_SD' {$fileName = 'juniper-srx-sd_demo_log.log'} 64 | 'JUNIPER_SRX_WELF' {$fileName = 'juniper-srx-welf_demo_log.log'} 65 | 'JUNIPER_SSG' {$fileName = 'juniper-ssg_demo_log.log'} 66 | 'MACHINE_ZONE_MERAKI' {$fileName = 'meraki-urls-log_demo_log.log'} 67 | 'MCAFEE_SWG' {$fileName = 'mcafee-web-gateway_demo_log.log'} 68 | 'MICROSOFT_ISA_W3C' {$fileName = 'microsoft-forefront-threat-management-gateway-w3c_demo_log.log'} 69 | 'PALO_ALTO' {$fileName = 'pa-series-firewall_demo_log.log'} 70 | #'PALO_ALTO_SYSLOG' {$fileName = ''} # No sample available 71 | 'SONICWALL_SYSLOG' {$fileName = 'sonicwall_demo_log.log'} 72 | 'SOPHOS_CYBEROAM' {$fileName = 'sophos-cyberoam-web-filter-and-firewall-log_demo_log.log'} 73 | 'SOPHOS_SG' {$fileName = 'sophos-sg_demo_log.log'} 74 | 'SOPHOS_XG' {$fileName = 'sophos-xg_demo_log.log'} # NEW 75 | 'SQUID' {$fileName = 'squid-common_demo_log.log'} 76 | 'SQUID_NATIVE' {$fileName = 'squid-native_demo_log.log'} 77 | 'WEBSENSE_SIEM_CEF' {$fileName = 
'web-security-solutions-internet-activity-log-cef_demo_log.log'} 78 | 'WEBSENSE_V7_5' {$fileName = 'web-security-solutions-investigative-detail-report-csv_demo_log.log'} 79 | 'ZSCALER' {$fileName = 'zscaler-default-csv_demo_log.log'} 80 | 'ZSCALER_QRADAR' {$fileName = 'zscaler-qradar-leef_demo_log.log'} 81 | 'ZSCALER_CEF' {$fileName = 'zscaler-cef_demo_log.log'} 82 | } 83 | 84 | $zipFile = "$fileName.zip" 85 | Write-Verbose "Zip file to download will is $zipFile" 86 | 87 | $targetFolder = '{0}\{1}' -f $PWD,($fileName.Substring(0,($fileName.length-4))) 88 | Write-Verbose "Target folder for extracted log files is $targetFolder" 89 | 90 | # Download the sample log zip file 91 | try { 92 | Write-Verbose "Attempting to download $zipFile" 93 | Invoke-WebRequest -Method Get -Uri "https://adaproddiscovery.blob.core.windows.net/logs/$zipFile" -OutFile $zipFile -UseBasicParsing 94 | } 95 | catch { 96 | throw "Could not retrieve $zipFile. Exception was $_" 97 | } 98 | 99 | # Cleanup the target folder, if it already exists 100 | if (Test-Path $targetFolder) { 101 | Write-Verbose "The target folder $targetFolder already exists, so it will now be deleted" 102 | try { 103 | Write-Verbose "Attempting to delete the target folder $targetFolder" 104 | Remove-Item $targetFolder -Recurse -Force 105 | } 106 | catch { 107 | throw "Could not delete $targetFolder. 
Exception was $_" 108 | } 109 | } 110 | 111 | # Extract the files from the zip file (some contain more than one log in them) 112 | try { 113 | Write-Verbose "Attempting to extract contents of $zipFile to $targetFolder" 114 | [io.compression.zipfile]::ExtractToDirectory("$PWD\$zipFile",$targetFolder) 115 | } 116 | catch { 117 | throw "Could not extract contents of $zipFile : $_" 118 | } 119 | 120 | # Clean up the zip files, since we have extracted the contents 121 | try { 122 | Write-Verbose "Attempting to delete $zipFile" 123 | Remove-Item $zipFile -Force 124 | } 125 | catch { 126 | Write-Warning "Could not delete $zipFile : $_" 127 | } 128 | 129 | # Output to the caller the full path of each sample log file, unless output was suppressed 130 | if (!$Quiet) { 131 | (Get-ChildItem $targetFolder).FullName 132 | } 133 | } 134 | end {} 135 | } -------------------------------------------------------------------------------- /Functions/Get-MCASIPTag.ps1: -------------------------------------------------------------------------------- 1 | function Get-MCASIPTag{ 2 | [CmdletBinding()] 3 | param 4 | ( 5 | # Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant. 6 | [Parameter(Mandatory=$false)] 7 | [ValidateNotNullOrEmpty()] 8 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 9 | 10 | # Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 11 | [Parameter(Mandatory=$false)] 12 | [ValidateRange(1,100)] 13 | [int]$ResultSetSize = 100, 14 | 15 | # Specifies the number of records, from the beginning of the result set, to skip. 
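[Parameter(Mandatory=$false)]
        [ValidateScript({$_ -ge 0})]
        [int]$Skip = 0
    )
    process {
        # NOTE(review): -ResultSetSize and -Skip are accepted but are NOT applied to this request; the
        # endpoint is called with a fixed query string and the caller gets whatever the service returns.
        # Do not rely on these parameters until they are actually passed through.

        # Get the enabled IP tags, sorted by name, and handle errors
        try {
            $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/tags/?enabledOnly=true&sort=name&sortDirectory=asc&target=ip" -Method Get # IP tag
        }
        catch {
            throw "Error calling MCAS API. The exception was: $_"
        }

        Write-Verbose "Getting just the response property named 'data'"
        $response = $response.data

        # Best effort: adding the alias fails harmlessly when there is nothing to decorate
        try {
            Write-Verbose "Adding alias property to results, if appropriate"
            $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
        }
        catch {
            Write-Verbose "Could not add the Identity alias: $_"
        }

        $response
    }
}
--------------------------------------------------------------------------------
/Functions/Get-MCASLogCollector.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Lists the discovery log collectors defined in the MCAS tenant.
.DESCRIPTION
    Get-MCASLogCollector gets the log collectors from the discovery log_collectors endpoint and returns
    the data portion of the response. Each result carries an Identity alias for its _id property.

.EXAMPLE
    PS C:\> Get-MCASLogCollector

    Lists the log collectors.
#>
function Get-MCASLogCollector {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential
    )

    try {
        $collectors = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/discovery/log_collectors/" -Method Get
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }

    $collectors = $collectors.data

    # Best effort: adding the alias fails harmlessly when there is nothing to decorate
    try {
        Write-Verbose "Adding alias property to results, if appropriate"
        $collectors = $collectors | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
    }
    catch {
        Write-Verbose "Could not add the Identity alias: $_"
    }

    $collectors
}
--------------------------------------------------------------------------------
/Functions/Get-MCASPolicy.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Gets MCAS policies: the full list (optionally filtered by type) or a single policy by ID.
.DESCRIPTION
    In list mode (no -Identity) Get-MCASPolicy posts to the policies endpoint with an optional type
    filter and returns the data portion of the response. In fetch mode (-Identity) it gets one policy
    per pipeline item; because the fetch URL is keyed by policy type, -PolicyType is required in that
    mode. Each result carries an Identity alias for its _id property.

.EXAMPLE
    PS C:\> Get-MCASPolicy -PolicyType FILE

    Lists the file policies.

.EXAMPLE
    PS C:\> Get-MCASPolicy -PolicyType FILE -Identity 5a9e053df82b1bb8af51c802

    Gets a single file policy by ID.
#>
function Get-MCASPolicy {
    [CmdletBinding()]
    param
    (
        # Fetches a policy by its unique identifier (24 hexadecimal characters). Requires -PolicyType.
        [Parameter(Mandatory=$false, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[A-Fa-f0-9]{24}$')]
        [Alias("_id")]
        [string]$Identity,

        # The policy type. Required when fetching a policy by ID; acts as a filter when listing.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [ValidateSet("INLINE", "AUDIT", "ANOMALY_DETECTION", "NEW_SERVICE", "ANOMALY_DISCOVERY", "FILE", "MALWARE", "SESSION", "ACCESS", "APP_PERMISSION", "APP_PERMISSION_ANOMALY")]
        [string]$PolicyType,

        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential
    )
    begin {
        $body = @{'skip' = 0; 'limit' = 100 } # Base request body

        # Filter set for list mode: restrict to the given policy type, if any
        $filterSet = @()
        if ($PolicyType) {
            $filterSet += @{'type' = @{'eq' = $PolicyType}}
        }
    }
    process
    {
        # Fetch mode runs once for each item from the pipeline
        if ($Identity)
        {
            # Without a type the path would collapse to /policies//<id>/, which is not a valid resource
            if (-not $PolicyType) {
                throw "-PolicyType is required when fetching a policy by -Identity."
            }

            try {
                $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/policies/$PolicyType/$Identity/" -Method Get
            }
            catch {
                throw $_ # Exception handling is in Invoke-MCASRestMethod; rethrow unchanged
            }

            # Best effort: adding the alias fails harmlessly when there is nothing to decorate
            try {
                Write-Verbose "Adding alias property to results, if appropriate"
                $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
            }
            catch {
                Write-Verbose "Could not add the Identity alias: $_"
            }

            $response
        }
    }
    end
    {
        # List mode runs once, after all pipeline input, and only when no -Identity was given
        if (!$Identity)
        {
            try {
                $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/policies/" -Body $body -Method Post -FilterSet $filterSet -Raw
            }
            catch {
                throw $_ # Exception handling is in Invoke-MCASRestMethod; rethrow unchanged
            }

            # -Raw returns the web response; the policy list is the 'data' member of its JSON body
            $response = ($response.Content | ConvertFrom-Json).data

            try {
                if ($null -ne $response) {
                    Write-Verbose "Adding alias property to results, if appropriate"
                    $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
                }
            }
            catch {
                Write-Verbose "Could not add the Identity alias: $_"
            }

            $response
        }
    }
}
--------------------------------------------------------------------------------
/Functions/Get-MCASReport.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Get-MCASReport retrieves a list of built-in reports from the Cloud App Security tenant.
.DESCRIPTION
    Retrieves the reports list from the built-in reports of an MCAS tenant. Each result carries an
    Identity alias for its _id property and a FriendlyName note property looked up from the module's
    $ReportsListReverse table by the report's non_entities_report value.
.EXAMPLE
    PS C:\> Get-MCASReport | select FriendlyName,report_category

    FriendlyName                            report_category
    ------------                            ---------------
    Privileged Users                        User Management
    Browser Use                             Security
    Outbound Sharing by Domain              Data Management
    Data Sharing Overview                   Data Management
    Salesforce Special Privileged Accounts  User Management
    Owners of Shared Files                  Data Management
    Inactive Accounts

    This example retrieves the reports list, showing the friendly name of the report and its category.

.EXAMPLE
    PS C:\> Get-MCASReport | Get-MCASReportContent

    This example retrieves the reports list and pipes it into Get-MCASReportContent to get the data for each one.
#>
function Get-MCASReport {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential
    )

    # Get the report list and handle errors
    try {
        $reports = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/reports/" -Method Get
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }

    $reports = $reports.data

    # Best effort decoration; on any failure the undecorated list is returned
    try {
        $reports = foreach ($report in $reports) {
            $report |
                Add-Member -MemberType AliasProperty -Name Identity -Value _id -PassThru |
                Add-Member -MemberType NoteProperty -Name FriendlyName -Value $ReportsListReverse.Get_Item($report.non_entities_report) -PassThru
        }
    }
    catch {
        Write-Verbose "Could not add the Identity/FriendlyName properties: $_"
    }

    $reports
}
--------------------------------------------------------------------------------
/Functions/Get-MCASReportContent.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
   Get-MCASReportContent retrieves built-in reports from Cloud App Security.
.DESCRIPTION
   Retrieves report data from the built-in reports.
.EXAMPLE
   PS C:\> Get-MCASReportContent -ReportName 'Browser Use' | select @{N='Browser';E={$_.unique_identifier}}, @{N='User Count';E={$_.record_data.users.count}} | sort -Property 'User Count' -Descending

    Browser                                  User Count
    -------                                  ----------
    chrome_53.0.2785.143                              4
    chrome_54.0.2840.71                               4
    unknown_                                          4
    microsoft bits_7.8                                3
    microsoft exchange_                               3
    microsoft exchange rpc_                           2
    edge_14.14393                                     2
    ie_11.0                                           2
    microsoft onenote_16.0.7369.5783                  1
    apache-httpclient_4.3.5                           1
    ie_9                                              1
    skype for business_16.0.7369.2038                 1
    mobile safari_10.0                                1
    microsoft web application companion_              1
    chrome_54.0.2840.87                               1
    microsoft excel_1.26.1007                         1
    microsoft skydrivesync_17.3.6517.0809             1

   This example retrives the Browser Use report, shows the browser name and user count columns, and sorts by user count descending.
#>
function Get-MCASReportContent {
    [CmdletBinding()]
    param
    (
        # Fetches a report by its unique name identifier.
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('Browser Use','Privileged Users','Salesforce Special Privileged Accounts','Data Sharing Overview','Outbound Sharing by Domain')]
        [Alias("FriendlyName")]
        [string]$ReportName,

        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.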
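[Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential
    )
    process
    {
        # Map the friendly report name to the API report identifier via the module-level $ReportsList table
        $target = $ReportsList.$ReportName
        if (-not $target) {
            # Without this guard the request path would collapse to /cas/api/reports//
            throw "No report identifier is known for report name '$ReportName'; the module's report list may be out of date."
        }

        # Get the matching items and handle errors
        try {
            Write-Verbose "Retrieving report $target"
            $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/reports/$target/" -Method Get
        }
        catch {
            throw "Error calling MCAS API. The exception was: $_"
        }

        $response.data
    }
}
--------------------------------------------------------------------------------
/Functions/Get-MCASSiemAgent.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Get-MCASSiemAgent retrieves the SIEM agents of the MCAS tenant.
.DESCRIPTION
    Get-MCASSiemAgent gets the SIEM agents from the /api/v1/agents/siem/ endpoint and returns the data
    portion of the response. Each result carries an Identity alias for its _id property.
.EXAMPLE
    PS C:\> Get-MCASSiemAgent

    Lists the SIEM agents.
#>
function Get-MCASSiemAgent {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential
    )

    try {
        $agents = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/agents/siem/" -Method Get
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }

    $agents = $agents.data

    # Best effort: adding the alias fails harmlessly when there is nothing to decorate
    try {
        Write-Verbose "Adding alias property to results, if appropriate"
        $agents = $agents | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
    }
    catch {
        Write-Verbose "Could not add the Identity alias: $_"
    }

    $agents
}
--------------------------------------------------------------------------------
/Functions/Get-MCASSiemAgentJarFile.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Downloads the MCAS SIEM Agent zip from the Microsoft Download Center and extracts the JAR file into the current directory.
.DESCRIPTION
    Get-MCASSiemAgentJarFile reads the manual-download link from the Download Center confirmation page,
    downloads the zip it points to into the current directory, extracts it there, deletes the zip and
    returns the full path of the JAR file. The JAR name is assumed to be the zip name without '.zip'.

    Security note: the download link is scraped from a web page at run time. The link must be an https
    URL on a microsoft.com host before it is fetched, and every archive entry is checked to stay inside
    the current directory before it is written, but the downloaded file is not verified against a
    published hash or signature; verify it out of band before deploying the agent.
#>
function Get-MCASSiemAgentJarFile
{
    [CmdletBinding()]
    param()

    Write-Verbose 'Attempting to download the MCAS SIEM Agent zip file from Microsoft Download Center...'
    try {
        $siemAgentDownloadUrl = ((Invoke-WebRequest -Uri 'https://www.microsoft.com/en-us/download/confirmation.aspx?id=54537' -UseBasicParsing).Links | Where-Object {$_.'data-bi-cN' -eq 'click here to download manually'} | Select-Object -First 1).href

        # The page markup is untrusted input: refuse anything but an absolute https link on a microsoft.com host
        # (Download Center files are served from a *.microsoft.com host; adjust here if that ever changes)
        $downloadUri = $null
        $isMicrosoftHost = $false
        if ([System.Uri]::TryCreate([string]$siemAgentDownloadUrl, [System.UriKind]::Absolute, [ref]$downloadUri)) {
            $isMicrosoftHost = ($downloadUri.Host -eq 'microsoft.com') -or $downloadUri.Host.EndsWith('.microsoft.com', [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($null -eq $downloadUri -or $downloadUri.Scheme -ne 'https' -or -not $isMicrosoftHost) {
            throw "The download link found on the Download Center page ('$siemAgentDownloadUrl') is missing, not https, or not on a microsoft.com host."
        }

        # File name is the last path segment of the link; it must be a zip for the JAR name derivation below to hold
        $siemAgentZipFileName = $downloadUri.AbsolutePath.Split('/') | Select-Object -Last 1
        if ($siemAgentZipFileName -notmatch '^[^\\/]+\.zip$') {
            throw "The download link does not point to a .zip file: '$siemAgentZipFileName'."
        }
        $siemAgentZipFilePath = Join-Path -Path $pwd -ChildPath $siemAgentZipFileName
        Invoke-WebRequest -Uri $downloadUri.AbsoluteUri -UseBasicParsing -OutFile $siemAgentZipFilePath

        Write-Verbose 'Attempting to extract the MCAS SIEM Agent jar file from the downloaded zip file.'
        Add-Type -AssemblyName System.IO.Compression.FileSystem

        # Extract entry by entry with a containment check so a crafted entry such as '..\x' cannot escape
        # the current directory (older .NET ExtractToDirectory implementations do not reject such entries)
        $extractRoot = [System.IO.Path]::GetFullPath("$pwd").TrimEnd('\', '/') + [string][System.IO.Path]::DirectorySeparatorChar
        $archive = [System.IO.Compression.ZipFile]::OpenRead($siemAgentZipFilePath)
        try {
            foreach ($entry in $archive.Entries) {
                $destination = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($extractRoot, $entry.FullName))
                if (-not $destination.StartsWith($extractRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                    throw "Archive entry '$($entry.FullName)' resolves outside the current directory and was refused."
                }
                if ([string]::IsNullOrEmpty($entry.Name)) {
                    # Directory entry
                    $null = New-Item -ItemType Directory -Path $destination -Force
                    continue
                }
                $null = New-Item -ItemType Directory -Path (Split-Path -Path $destination -Parent) -Force
                # No overwrite, matching ExtractToDirectory, which fails on an existing file
                [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destination, $false)
            }
        }
        finally {
            $archive.Dispose()
        }

        # Strip the extension with an anchored regex; TrimEnd('.zip') is a character-set trim and would
        # also eat a trailing 'p', 'i', 'z' or '.' from the JAR name
        $jarFile = $siemAgentZipFileName -replace '\.zip$', ''
        Write-Verbose "The extracted MCAS SIEM Agent JAR file is $pwd\$jarFile"
    }
    catch {
        throw "Something went wrong when attempting to download or extract the MCAS SIEM Agent zip file. The error was: $_"
    }

    Write-Verbose 'Attempting to cleanup the MCAS SIEM Agent zip file.'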
24 | try { 25 | Remove-Item "$pwd\$siemAgentZipFileName" -Force 26 | } 27 | catch { 28 | Write-Warning "Something went wrong when attempting to cleanup the MCAS SIEM Agent zip file. The error was: $_" 29 | } 30 | 31 | "$pwd\$jarFile" 32 | } -------------------------------------------------------------------------------- /Functions/Get-MCASStream.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Get-MCASStream retrieves a list of available discovery streams. 4 | .DESCRIPTION 5 | Discovery streams are used to separate or aggregate discovery data. Stream ID's are needed when pulling discovered app data. 6 | .EXAMPLE 7 | PS C:\> (Get-MCASStream | ?{$_.displayName -eq 'Global View'})._id 8 | 9 | 57869acdb4b3d5154f095af7 10 | 11 | This example retrives the global stream ID. 12 | #> 13 | function Get-MCASStream { 14 | [CmdletBinding()] 15 | param 16 | ( 17 | # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 18 | [Parameter(Mandatory=$false)] 19 | [ValidateNotNullOrEmpty()] 20 | [System.Management.Automation.PSCredential]$Credential = $CASCredential 21 | ) 22 | 23 | try { 24 | $response = Invoke-MCASRestMethod -Credential $Credential -Path "/api/discovery/streams/" -Method Get 25 | } 26 | catch { 27 | throw "Error calling MCAS API. 
The exception was: $_" 28 | } 29 | 30 | $response = $response.streams 31 | 32 | try { 33 | Write-Verbose "Adding alias property to results, if appropriate" 34 | $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru 35 | } 36 | catch {} 37 | 38 | $response 39 | } -------------------------------------------------------------------------------- /Functions/Get-MCASSubnetCollection.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Lists the subnet collections that are defined in MCAS for enrichment of IP address information. 4 | .DESCRIPTION 5 | Get-MCASSubnetCollection gets subnet collections defined in the MCAS tenant. 6 | 7 | .EXAMPLE 8 | PS C:\> Get-MCASSubnetCollection 9 | 10 | category : 1 11 | subnets : {@{originalString=10.0.0.0/8; mask=104; address=0000:0000:0000:0000:0000:ffff:0a00:0000}} 12 | name : Contoso Internal IPs 13 | tags : {} 14 | location : 15 | _tid : 26034820 16 | organization : 17 | _id : 5a9e053df82b1bb8af51c802 18 | Identity : 5a9e053df82b1bb8af51c802 19 | 20 | category : 1 21 | subnets : {@{originalString=1.1.1.1/32; mask=128; address=0000:0000:0000:0000:0000:ffff:0101:0101}, 22 | @{originalString=2.2.2.2/32; mask=128; address=0000:0000:0000:0000:0000:ffff:0202:0202}} 23 | name : Contoso Egress IPs 24 | tags : {} 25 | location : 26 | _tid : 26034820 27 | organization : 28 | _id : 5a9e04c7f82b1bb8af51c7fb 29 | Identity : 5a9e04c7f82b1bb8af51c7fb 30 | 31 | .FUNCTIONALITY 32 | Get-MCASSubnetCollection is intended to return the subnet collections that are defined in MCAS. 33 | #> 34 | function Get-MCASSubnetCollection { 35 | [CmdletBinding()] 36 | param 37 | ( 38 | # Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant. 
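[Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria.
        [Parameter(ParameterSetName='List', Mandatory=$false)]
        [ValidateRange(1,100)]
        [int]$ResultSetSize = 100,

        # Specifies the number of records, from the beginning of the result set, to skip.
        [Parameter(ParameterSetName='List', Mandatory=$false)]
        [ValidateScript({$_ -gt -1})]
        [int]$Skip = 0

    )
    $body = @{'skip'=$Skip;'limit'=$ResultSetSize} # Base request body

    try {
        $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/subnet/" -Method Post -Body $body
    }
    catch {
        throw $_ #Exception handling is in Invoke-MCASRestMethod, so here we just want to throw it back up the call stack, with no additional logic
    }

    $response = $response.data

    try {
        Write-Verbose "Adding alias property to results, if appropriate"
        $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
    }
    catch {}

    $response
}

# ---- /Functions/Get-MCASUserGroup.ps1 ----
<#
.Synopsis
   Retrieves groups that are available for use in MCAS filters and policies.
.DESCRIPTION
   Get-MCASUserGroup gets groups that are available for use in MCAS filters and policies.

.EXAMPLE
   Get-MCASUserGroup

    PS C:\> Get-MCASUserGroup

    status                     : 0
    lastUpdatedTimestamp       : 1506613547015
    name                       : Office 365 administrator
    nameTemplate               : @{parameters=; template=SAGE_ADMIN_USERS_TAGS_GENERATOR_QUERY_BASED_USER_TAG_NAME}
    description                : Company administrators, user account administrators, helpdesk administrators, service
                                 support administrators, and billing administrators
    descriptionTemplate        : @{template=SAGE_ADMIN_USERS_TAGS_GENERATOR_O365_DESCRIPTION}
    visibility                 : 0
    usersCount                 : 1
    source                     : @{addCondition=; removeCondition=; type=2; appId=11161}
    successfullyImportedBySage : True
    _tid                       : 26034820
    appId                      : 11161
    lastScannedBySage          : 1511881457181
    generatorType              : 0
    _id                        : 59cd1847321708f4acbe8c1f
    type                       : 2
    id                         : 59cd1847321708f4acbe8c1e
    target                     : 0

.FUNCTIONALITY
   Get-MCASUserGroup is intended to return the properties of the groups that are available for use in MCAS.
#>
function Get-MCASUserGroup {
    [CmdletBinding()]
    param (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria.
        [Parameter(Mandatory=$false)]
        [ValidateRange(1,100)]
        [int]$ResultSetSize = 100,

        # Specifies the number of records, from the beginning of the result set, to skip.
        [Parameter(Mandatory=$false)]
        [ValidateScript({$_ -ge 0})]
        [int]$Skip = 0
    )

    # The paging parameters are the whole request body; the endpoint is queried with POST
    $body = @{
        'skip'=$Skip
        'limit'=$ResultSetSize
    }

    # MAYBE ADD FILTERS IN FUTURE
    # "app":{"eq":[11161,20893,26055,15600,26324,20892,28375,11522]}

    try {
        $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/user_tags/" -Body $body -Method Post
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }

    # Only the 'data' array of the response envelope is returned to the caller
    $response = $response.data

    # Best effort: expose '_id' as 'Identity' so results can be piped to cmdlets that bind on an Identity/_id property.
    # The empty catch is deliberate - a failure here only loses the alias, not the data.
    try {
        Write-Verbose "Adding alias property to results, if appropriate"
        $response = $response | Add-Member -MemberType AliasProperty -Name Identity -Value '_id' -PassThru
    }
    catch {}

    $response
}

# ---- /Functions/Import-MCASCredential.ps1 ----
function Import-MCASCredential {
    [CmdletBinding()]
    param
    (
        # Specifies the path of the CliXml file from which the MCAS credential (tenant + OAuth token) is imported.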
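[Parameter(Mandatory=$true, ValueFromPipeline=$false, Position=0)]
        [ValidateNotNullOrEmpty()]
        $Path
    )
    process {
        Write-Verbose "Attempting to import MCAS credential from $Path"

        # -ErrorAction Stop turns a missing/unreadable file into a terminating error so the catch below reports it;
        # without it Import-Clixml's error is non-terminating, $importCred stays $null and the failure surfaces
        # later in ConvertTo-SecureString with a confusing message.
        try {
            $importCred = Import-Clixml -Path $Path -ErrorAction Stop
        }
        catch {
            throw "The following error occurred when trying to import the credential object: $_"
        }

        # The imported object carries the OAuth token as a plain-text 'Password' property, so the file on disk
        # must be protected like any other secret; it is re-wrapped as a SecureString only here.
        $MCASCredential = New-Object -TypeName System.Management.Automation.PSCredential(($importCred.UserName),(ConvertTo-SecureString -String ($importCred.Password) -AsPlainText -Force))

        $MCASCredential
    }
}

# ---- /Functions/Import-MCASDynamicData.ps1 ----
function Import-MCASDynamicData {
    [CmdletBinding()]
    param
    (
        # Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential
    )
    # Populates the global IPTagsList hashtable: tag name (spaces replaced by underscores) -> tag id
    $Global:IPTagsList = @{}
    # NOTE(review): Get-MCASTag is not among the module's function files and $Credential is not passed to it;
    # presumably Get-MCASIPTag -Credential $Credential is intended - confirm before changing.
    Get-MCASTag | ForEach-Object {
        # Hashtable.Add() throws on a duplicate key; the empty catch means such a tag is skipped silently
        try {
            $IPTagsList.Add(($_.Name.Replace(' ','_')),$_.id)
        }
        catch {}
    }
}

# ---- /Functions/Install-MCASSiemAgent.ps1 ----
<#
.Synopsis
   Install-MCASSiemAgent downloads and installs Java, downloads and unzips the MCAS SIEM Agent JAR file, and creates a scheduled task to auto-start the agent on startup. (This works on 64-bit Windows hosts only.)
.DESCRIPTION
   Auto-deploy the MCAS SIEM Agent.
.EXAMPLE
   Install-MCASSiemAgent -UseInteractiveJavaSetup -Token 'ZV9LS...dGBwb'

   This example will auto-deploy the MCAS SIEM Agent with the user experiencing an interactive Java installation process

.EXAMPLE
   Install-MCASSiemAgent -TargetFolder 'C:\MCAS' -Force -Token 'ZV9LS...dGBwb'

   This example will auto-deploy the MCAS SIEM Agent in the C:\MCAS folder with no user interaction.

#>
function Install-MCASSiemAgent {
    [CmdletBinding()]
    param
    (
        # Token to be used by this SIEM agent to communicate with MCAS (provided during SIEM Agent creation in the MCAS console)
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidateScript({$_ -match $MCAS_TOKEN_VALIDATION_PATTERN})]
        [string]$Token,

        # Proxy address to be used for this SIEM agent for outbound communication to the MCAS service in the cloud
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$ProxyHost,

        # Proxy port number to be used for this SIEM agent to egress to MCAS cloud service (only applies if -ProxyHost is also used, default = 8080)
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [ValidateRange(1,65535)]
        [int]$ProxyPort = 8080,

        # Target folder for installation of the SIEM Agent (default = "C:\MCAS-SIEM-Agent")
        [ValidateNotNullOrEmpty()]
        [string]$TargetFolder = 'C:\MCAS-SIEM-Agent',

        # Specifies whether to install Java interactively, if/when it is automatically installed. If this is not used, Java setup will be run silently
        [switch]$UseInteractiveJavaSetup,

        # Skips the confirmation prompt that otherwise precedes the automatic download and installation of Java, when Java is not found on the machine
        [switch]$Force,

        # Specifies whether to start the SIEM Agent after installation
        [switch]$StartNow
    )

    # Check system requirements
    Write-Verbose 'Checking for 64-bit Windows host'
    try {
        $sysInfo = Get-CimInstance Win32_OperatingSystem | Select-Object Caption,OSArchitecture
        $isWindows = $sysInfo.Caption -cmatch 'Windows'
        $is64Bit = $sysInfo.OSArchitecture -cmatch '64-bit'
    }
    catch {
        throw 'Error detecting host information. This command only works on 64-bit Windows hosts.'
    }
    if (-not ($isWindows -and $is64Bit)) {
        throw 'This does not appear to be a 64-bit Windows host. This command only works on 64-bit Windows hosts.'
    }
    Write-Verbose 'This host does appear to be running 64-bit Windows. Proceeding'


    # Check for the SIEM agent folder and .jar file
    Write-Verbose "Checking for an existing SIEM Agent JAR file in $TargetFolder"
    if (-not (Test-Path "$TargetFolder\mcas-siemagent-*-signed.jar")) {
        Write-Verbose "A JAR file for the MCAS SIEM Agent was not found in $TargetFolder"

        @($TargetFolder, "$TargetFolder\Logs") | ForEach-Object {
            # Capture the path first: inside the catch block below $_ is the error record, not the path
            $dir = $_
            Write-Verbose "Checking for $dir"
            if (-not (Test-Path $dir)) {
                Write-Verbose "$dir was not found, creating it"
                try {
                    New-Item -ItemType Directory -Path $dir -Force | Out-Null
                }
                catch {
                    throw "An error occurred creating $dir. The error was $_"
                }
            }
        }

        Write-Verbose "Downloading and extracting the latest MCAS SIEM Agent JAR file to $pwd"
        $jarFile = Get-MCASSiemAgentJarFile

        Write-Verbose "Moving the MCAS SIEM Agent JAR file to $TargetFolder"
        $jarFinalPath = (Move-Item -Path "$jarFile" -Destination $TargetFolder -Force -PassThru).FullName
        Write-Verbose "Final jar file path is $jarFinalPath"
    }
    else {
        # Reuse the JAR that is already in place. Without this branch $jarFinalPath stayed empty and the
        # scheduled task below was registered with an empty -jar argument.
        $jarFinalPath = (Get-Item "$TargetFolder\mcas-siemagent-*-signed.jar" | Select-Object -First 1).FullName
        Write-Verbose "Using the existing jar file at $jarFinalPath"
    }


    # Get the installation location of the latest Java engine that is installed, if there is one installed
    $javaExePath = Get-JavaExePath


    # If Java is not found, download and install it
    if (-not $javaExePath) {
        if (-not $Force) {
            # Prompt user for confirmation before proceeding with automatic Java download and installation.
            # Double quotes are required so that `n is an actual line break in the prompt (it was a literal backtick-n before).
            if ((Read-Host "CONFIRM: No Java installation was detected. Java will now be automatically downloaded and installed. Do you wish to continue?`n[Y] Yes or [N] No (default is `"No`")").ToLower() -ne 'y') {
                Write-Verbose "User chose not to proceed with automatic Java download and installation. Exiting"
                return
            }
            Write-Verbose "User chose to proceed with automatic Java download and installation. Continuing"
        }

        # Download Java
        # NOTE(review): no integrity check (signature/hash) of the downloaded package is visible in this function -
        # confirm that Get-JavaInstallationPackage performs one before the package is executed below.
        $javaSetupFileName = Get-JavaInstallationPackage

        # Install Java
        try {
            if ($UseInteractiveJavaSetup) {
                Write-Verbose "Starting interactive Java setup"
                Start-Process "$javaSetupFileName" -Wait
            }
            else {
                Write-Verbose "Starting silent Java setup"
                Start-Process "$javaSetupFileName" -ArgumentList '/s' -Wait
            }
        }
        catch {
            throw "Something went wrong attempting to run the Java setup package. The error was $_"
        }
        Write-Verbose "Java setup seems to have finished"

        Write-Verbose "Cleaning up the Java setup package"
        try {
            Remove-Item "$javaSetupFileName" -Force
        }
        catch {
            Write-Warning ('Failed to clean up the Java setup exe file ({0})' -f "$javaSetupFileName")
        }

        # Get the installation location of the newly installed Java engine
        $javaExePath = Get-JavaExePath
    }


    # Check again for Java, which should be there now
    Write-Verbose "Checking again for Java, which should be there now"
    if (-not $javaExePath) {
        throw "There seems to still be a problem with the Java installation, it could not be found"
    }

    # Assemble the Java arguments. Paths are quoted so a -TargetFolder containing spaces still works.
    if ($ProxyHost) {
        $javaArgs = '-jar "{0}" --logsDirectory "{1}" --token {2} --proxy {3}:{4}' -f $jarFinalPath,"$TargetFolder\Logs",$Token,$ProxyHost,$ProxyPort
    }
    else {
        $javaArgs = '-jar "{0}" --logsDirectory "{1}" --token {2}' -f $jarFinalPath,"$TargetFolder\Logs",$Token
    }
    # The token is a credential: keep it out of -Verbose output (and of any transcript that captures it)
    Write-Verbose ('Arguments to be used for Java will be {0}' -f ($javaArgs -replace '--token \S+', '--token <redacted>'))


    # Create a scheduled task to auto-run the MCAS SIEM Agent
    Write-Verbose 'Creating an MCAS SIEM Agent scheduled task that will automatically run as SYSTEM upon startup on this host'
    try {
        # Assemble the components of the scheduled task
        $taskName = 'MCAS SIEM Agent'
        $taskAction = New-ScheduledTaskAction -Execute $javaExePath -WorkingDirectory $TargetFolder -Argument $javaArgs
        $taskPrincipal = New-ScheduledTaskPrincipal -Id Author -LogonType S4U -ProcessTokenSidType Default -UserId SYSTEM
        $taskTrigger = New-ScheduledTaskTrigger -AtStartup
        $taskSettings = New-ScheduledTaskSettingsSet -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -AllowStartIfOnBatteries -ExecutionTimeLimit 0

        # Create the scheduled task in the root folder of the tasks library
        $task =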
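Register-ScheduledTask -TaskName $taskName -Action $taskAction -Principal $taskPrincipal -Description $taskName -Trigger $taskTrigger -Settings $taskSettings
    }
    catch {
        throw ('Something went wrong when creating the scheduled task named {0}' -f $taskName)
    }

    # Start the scheduled task
    if ($StartNow -and $task) {
        Write-Verbose 'Starting the MCAS SIEM Agent scheduled task'
        try {
            Start-ScheduledTask $taskName
        }
        catch {
            throw ('Something went wrong when starting the scheduled task named {0}' -f $taskName)
        }
    }
}

# ---- /Functions/Invoke-FilePickerDialog.ps1 ----
function Invoke-FilePickerDialog
{
    [CmdletBinding()]
    param
    (
        # Specifies the directory in which the picker will begin
        [string]$InitialDirectory = $PWD,

        # Specifies the file filter to be used
        [string]$Filter = 'All files|*.*',

        # Specifies the title for the dialog window
        [string]$Title
    )
    # Add-Type replaces the obsolete Assembly.LoadWithPartialName; both load System.Windows.Forms into the session
    Add-Type -AssemblyName System.Windows.Forms

    $filePicker = New-Object System.Windows.Forms.OpenFileDialog

    Write-Verbose "InitialDirectory for file picker is $InitialDirectory"
    Write-Verbose "Filter for file picker is $Filter"
    $filePicker.initialDirectory = $InitialDirectory
    $filePicker.filter = $Filter
    $filePicker.title = $Title
    # The dialog result is discarded; the caller only gets the selected file name (FileName is left empty when the dialog is cancelled)
    $filePicker.ShowDialog() | Out-Null

    $filePicker.filename
}

# ---- /Functions/Invoke-MCASRestMethod.ps1 ----
function Invoke-MCASRestMethod {
    [CmdletBinding()]
    param (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ValidateScript( {
                ($_.GetNetworkCredential().username).EndsWith('.portal.cloudappsecurity.com')
            })]
        [ValidateScript( {
                $_.GetNetworkCredential().Password -match ($MCAS_TOKEN_VALIDATION_PATTERN)
            })]
        [System.Management.Automation.PSCredential]$Credential,

        # Specifies the relative path of the full uri being invoked (e.g. - '/api/v1/alerts/')
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ValidateScript( {
                $_.StartsWith('/')
            })]
        [string]$Path,

        # Specifies the HTTP method to be used for the request
        [Parameter(Mandatory = $true)]
        [ValidateSet('Get', 'Post', 'Put', 'Delete')]
        [string]$Method,

        # Specifies the body of the request, not including MCAS query filters, which should be specified separately in the -FilterSet parameter
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        $Body,

        # Specifies the content type to be used for the request
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$ContentType = 'application/json',

        # Specifies the MCAS query filters to be used, which will be added to the body of the message
        [Parameter(Mandatory = $false)]
        [ValidateNotNull()]
        $FilterSet,

        # Specifies the retry interval, in seconds, if a call to the MCAS web API is throttled. Default = 5 (seconds)
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [int]$RetryInterval = 5,

        # Specifies that a single item is to be fetched, skipping any processing for lists, such as checking result count totals
        #[switch]$Fetch,

        # Specifies use Invoke-WebRequest instead of Invoke-RestMethod, enabling the caller to get the raw response from the MCAS API without any JSON conversion
        [switch]$Raw
    )
    # Ensure TLS 1.2 is used. Note that this replaces the whole protocol set rather than adding to it.
    if([Net.ServicePointManager]::SecurityProtocol -notmatch 'Tls12'){
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    }

    if ($Raw) {
        $cmd = 'Invoke-WebRequest'
        Write-Verbose "-Raw parameter was specified"
    }
    else {
        $cmd = 'Invoke-RestMethod'
        Write-Verbose "-Raw parameter was not specified"
    }
    Write-Verbose "$cmd will be used"

    $tenant = ($Credential.GetNetworkCredential().username)
    Write-Verbose "Tenant name is $tenant"

    Write-Verbose "Relative path is $Path"

    Write-Verbose "Method is $Method"

    # The token only ever goes into the Authorization header object; it is never written to verbose output
    # (the earlier verbose line masked just the first 9 characters of it).
    $token = $Credential.GetNetworkCredential().Password

    # The request is assembled as a parameter hashtable and splatted onto $cmd. The previous implementation composed
    # a command line containing the token, path and JSON body and ran it through Invoke-Expression, so a single quote
    # in a body value (or in -Path) was parsed as PowerShell rather than sent as data.
    $requestParams = @{
        Uri             = 'https://{0}{1}' -f $tenant, $Path
        Method          = $Method
        Headers         = @{ Authorization = 'Token {0}' -f $token }
        ContentType     = $ContentType
        UseBasicParsing = $true
    }

    Write-Verbose 'Request headers are @{Authorization = "Token <redacted>"}'

    if ($Method -eq 'Get') {
        Write-Verbose "A request using the Get HTTP method cannot have a message body."
    }
    else {
        $jsonBody = $Body | ConvertTo-Json -Compress -Depth 4
        Write-Verbose "Base request body is $jsonBody"

        if ($FilterSet) {
            Write-Verbose "Request body before query filters is $jsonBody"
            # The filter object is spliced into the JSON textually: drop the body's closing brace and the filter string's opening brace
            $jsonBody = $jsonBody.TrimEnd('}') + ',' + '"filters":{' + ((ConvertTo-MCASJsonFilterString $FilterSet).TrimStart('{')) + '}'
            Write-Verbose "Request body after query filters is $jsonBody"
        }
        else {
            Write-Verbose "No filters were added to the request body"
        }
        Write-Verbose "Final request body is $jsonBody"

        # Add -Body to the request, when the http method is not 'Get'
        $requestParams['Body'] = $jsonBody
    }

    Write-Verbose "Constructed call to MCAS is to follow:"
    Write-Verbose ('{0} -Uri ''{1}'' -Method {2} -ContentType {3} -UseBasicParsing' -f $cmd, $requestParams['Uri'], $Method, $ContentType)

    Write-Verbose "Retry interval if MCAS call is throttled is $RetryInterval seconds"

    # This loop is the actual call to MCAS. It includes automatic retry if the API call is throttled
    do {
        $retryCall = $false

        try {
            Write-Verbose "Attempting call to MCAS..."
            $response = & $cmd @requestParams
        }
        catch {
            # The error record is compared as text against the "(NNN) ..." form of the underlying web exception message.
            # Wildcards are needed here: '-like' without them is an exact comparison, so the old '504'/'502' checks never matched.
            if ($_ -like '*(429)*') {
                Write-Warning "429 - Too many requests. The MCAS API throttling limit has been hit, the call will be retried in $RetryInterval second(s)..."
                $retryCall = $true
                Write-Verbose "Sleeping for $RetryInterval seconds"
                Start-Sleep -Seconds $RetryInterval
            }
            elseif ($_ -match 'throttled') {
                Write-Warning "Too many requests. Usually the throttle time for this call is 1 minute. Next request will resume in 1 minute..."
                $retryCall = $true
                Write-Verbose "Sleeping for 60 seconds"
                Start-Sleep -Seconds 60
            }
            elseif ($_ -like '*(502)*' -or $_ -like '*(504)*') {
                Write-Warning "502 or 504 error encountered. The call will be retried in $RetryInterval second(s)..."
                $retryCall = $true
                Write-Verbose "Sleeping for $RetryInterval seconds"
                Start-Sleep -Seconds $RetryInterval
            }
            else {
                throw $_
            }
        }

        # Uncomment following two lines if you want to see raw responses in -Verbose output
        #Write-Verbose 'MCAS response to follow:'
        #Write-Verbose $response
    }
    while ($retryCall)

    # Provide the total record count in -Verbose output, if appropriate
    if (@('Get', 'Post') -contains $Method) {
        if ($response.total) {
            Write-Verbose 'Checking total matching record count via the response properties...'
            $recordTotal = $response.total
        }
        elseif ($response.Content) {
            # -Raw responses: 'total' has to be read out of the JSON text.
            # NOTE(review): the "Level" -> "Level_2" rename is presumably a workaround for a key that ConvertFrom-Json rejects - confirm.
            try {
                Write-Verbose 'Checking total matching record count via raw JSON response...'
                $recordTotal = (($response.content).Replace('"Level":','"Level_2":') | ConvertFrom-Json).total
            }
            catch {
                Write-Verbose 'JSON conversion failed. Checking total matching record count via raw response string extraction...'
                #below line was commented out as it breaks with the new activities_kusto endpoint.
                #$recordTotal = ($response.Content.Split(',', 3) | Where-Object {$_.StartsWith('"total"')} | Select-Object -First 1).Split(':')[1]
            }
        }
        else {
            Write-Verbose 'Could not check total matching record count, perhaps because zero or one records were returned. Zero will be returned as the matching record count.'
            $recordTotal = 0
        }

        Write-Verbose ('The total number of matching records was {0}' -f $recordTotal)
        #removing the below line because it is now breaking certain cmdlets such as Get-MCASFile when retriving a file by identity
        #Write-Information $recordTotal
    }
    $response
}

# ---- /Functions/New-MCASDiscoveryDataSource.ps1 ----
function New-MCASDiscoveryDataSource {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Specifies the name of the data source object to create
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(1,64)]
        [ValidatePattern('^[A-Za-z\d-_]+$')]
        [string]$Name,

        # Specifies the device (log format) type of the data source; it is sent to the API as the numeric 'logType'
        [Parameter(Mandatory=$true)]
        [device_type]$DeviceType,

        # Specifies the type of receiver to create.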
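# Possible values: FTP | FTPS | Syslog-UDP | Syslog-TCP | Syslog-TLS (see the ValidateSet below)
        [Parameter(Mandatory=$true)]
        [ValidateSet('FTP','FTPS','Syslog-UDP','Syslog-TCP','Syslog-TLS')]
        [string]$ReceiverType,

        # Specifies whether to replace the usernames with anonymized identifiers in MCAS (audited de-anonymization of these identifiers is possible)
        [switch]$AnonymizeUsers
    )

    # [ordered] keeps the key order stable in the JSON that is sent
    $body = [ordered]@{'anonymizeUsers'=$AnonymizeUsers;'displayName'=$Name;'logType'=($DeviceType -as [int]);}

    # Map the friendly receiver type onto the API's receiverType/receiverTypeFull (and, for syslog, protocol) fields
    switch ($ReceiverType) {
        'FTP' {
            $body.Add('receiverType','ftp')
            $body.Add('receiverTypeFull','ftp')
        }
        'FTPS' {
            $body.Add('receiverType','ftps')
            $body.Add('receiverTypeFull','ftps')
        }
        'Syslog-UDP' {
            $body.Add('protocol','udp')
            $body.Add('receiverType','syslog')
            $body.Add('receiverTypeFull','syslog-udp')
        }
        'Syslog-TCP' {
            $body.Add('protocol','tcp')
            $body.Add('receiverType','syslog')
            $body.Add('receiverTypeFull','syslog-tcp')
        }
        'Syslog-TLS' {
            $body.Add('protocol','tls')
            $body.Add('receiverType','syslog')
            $body.Add('receiverTypeFull','syslog-tls')
        }
    }

    try {
        $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/discovery/data_sources/" -Method Post -Body $body
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }
    # NOTE(review): $response is captured but never output, so the caller gets nothing back on success;
    # confirm whether the API response (e.g. the new data source's id) should be returned here.
}

# ---- /Functions/New-MCASGroupImport.ps1 ----
<#
.Synopsis
   New-MCASGroupImport is used to specify new Azure AD groups to import into Microsoft Cloud App Security.
.DESCRIPTION
   User groups cannot be used to filter your data in MCAS until the group has been imported. This cmdlet allows you to pass in an Azure AD group object ID (GUID) to be imported.
.EXAMPLE
   New-MCASGroupImport -GroupId '2fa66bee-8227-460a-8227-e72a70524d2d'

   This example passes in a single group ID to be imported. If successful, you will receive a unique identifier back as a response. If the group has already been imported, you will receive an error telling you the tag has already been imported.

.EXAMPLE
   $listOfGroups = ('a7052bee-8227-460a-8227-e72a70524d2d', 'e72a7bee-8227-460a-8227-e72a70524d2d', '24d2dbee-8227-460a-8227-e72a70524d2d')

   $listOfGroups | Foreach-Object {New-MCASGroupImport -GroupId $_}

   This example stores a list of group IDs in an array and then passes that list into the cmdlet through a foreach loop, importing all groups. This can be useful if you have a text file full of group IDs or if you plan to pull IDs programmatically from AAD via Graph API.
#>
function New-MCASGroupImport {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # The Azure AD Group ID (GUID) to be imported
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern({^[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$})]
        [string]$GroupId,

        # Set to $true if you wish to be notified after the group is imported. Default is $false
        [Parameter(Mandatory=$false, Position=1)]
        [ValidateNotNullOrEmpty()]
        [boolean]$ShouldNotify = $false
    )

    try {
        # appId 11161 is the Office 365 application; only Azure AD (O365) groups are imported by this cmdlet
        $body = @{
            groupId = $GroupId
            appId = 11161 #O365
            shouldNotify = $ShouldNotify
        }
        $response = Invoke-MCASRestMethod -Credential $Credential -body $body -Path "/cas/api/v1/user_tags/create_tag/" -Method Post
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }

    # The API response (the identifier of the created tag, per the examples above) is returned as-is
    $response
}

# ---- /Functions/New-MCASSiemAgentToken.ps1 ----
<#
.Synopsis
   Generates a token for an existing MCAS SIEM agent.
.DESCRIPTION
   New-MCASSiemAgentToken calls the SIEM agent's 'generate' endpoint and returns the 'token' value of the response.
   The token is a credential for the SIEM agent (Install-MCASSiemAgent takes it as -Token), so treat the output as a secret.
.EXAMPLE
   PS C:\> New-MCASSiemAgentToken -Identity '<siem_agent_id>'

   Returns the generated token for the SIEM agent with the given 24-character hexadecimal id (placeholder shown).
#>
function New-MCASSiemAgentToken {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # The unique identifier of the SIEM agent for which a token is generated.
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern({^[A-Fa-f0-9]{24}$})]
        [Alias("_id")]
        [string]$Identity
    )

    try {
        $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/agents/siem/$Identity/generate/" -Method Post
    }
    catch {
        throw "Error calling MCAS API. The exception was: $_"
    }

    # Only the token string is returned, not the whole response object
    $response = $response.token

    $response
}

# ---- /Functions/New-MCASSubnetCollection.ps1 ----
<#
.Synopsis
   Defines new subnet collections in MCAS for enrichment of IP address information.
.DESCRIPTION
   New-MCASSubnetCollection creates subnet collections in the MCAS tenant.

.EXAMPLE
   PS C:\> New-MCASSubnetCollection -Name 'Contoso Egress IPs' -Category Corporate -Subnets '1.1.1.1/32','2.2.2.2/32'
   5a9e04c7f82b1bb8af51c7fb

.EXAMPLE
   PS C:\> New-MCASSubnetCollection -Name 'Contoso Internal IPs' -Category Corporate -Subnets '10.0.0.0/8' -Quiet

.FUNCTIONALITY
   New-MCASSubnetCollection is intended to return the unique id of the subnet collections that it creates in the MCAS tenant.
#>
function New-MCASSubnetCollection {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.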
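[Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Specifies the display name of the subnet collection
        [Parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)]
        [ValidateNotNullOrEmpty()]
        [string]$Name,

        # Specifies the category of the collection; it is sent to the API as its numeric value
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=1)]
        [ValidateNotNullOrEmpty()]
        [ip_category]$Category,

        # Specifies one or more subnets in CIDR notation (IPv4 or IPv6); the pattern is applied to each element.
        # The IPv4 octet separators are escaped ('\.') - the previous unescaped '.' matched any character.
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=2)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}$|^[a-zA-Z0-9:]{3,39}\/\d{1,3}$')]
        [string[]]$Subnets,

        # Specifies an organization name to associate with the collection (optional)
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)]
        [ValidateNotNullOrEmpty()]
        [string]$Organization,

        # Specifies tags to associate with the collection (optional)
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=4)]
        [ValidateNotNullOrEmpty()]
        [string[]]$Tags,

        # Suppresses the output (the id of the created collection) on success
        [Parameter(Mandatory=$false)]
        [Switch]$Quiet
    )
    process {
        # [ordered] keeps the key order stable in the JSON that is sent
        $body = [ordered]@{'name'=$Name;'category'=($Category -as [int]);'subnets'=$Subnets}

        # Optional fields are only sent when supplied
        if ($Tags) {
            $body.Add('tags',$Tags)
        }

        if ($Organization) {
            $body.Add('organization',$Organization)
        }

        try {
            $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/subnet/create_rule/" -Method Post -Body $body
        }
        catch {
            throw "Error calling MCAS API. The exception was: $_"
        }

        if (!$Quiet) {
            $response
        }
    }
}

# ---- /Functions/Remove-MCASAdminAccess.ps1 ----
<#
.Synopsis
   Removes administrators from the MCAS portal.
.DESCRIPTION
   Remove-MCASAdminAccess removes explicit MCAS admin roles from users assigned them within MCAS.

.EXAMPLE
   PS C:\> Remove-MCASAdminAccess -Username 'alice@contoso.com'

.EXAMPLE
   PS C:\> Remove-MCASAdminAccess 'bob@contoso.com'

.FUNCTIONALITY
   Remove-MCASAdminAccess is intended to remove administrators from an MCAS tenant.
#>
function Remove-MCASAdminAccess {
    [CmdletBinding()]
    param
    (
        # Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Specifies the username of the administrator whose MCAS admin role is to be removed
        [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [ValidateNotNullOrEmpty()]
        [string]$Username
    )

    # A process block is required for pipeline input: without it only the last piped username was handled
    process {
        # Resolve the username to the objectId the API needs.
        # NOTE(review): Get-MCASAdminAccess is called without -Credential, so it uses its own default rather than
        # the credential passed to this function - confirm that is intended.
        $objectIdToRemove = (Get-MCASAdminAccess | Where-Object {$_.username -eq $Username}).objectId

        if ($objectIdToRemove.count -eq 0) {
            Write-Warning "$Username is not listed as an administrator of Cloud App Security."
        }
        else {
            try {
                $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/v1/manage_admin_access/$objectIdToRemove/" -Method Delete
            }
            catch {
                throw "Error calling MCAS API. The exception was: $_"
            }
        }
    }
}

# ---- /Functions/Remove-MCASDiscoveryDataSource.ps1 ----
function Remove-MCASDiscoveryDataSource {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.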
6 | [Parameter(Mandatory=$false)] 7 | [ValidateNotNullOrEmpty()] 8 | [System.Management.Automation.PSCredential]$Credential = $CASCredential, 9 | 10 | # Specifies the name of the data source object to create 11 | [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,Position=0)] 12 | [alias("_id")] 13 | [string]$Identity 14 | ) 15 | begin { 16 | Write-Verbose "Checking current data sources" 17 | $currentDataSources = Get-MCASDiscoveryDataSource -Credential $Credential 18 | } 19 | process { 20 | if ($currentDataSources.Identity.Contains($Identity)) { 21 | if (($currentDataSources | Where-Object {$_.Identity -eq $Identity}).receiverType -ne 'builtin') { 22 | try { 23 | $response = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/discovery/data_sources/$Identity/" -Method Delete 24 | } 25 | catch { 26 | throw "Error calling MCAS API. The exception was: $_" 27 | } 28 | } 29 | else { 30 | Write-Warning "The data source with id $Identity is built-in and cannot be removed. It will be skipped." 31 | } 32 | } 33 | else { 34 | Write-Warning "There is no data source with the id of $Identity. No changes were made." 35 | } 36 | } 37 | end { 38 | } 39 | } -------------------------------------------------------------------------------- /Functions/Remove-MCASSubnetCollection.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Removes a subnet collection in MCAS, as specified by its unique id 4 | .DESCRIPTION 5 | Remove-MCASSubnetCollection deletes subnet collections in the MCAS tenant. 6 | 7 | .EXAMPLE 8 | PS C:\> Remove-MCASSubnetCollection -Identity '5a9e04c7f82b1bb8af51c7fb' 9 | 10 | .EXAMPLE 11 | PS C:\> Get-MCASSubnetCollection | Remove-MCASSubnetCollection 12 | 13 | .FUNCTIONALITY 14 | Remove-MCASSubnetCollection is intended to remove the specified subnet collection from the MCAS tenant. 
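#>
function Remove-MCASSubnetCollection {
    # -WhatIf/-Confirm for a destructive call; default ConfirmImpact does not prompt, so scripted callers are unaffected.
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # The unique 24-character id of the subnet collection. The pattern is anchored: the original
        # "[a-z0-9]{24}" accepted any string that merely *contained* 24 such characters (e.g. one padded
        # with "/../"), and the value is interpolated straight into the request path.
        [Parameter(ParameterSetName='ById',Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern("^[a-z0-9]{24}$")]
        [alias("_id")]
        [string]$Identity,

        # The display name of the subnet collection to remove; resolved to an id via Get-MCASSubnetCollection.
        [Parameter(ParameterSetName='ByName',Mandatory=$true,ValueFromPipeline=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$Name,

        # Suppresses the success output.
        [Parameter(Mandatory=$false)]
        [Switch]$Quiet
    )

    process {
        $SubnetId = $null
        $NameOrIdTargeted = $null

        if ($PSCmdlet.ParameterSetName -eq 'ByName') {
            Write-Verbose "Parameter set 'ByName' detected"

            $found = @(Get-MCASSubnetCollection -Credential $Credential | Where-Object {$_.Name -eq $Name})

            # Previously an unmatched name left $SubnetId empty and the function still issued
            # DELETE /api/v1/subnet//; fail closed instead.
            if ($found.Count -eq 0) {
                throw "No subnet collection named '$Name' was found. No changes were made."
            }
            # Previously the *last* of several same-named collections was silently chosen.
            if ($found.Count -gt 1) {
                throw "More than one subnet collection is named '$Name'; use -Identity to remove one unambiguously."
            }
            $SubnetId = $found[0].Identity
            $NameOrIdTargeted = $Name
        }
        elseif ($PSCmdlet.ParameterSetName -eq 'ById') {
            Write-Verbose "Parameter set 'ById' detected"
            $SubnetId = $Identity
            $NameOrIdTargeted = $SubnetId
        }
        else {
            Write-Verbose "Parameter set not detected"
            # Was Write-Error followed by the DELETE anyway; a terminating error stops the request being sent.
            throw "Could not determine identity of subnet to be deleted"
        }

        if ($PSCmdlet.ShouldProcess($NameOrIdTargeted, 'Remove MCAS subnet collection')) {
            try {
                # Escape the id even though it is validated/returned by the API; it is a URL path segment.
                $escapedId = [uri]::EscapeDataString([string]$SubnetId)
                $response = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/subnet/$escapedId/" -Method Delete
            }
            catch {
                throw "Error calling MCAS API. The exception was: $_"
            }

            if (!$Quiet) {
                # NOTE(review): $Success is not defined in this function; presumably module-scoped - confirm.
                $Success
            }
        }
    }
}
--------------------------------------------------------------------------------
/Functions/Send-MCASDiscoveryLog.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Uploads a proxy/firewall log file to a Cloud App Security tenant for discovery.
.DESCRIPTION
    Send-MCASDiscoveryLog uploads an edge device log file to be analyzed for SaaS discovery by Cloud App Security.

    When using Send-MCASDiscoveryLog, you must provide a log file by name/path and a log file type, which represents the source firewall or proxy device type. Also required is the name of the discovery data source with which the uploaded log should be associated; this can be created in the console.

    Send-MCASDiscoveryLog does not return any value

.EXAMPLE
    PS C:\> Send-MCASDiscoveryLog -LogFile C:\Users\Alice\MyFirewallLog.log -LogType CISCO_IRONPORT_PROXY -DiscoveryDataSource 'My CAS Discovery Data Source'

    This uploads the MyFirewallLog.log file to CAS for discovery, indicating that it is of the CISCO_IRONPORT_PROXY log format, and associates it with the data source name called 'My CAS Discovery Data Source'

.FUNCTIONALITY
    Uploads a proxy/firewall log file to a Cloud App Security tenant for discovery.
#>
function Send-MCASDiscoveryLog {
    [CmdletBinding()]
    param
    (
        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # The full path of the Log File to be uploaded, such as 'C:\mylogfile.log'.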
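[Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        # -PathType Leaf rejects directories, which previously passed Test-Path and only failed later.
        [ValidateScript({Test-Path $_ -PathType Leaf})]
        [ValidateScript({(Get-Item $_).Length -le 5GB})]
        [alias("FullName")]
        [string]$LogFile,

        # Specifies the source device type of the log file.
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=1)]
        [ValidateNotNullOrEmpty()]
        [device_type]$LogType,

        # Specifies the discovery data source name as reflected in your CAS console, such as 'US West Microsoft ASA'.
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=2)]
        [ValidateNotNullOrEmpty()]
        [string]$DiscoveryDataSource,

        # Specifies that the uploaded log file should be made into a snapshot report, in which case the value provided for -DiscoveryDataSource will become the snapshot report name.
        [switch]$UploadAsSnapshot,

        # Specifies that the uploaded log file should be deleted after the upload operation completes.
        [alias("dts")]
        [switch]$Delete
    )
    begin {}
    process
    {
        Write-Verbose "Checking for the file $LogFile"
        try {
            # -ErrorAction Stop turns Get-Item's non-terminating error into one the catch below actually sees.
            $logItem = Get-Item $LogFile -ErrorAction Stop
            $fileName = $logItem.Name
            $fileSize = $logItem.Length
        }
        catch {
            throw "Could not get $LogFile : $_"
        }

        # Both values become query-string parameters. Escape them so a file name containing '&', '#',
        # '%' or spaces cannot truncate the request or smuggle in extra parameters.
        $escapedFileName = [uri]::EscapeDataString($fileName)
        $escapedLogType  = [uri]::EscapeDataString([string]$LogType)

        Write-Verbose "Requesting a target URL to which $LogFile can be uploaded"
        try {
            $getUploadUrlResponse = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/discovery/upload_url/?filename=$escapedFileName&source=$escapedLogType" -Method Get
            $uploadUrl = $getUploadUrlResponse.url
        }
        catch {
            throw "Something went wrong trying to get the target URL for $LogFile. The exception was: $_"
        }

        # The returned upload URL typically carries its own access token in the query string (e.g. a storage
        # SAS). Insist on TLS before sending log data to it, and keep the query string out of verbose output,
        # which frequently ends up in transcripts and CI logs.
        $parsedUploadUrl = $null
        if (-not [uri]::TryCreate([string]$uploadUrl, [System.UriKind]::Absolute, [ref]$parsedUploadUrl)) {
            throw "The MCAS API returned an upload URL for $LogFile that could not be parsed."
        }
        if ($parsedUploadUrl.Scheme -ne 'https') {
            throw "Refusing to upload $LogFile because the upload URL uses '$($parsedUploadUrl.Scheme)' rather than https."
        }
        $redactedUploadUrl = $parsedUploadUrl.GetLeftPart([System.UriPartial]::Path)
        Write-Verbose "The target URL to which $LogFile will be uploaded is $redactedUploadUrl (query string redacted)"

        Write-Verbose "Setting the transfer mode based on log file size"
        $fileUploadHeader = $null
        if ($getUploadUrlResponse.provider -eq 'azure') {
            if ($fileSize -le 64mb) {
                $fileUploadHeader = @{'x-ms-blob-type'='BlockBlob'}
                Write-Verbose "The file is 64MB or smaller, so the following header and value will be used: x-ms-blob-type: BlockBlob"
            }
            else {
                $fileUploadHeader = @{'Transfer-Encoding'='chunked'}
                Write-Verbose "The file is larger than 64MB, so the following header and value will be used: Transfer-Encoding: chunked"
            }
        }

        Write-Verbose "The file $LogFile will now be uploaded to $redactedUploadUrl"
        try
        {
            $fileUploadResponse = Invoke-RestMethod -Uri $uploadUrl -InFile $LogFile -Headers $fileUploadHeader -Method Put -UseBasicParsing
        }
        catch {
            throw "File upload failed. The exception was: $_"
        }
        Write-Verbose "The upload of file $LogFile seems to have succeeded"

        # The finalize call hands the upload URL back to MCAS so it can associate the blob with the data source.
        $body = @{'uploadUrl'=$uploadUrl;'inputStreamName'=$DiscoveryDataSource}
        if ($UploadAsSnapshot) {
            Write-Verbose 'The parameter -UploadAsSnapshot was specified, so the message body will include the "uploadAsSnapshot" parameter'
            $body['uploadAsSnapshot'] = $true
        }
        else {
            Write-Verbose 'The parameter -UploadAsSnapshot was not specified, so the message body will not include the "uploadAsSnapshot" parameter'
        }

        Write-Verbose "The upload of $LogFile will now be finalized"
        try {
            $finalizeUploadResponse = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/discovery/done_upload/" -Body $body -Method Post
        }
        catch {
            throw "Something went wrong trying to finalize the upload of $LogFile. The exception was: $_"
        }
        Write-Verbose "The finalizing of the upload of $LogFile seems to have succeeded"

        if ($Delete) {
            Write-Verbose "The -Delete parameter was specified, so $LogFile will now be deleted"
            try {
                # -ErrorAction Stop so a failed delete reaches the catch instead of being reported as a success.
                Remove-Item $LogFile -Force -ErrorAction Stop
                Write-Verbose "The deletion of $LogFile seems to have succeeded"
            }
            catch {
                Write-Warning "The file $LogFile could not be deleted. The exception was: $_"
            }
        }
    }
    end {}
}
--------------------------------------------------------------------------------
/Functions/Set-MCASAlert.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
    Sets the status of alerts in Cloud App Security.

.DESCRIPTION
    Sets the status of alerts in Cloud App Security and requires a credential be provided.

    Single-alert operations (require -Identity):

    MarkAs: Used for marking an alert as 'Read' or 'Unread'.
    Dismiss: Used for marking an alert as 'Dismissed'.

    Bulk operations (take an array of alert ids, sent to the API in chunks of 100):

    BulkDismiss: Dismisses every alert in the list.
    BulkReopen: Reopens every alert in the list.

    For the single-alert operations an alert identity is always required to be specified either explicitly or implicitly from the pipeline.

.EXAMPLE
    PS C:\> Set-MCASAlert -Identity cac1d0ec5734e596e6d785cc -MarkAs Read

    This marks a single specified alert as 'Read'.

.EXAMPLE
    PS C:\> Set-MCASAlert -Identity cac1d0ec5734e596e6d785cc -Dismiss

    This will set the status of the specified alert as "Dismissed".

.EXAMPLE
    PS C:\> $IdList = Get-MCASAlert -resultsetsize 10 | Select -expand Identity
    Set-MCASAlert -BulkDismiss $IdList

    This will perform a bulk dismiss on an array of 10 ID's.

.FUNCTIONALITY
    Set-MCASAlert is intended to function as a mechanism for setting the status of alerts Cloud App Security.
#>
function Set-MCASAlert {
    [CmdletBinding()]
    param
    (
        # Fetches an alert object by its unique identifier.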
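[Parameter(ParameterSetName='Fetch', Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        # Plain string pattern. The original wrapped it in {} (a scriptblock literal), which only worked
        # because ScriptBlock.ToString() happens to return the inner text. Anchored, so the id cannot carry
        # extra path characters into the request URL below.
        [ValidatePattern('^[A-Fa-f0-9]{24}$')]
        [Alias("_id")]
        [string]$Identity,

        # Specifies the credential object containing tenant as username (e.g. 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Specifies how to mark the alert. Possible Values: 'Read', 'Unread'.
        [Parameter(Mandatory=$false)]
        [ValidateSet('Read','Unread')]
        [string]$MarkAs,

        # Specifies that the alert should be dismissed.
        [Parameter(Mandatory=$false)]
        [switch]$Dismiss,

        # Bulk dismiss an array of ID's. This parameter expects a single list of Id's in array format. Note, this API call only accepts 100 ID's at a time, so if you pass in more than 100 this cmdlet will break them into chunks for each call automatically.
        [Parameter(ParameterSetName='BulkDismiss', Mandatory=$false, ValueFromPipeline=$true)]
        [array]$BulkDismiss,

        # Bulk reopen an array of ID's. This parameter expects a single list of Id's in array format. Note, this API call only accepts 100 ID's at a time, so if you pass in more than 100 this cmdlet will break them into chunks for each call automatically.
        [Parameter(ParameterSetName='BulkReopen', Mandatory=$false, ValueFromPipeline=$true)]
        [array]$BulkReopen,

        # Comment - Relevant for the bulk parameters, but not ready to add this yet to release.
        #[Parameter(Mandatory=$false, ValueFromPipeline=$false)]
        #[string]$Comment = "Bulk Dismiss",

        # Suppresses the success output.
        [Parameter(Mandatory=$false)]
        [Switch]$Quiet
    )
    begin{
        # Shared implementation for the two bulk endpoints: POSTs the ids as a filter body in chunks of
        # 100 (the API's per-call limit). The ids travel in the JSON body, not the URL, so no escaping is needed.
        function Invoke-BulkAlertAction {
            param ([string]$Path, [array]$Ids)

            $ids = @($Ids | Where-Object { $null -ne $_ -and "$_" -ne '' })
            if ($ids.Count -eq 0) {
                # Guard: the original do/until loop ran once even for an empty list and POSTed a filter
                # with an empty 'eq' list, whose effect is left to the server.
                Write-Warning "No alert ids were supplied for $Path. No changes were made."
                return
            }
            for ($offset = 0; $offset -lt $ids.Count; $offset += 100) {
                $chunk = @($ids | Select-Object -Skip $offset -First 100)
                $body = @{
                    #comment = $comment
                    filters = @{
                        id = @{
                            eq = $chunk
                        }
                    }
                }
                $null = Invoke-MCASRestMethod -Credential $Credential -Path $Path -Body $body -Method Post
            }
        }
    }
    process
    {

        if (!($MarkAs -or $Dismiss -or $BulkDismiss -or $BulkReopen)) {
            throw "You must specify at least one of the following: -MarkAs, -Dismiss, -BulkDismiss, or -BulkReopen."
        }

        # The single-alert actions need an id; without one the path would collapse to '/api/v1/alerts//<action>/'
        # (e.g. when -Dismiss is combined with one of the bulk parameter sets, where -Identity is not available).
        if (($Dismiss -or $MarkAs) -and [string]::IsNullOrEmpty($Identity)) {
            throw "-Identity is required when using -Dismiss or -MarkAs."
        }

        if ($Dismiss) {
            $Action = 'dismiss'
            try {
                # Set the alert's state by its id
                $response = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/alerts/$Identity/$Action/" -Method Post
            }
            catch {
                throw "Error calling MCAS API. The exception was: $_"
            }
        }

        if ($PSCmdlet.ParameterSetName -eq 'BulkDismiss') {
            Invoke-BulkAlertAction -Path "/api/v1/alerts/dismiss_bulk/" -Ids $BulkDismiss
        }

        if ($PSCmdlet.ParameterSetName -eq 'BulkReopen') {
            Invoke-BulkAlertAction -Path "/api/v1/alerts/reopen/" -Ids $BulkReopen
        }

        if ($MarkAs) {
            $Action = $MarkAs.ToLower() # Convert -MarkAs to lower case, as expected by the CAS API
            try {
                # Set the alert's state by its id
                $response = Invoke-MCASRestMethod -Credential $Credential -Path "/api/v1/alerts/$Identity/$Action/" -Method Post
            }
            catch {
                throw "Error calling MCAS API. The exception was: $_"
            }
        }

        if (!$Quiet) {
            # NOTE(review): $Success is not defined in this function; presumably module-scoped - confirm.
            $Success
        }
    }
}
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
MICROSOFT SOFTWARE LICENSE TERMS

MICROSOFT CLOUD APP SECURITY POWERSHELL MODULE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any.

BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE.

----------------START OF LICENSE--------------------------------

The MIT License (MIT)
Copyright (c) Microsoft Corporation

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.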
17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 19 | 20 | -------------END OF LICENSE---------------------------------------- 21 | 22 | -------------------------------------------------------------------------------- /MCAS.psd1: -------------------------------------------------------------------------------- 1 | # 2 | # Module manifest for module 'MCAS' 3 | # 4 | # Generated by: Microsoft (Jared Poeppelman, Mike Kassis) 5 | # 6 | # Generated on: 11/30/2017 7 | # 8 | 9 | @{ 10 | 11 | # Script module or binary module file associated with this manifest. 12 | RootModule = 'MCAS.psm1' 13 | 14 | # Version number of this module. 15 | ModuleVersion = '3.3.8' 16 | 17 | # Supported PSEditions 18 | # CompatiblePSEditions = @() 19 | 20 | # ID used to uniquely identify this module 21 | GUID = '12f3a402-48e8-4a58-926f-061ca000d627' 22 | 23 | # Author of this module 24 | Author = 'Microsoft Corporation' 25 | 26 | # Company or vendor of this module 27 | CompanyName = 'Microsoft' 28 | 29 | # Copyright statement for this module 30 | Copyright = '(c) 2018 Jared Poeppelman & Mike Kassis. All rights reserved.' 
31 | 32 | # Description of the functionality provided by this module 33 | Description = 'Powershell module for Microsoft Cloud App Security (MCAS)' 34 | 35 | # Minimum version of the Windows PowerShell engine required by this module 36 | PowerShellVersion = '5.1' 37 | 38 | # Name of the Windows PowerShell host required by this module 39 | # PowerShellHostName = '' 40 | 41 | # Minimum version of the Windows PowerShell host required by this module 42 | # PowerShellHostVersion = '' 43 | 44 | # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 45 | # DotNetFrameworkVersion = '' 46 | 47 | # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 48 | # CLRVersion = '' 49 | 50 | # Processor architecture (None, X86, Amd64) required by this module 51 | # ProcessorArchitecture = '' 52 | 53 | # Modules that must be imported into the global environment prior to importing this module 54 | # RequiredModules = @() 55 | 56 | # Assemblies that must be loaded prior to importing this module 57 | # RequiredAssemblies = @() 58 | 59 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 60 | # ScriptsToProcess = @() 61 | 62 | # Type files (.ps1xml) to be loaded when importing this module 63 | # TypesToProcess = @() 64 | 65 | # Format files (.ps1xml) to be loaded when importing this module 66 | # FormatsToProcess = @() 67 | 68 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 69 | # NestedModules = @() 70 | 71 | # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. 
72 | FunctionsToExport = @( 73 | 'Add-MCASAdminAccess', 74 | 'ConvertFrom-MCASTimestamp', 75 | 'Export-MCASBlockScript', 76 | 'Export-MCASCredential', 77 | 'Get-MCASAccount', 78 | 'Get-MCASActivity', 79 | 'Get-MCASActivityType', 80 | 'Get-MCASAdminAccess', 81 | 'Get-MCASAlert', 82 | 'Get-MCASAppId', 83 | 'Get-MCASAppInfo', 84 | 'Get-MCASAppPermission', 85 | 'Get-MCASConfiguration', 86 | 'Get-MCASCredential', 87 | 'Get-MCASDiscoveredApp', 88 | 'Get-MCASDiscoveredAppTag', 89 | 'Get-MCASDiscoveryDataSource', 90 | 'Get-MCASDiscoverySampleLog', 91 | 'Get-MCASFile', 92 | 'Get-MCASGovernanceAction', 93 | 'Get-MCASIPTag', 94 | 'Get-MCASLogCollector', 95 | 'Get-MCASPolicy', 96 | 'Get-MCASPortalSettings', 97 | 'Get-MCASSiemAgent', 98 | 'Get-MCASStream', 99 | 'Get-MCASSubnetCollection', 100 | 'Get-MCASUserGroup', 101 | 'Import-MCASCredential', 102 | 'Install-MCASSiemAgent', 103 | 'New-MCASDiscoveryDataSource', 104 | 'New-MCASSiemAgentToken', 105 | 'New-MCASSubnetCollection', 106 | 'Remove-MCASAdminAccess', 107 | 'Remove-MCASDiscoveryDataSource', 108 | 'Remove-MCASSubnetCollection', 109 | 'Send-MCASDiscoveryLog', 110 | 'Set-MCASAlert' 111 | ) 112 | 113 | 114 | # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. 115 | CmdletsToExport = '*' 116 | 117 | # Variables to export from this module 118 | VariablesToExport = '*' 119 | 120 | # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. 121 | AliasesToExport = '*' 122 | 123 | # DSC resources to export from this module 124 | # DscResourcesToExport = @() 125 | 126 | # List of all modules packaged with this module 127 | # ModuleList = @() 128 | 129 | # List of all files packaged with this module 130 | # FileList = @() 131 | 132 | # Private data to pass to the module specified in RootModule/ModuleToProcess. 
This may also contain a PSData hashtable with additional module metadata used by PowerShell. 133 | PrivateData = @{ 134 | 135 | PSData = @{ 136 | 137 | # Tags applied to this module. These help with module discovery in online galleries. 138 | # Tags = @() 139 | 140 | # A URL to the license for this module. 141 | LicenseUri = 'https://github.com/powershellshock/MCAS-Powershell/blob/master/LICENSE.txt' 142 | 143 | # A URL to the main website for this project. 144 | ProjectUri = 'https://github.com/powershellshock/MCAS-Powershell' 145 | 146 | # A URL to an icon representing this module. 147 | # IconUri = '' 148 | 149 | # ReleaseNotes of this module 150 | # ReleaseNotes = '' 151 | 152 | } # End of PSData hashtable 153 | 154 | } # End of PrivateData hashtable 155 | 156 | # HelpInfo URI of this module 157 | # HelpInfoURI = '' 158 | 159 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 160 | # DefaultCommandPrefix = '' 161 | 162 | } 163 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | This project has adopted the [Microsoft Open Source Code of Conduct](http://microsoft.github.io/codeofconduct). For more information see the [Code of Conduct FAQ](http://microsoft.github.io/codeofconduct/faq.md) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 3 | 4 | 5 | 6 | # MCAS Powershell Module [Unofficial] 7 | 8 | Welcome to the Unofficial Microsoft Cloud App Security PowerShell module! 9 | 10 | This module is a collection of easy-to-use cmdlets and functions designed to make it easy to interface with the Microsoft Cloud App Security product. 11 | 12 | Why is it unofficial, you ask? 
Even though this module was designed by Microsoft employees, it is NOT a formal part of the MCAS product and you will not be able to get support through standard Microsoft channels. That said, if you have problems or questions, please open an issue here on this GitHub repo. The authors will be more than happy to help.


## Prerequisites

To get value from this module you must...

```
...have PowerShell 5.1 or later (the module manifest requires 5.1; it comes standard on Windows 10)
...be licensed for Microsoft Cloud App Security
...have permissions within MCAS to generate API tokens
```

## Getting Started

To get started with the module, open a PowerShell terminal and install the module from the PSGallery by running this simple command:
```
Install-Module MCAS
```
An elevated (administrator) session is only needed to install for all users. Without elevation, add `-Scope CurrentUser` to install for your own account only, which is also the least-privilege option.

If this is your first time installing a module, you will get prompted to install the NuGet Package Provider. NuGet is the package/module manager used by the PSGallery repository.

Once the module is installed, we recommend reading the wiki, which will walk you through generating your API token, running your first commands, and the steps to create a stored credential file for easy scripting. Treat that stored file like any other secret: it holds the API token that authenticates and authorizes calls to your tenant.


## Contributing

Apologies, we are not currently opening up this project for contribution outside of our existing team. This may change in the future if there is enough interest.

## Versioning

We use the [SemVer](http://semver.org/) scheme for versioning.

## Authors

* **Mike Kassis** - *Co-Lead Dev* - [Github](https://github.com/Javanite), [LinkedIn](https://www.linkedin.com/in/mrkassis)
* **Jared Poeppelman** - *Co-Lead Dev* - [Github](https://github.com/powershellshock), [LinkedIn](https://www.linkedin.com/in/jaredpoeppelman/)
* **Allie Edwards** - *Dev* - [Github](https://github.com/allie-edwards), [LinkedIn](/)
* **Anisha Gupta** - *Test design* - [LinkedIn](https://linkedin.com)

See also the list of [contributors](https://github.com/Microsoft/MCAS/graphs/contributors) who participated in this project.

## License

This project is licensed under the MIT License; see [LICENSE.txt](LICENSE.txt) for the full terms.

This project has adopted the [Microsoft Open Source Code of Conduct](http://microsoft.github.io/codeofconduct). For more information see the [Code of Conduct FAQ](http://microsoft.github.io/codeofconduct/faq.md) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Acknowledgments

* Microsoft C+Ai CxE Security engineering team for testing.
* All the customers who have provided great feedback.
* Niv & Team for providing such a robust API and building such an awesome product!
* Security Global Black Belt (GBB) team and Cybersecurity Solutions Group (CSG)

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------


## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. 
Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).


--------------------------------------------------------------------------------
/docs/Add-MCASAdminAccess.md:
--------------------------------------------------------------------------------
---
external help file: MCAS-help.xml
Module Name: MCAS
online version:
schema: 2.0.0
---

# Add-MCASAdminAccess

## SYNOPSIS
Adds administrators to the MCAS portal.

## SYNTAX

```
Add-MCASAdminAccess [-Credential <PSCredential>] [-Username] <String> [-PermissionType] <permission_type>
 [<CommonParameters>]
```

## DESCRIPTION
Add-MCASAdminAccess grants existing user accounts the MCAS full admin or read-only admin role within MCAS.

## EXAMPLES

### EXAMPLE 1
```
Add-MCASAdminAccess -Username 'alice@contoso.com' -PermissionType FULL_ACCESS
```

### EXAMPLE 2
```
Add-MCASAdminAccess 'bob@contoso.com' READ_ONLY
```

WARNING: READ_ONLY access still includes the ability to manage MCAS alerts, so it is not a purely passive role.

## PARAMETERS

### -Credential
Specifies the credential object containing tenant as username (e.g.
'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password.

```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: $CASCredential
Accept pipeline input: False
Accept wildcard characters: False
```

### -Username
Specifies the username (e.g. 'alice@contoso.com') of the existing user account to be granted the MCAS admin role.

```yaml
Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```

### -PermissionType
Specifies the admin role to grant: READ_ONLY or FULL_ACCESS. Note that READ_ONLY still includes the ability to manage MCAS alerts.

```yaml
Type: permission_type
Parameter Sets: (All)
Aliases:
Accepted values: READ_ONLY, FULL_ACCESS

Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

## INPUTS

## OUTPUTS

## NOTES

## RELATED LINKS
--------------------------------------------------------------------------------
/docs/ConvertFrom-MCASTimestamp.md:
--------------------------------------------------------------------------------
---
external help file: MCAS-help.xml
Module Name: MCAS
online version:
schema: 2.0.0
---

# ConvertFrom-MCASTimestamp

## SYNOPSIS
Converts an MCAS timestamp (13-digit integer or 10-digit integer) to a native date/time value of type \[datetime\].

## SYNTAX

```
ConvertFrom-MCASTimestamp [-Timestamp] <Object> [<CommonParameters>]
```

## DESCRIPTION
ConvertFrom-MCASTimestamp returns a System.DateTime value representing the time (localized to the PowerShell session's timezone) for a timestamp value from MCAS.

## EXAMPLES

### EXAMPLE 1
```
ConvertFrom-MCASTimestamp 1520272590839
```

Monday, March 5, 2018 12:56:30 PM

### EXAMPLE 2
```
Get-MCASActivity -ResultSetSize 5 | ForEach-Object {ConvertFrom-MCASTimestamp $_.timestamp}
```

Monday, March 5, 2018 12:56:30 PM
Monday, March 5, 2018 12:50:28 PM
Monday, March 5, 2018 12:49:34 PM
Monday, March 5, 2018 12:45:36 PM
Monday, March 5, 2018 12:45:23 PM

## PARAMETERS

### -Timestamp
The MCAS timestamp to convert: a 13-digit (millisecond) or 10-digit (second) epoch value, such as the `timestamp` property returned by Get-MCASActivity.

```yaml
Type: Object
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
62 | 63 | ## INPUTS 64 | 65 | ## OUTPUTS 66 | 67 | ### System.DateTime 68 | 69 | ## NOTES 70 | 71 | ## RELATED LINKS 72 | -------------------------------------------------------------------------------- /docs/Dependencies.vsdx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MCAS/9c92478a82212697be324742bc10d61e8d9aed82/docs/Dependencies.vsdx -------------------------------------------------------------------------------- /docs/Export-MCASBlockScript.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Export-MCASBlockScript 9 | 10 | ## SYNOPSIS 11 | Exports a proxy or firewall block script for the unsanctioned apps in your Cloud App Security tenant. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Export-MCASBlockScript [-Credential ] [-DeviceType] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Exports a block script, in the specified firewall or proxy device type format, for the unsanctioned apps. 21 | 22 | 'Export-MCASBlockScript -DeviceType WEBSENSE' returns the text to be used in a Websense block script. 23 | Methods available are only those available to custom objects by default. The script is generated from whatever apps are currently tagged as unsanctioned in the tenant (the example output below includes domains such as wellsfargo.com and usbank.com), so review the generated list before deploying it to a proxy or firewall: an app tagged by mistake becomes a block rule, and the script replaces rather than merges with any existing block list. 24 | 25 | ## EXAMPLES 26 | 27 | ### EXAMPLE 1 28 | ``` 29 | Export-MCASBlockScript -DeviceType WEBSENSE 30 | ``` 31 | 32 | dest_host=lawyerstravel.com action=deny 33 | dest_host=wellsfargo.com action=deny 34 | dest_host=usbank.com action=deny 35 | dest_host=care2.com action=deny 36 | dest_host=careerbuilder.com action=deny 37 | dest_host=abcnews.go.com action=deny 38 | dest_host=accuweather.com action=deny 39 | dest_host=zoovy.com action=deny 40 | dest_host=cars.com action=deny 41 | 42 | This pulls back a string to be used as a block script in Websense format.
43 | 44 | ### EXAMPLE 2 45 | ``` 46 | Export-MCASBlockScript -DeviceType BLUECOAT_PROXYSG 47 | ``` 48 | 49 | url.domain=lawyerstravel.com deny 50 | url.domain=wellsfargo.com deny 51 | url.domain=usbank.com deny 52 | url.domain=care2.com deny 53 | url.domain=careerbuilder.com deny 54 | url.domain=abcnews.go.com deny 55 | url.domain=accuweather.com deny 56 | url.domain=zoovy.com deny 57 | url.domain=cars.com deny 58 | 59 | This pulls back string to be used as a block script in BlueCoat format. 60 | 61 | ### EXAMPLE 3 62 | ``` 63 | Export-MCASBlockScript -DeviceType WEBSENSE | Set-Content MyWebsenseBlockScript.txt -Encoding UTF8 64 | ``` 65 | 66 | This pulls back a Websense block script in text string format and creates a new UTF-8 encoded text file out of it. 67 | 68 | ## PARAMETERS 69 | 70 | ### -Credential 71 | Specifies the credential object containing tenant as username (e.g. 72 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 73 | 74 | ```yaml 75 | Type: PSCredential 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: False 80 | Position: Named 81 | Default value: $CASCredential 82 | Accept pipeline input: False 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -DeviceType 87 | Specifies the device type to use for the format of the block script. 
88 | Possible Values: BLUECOAT_PROXYSG,CISCO_ASA,FORTINET_FORTIGATE,PALO_ALTO,JUNIPER_SRX,WEBSENSE,ZSCALER (these are the values used by the examples above). NOTE: the Accepted values list in the block below appears to be generated from the module's generic device_type enumeration and does not contain the block-script formats the examples use (WEBSENSE, BLUECOAT_PROXYSG); confirm the valid set against the function's parameter definition before scripting against it. 89 | 90 | ```yaml 91 | Type: device_type 92 | Parameter Sets: (All) 93 | Aliases: Appliance 94 | Accepted values: BARRACUDA, BLUECOAT, CHECKPOINT, CISCO_ASA, CISCO_IRONPORT_PROXY, FORTIGATE, PALO_ALTO, SQUID, ZSCALER, MCAFEE_SWG, CISCO_SCAN_SAFE, JUNIPER_SRX, SOPHOS_SG, WEBSENSE_V7_5, WEBSENSE_SIEM_CEF, MACHINE_ZONE_MERAKI, SQUID_NATIVE, CISCO_FWSM, MICROSOFT_ISA_W3C, SONICWALL_SYSLOG, SOPHOS_CYBEROAM, CLAVISTER, JUNIPER_SSG, ZSCALER_QRADAR, JUNIPER_SRX_SD, JUNIPER_SRX_WELF, CISCO_ASA_FIREPOWER, GENERIC_CEF, GENERIC_LEEF, GENERIC_W3C, I_FILTER, CHECKPOINT_XML, CHECKPOINT_SMART_VIEW_TRACKER, BARRACUDA_NEXT_GEN_FW, BARRACUDA_NEXT_GEN_FW_WEBLOG 95 | 96 | Required: True 97 | Position: 1 98 | Default value: None 99 | Accept pipeline input: False 100 | Accept wildcard characters: False 101 | ``` 102 | 103 | ### CommonParameters 104 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 105 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 106 | 107 | ## INPUTS 108 | 109 | ## OUTPUTS 110 | 111 | ## NOTES 112 | 113 | ## RELATED LINKS 114 | -------------------------------------------------------------------------------- /docs/Get-MCASAccount.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASAccount 9 | 10 | ## SYNOPSIS 11 | Gets user account information from your Cloud App Security tenant.
12 | 13 | ## SYNTAX 14 | 15 | ### Fetch 16 | ``` 17 | Get-MCASAccount [-Identity] [-Credential ] [] 18 | ``` 19 | 20 | ### List 21 | ``` 22 | Get-MCASAccount [-Credential ] [-SortBy ] [-SortDirection ] 23 | [-ResultSetSize ] [-Skip ] [-External] [-Internal] [-UserName ] [-AppId ] 24 | [-AppName ] [-AppIdNot ] [-AppNameNot ] [-UserDomain ] 25 | [] 26 | ``` 27 | 28 | ## DESCRIPTION 29 | Gets user account information from your Cloud App Security tenant and requires a credential be provided. 30 | 31 | Without parameters, Get-MCASAccount gets 100 account records and associated properties. 32 | You can specify a particular account GUID to fetch a single account's information or you can pull a list of accounts based on the provided filters. 33 | 34 | Get-MCASAccount returns a single custom PS Object or multiple PS Objects with all of the account properties. 35 | Methods available are only those available to custom objects by default. 36 | 37 | ## EXAMPLES 38 | 39 | ### EXAMPLE 1 40 | ``` 41 | Get-MCASAccount -ResultSetSize 1 42 | ``` 43 | 44 | username : alice@contoso.com 45 | consolidatedTags : {} 46 | userDomain : contoso.com 47 | serviceData : @{20595=} 48 | lastSeen : 2016-05-13T20:23:47.210000Z 49 | _tid : 17000616 50 | services : {20595} 51 | _id : 572caf4588011e452ec18ef0 52 | firstSeen : 2016-05-06T14:50:44.762000Z 53 | external : False 54 | Identity : 572caf4588011e452ec18ef0 55 | 56 | This pulls back a single user record and is part of the 'List' parameter set. 57 | 58 | ### EXAMPLE 2 59 | ``` 60 | (Get-MCASAccount -UserDomain contoso.com).count 61 | ``` 62 | 63 | 2 64 | 65 | This pulls back all accounts from the specified domain and returns a count of the returned objects. 
66 | 67 | ### EXAMPLE 3 68 | ``` 69 | Get-MCASAccount -External | select @{N='Unique Domains'; E={$_.userDomain}} -Unique 70 | ``` 71 | 72 | Unique Domains 73 | -------------- 74 | gmail.com 75 | outlook.com 76 | yahoo.com 77 | 78 | This pulls back all accounts flagged as external to the domain and displays only unique records in a new property called 'Unique Domains'. (The filter is the -External switch of the List parameter set; there is no -Affiliation parameter.) 79 | 80 | ### EXAMPLE 4 81 | ``` 82 | (Get-MCASAccount -AppName Microsoft_Cloud_App_Security).serviceData.20595 83 | ``` 84 | 85 | email lastLogin lastSeen 86 | ----- --------- -------- 87 | admin@mod.onmicrosoft.com 2016-06-13T21:17:40.821000Z 2016-06-13T21:17:40.821000Z 88 | 89 | This queries for any Cloud App Security accounts and displays the serviceData table containing the email, last login, and last seen properties. 90 | 20595 is the Service ID for Cloud App Security. The app name must be given in its enumeration form (Microsoft_Cloud_App_Security, see the Accepted values for -AppName); -ServiceNames is an alias of -AppName. 91 | 92 | ## PARAMETERS 93 | 94 | ### -Identity 95 | Fetches an account object by its unique identifier. 96 | 97 | ```yaml 98 | Type: String 99 | Parameter Sets: Fetch 100 | Aliases: _id 101 | 102 | Required: True 103 | Position: 1 104 | Default value: None 105 | Accept pipeline input: True (ByPropertyName, ByValue) 106 | Accept wildcard characters: False 107 | ``` 108 | 109 | ### -Credential 110 | Specifies the credential object containing tenant as username (e.g. 111 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 112 | 113 | ```yaml 114 | Type: PSCredential 115 | Parameter Sets: (All) 116 | Aliases: 117 | 118 | Required: False 119 | Position: Named 120 | Default value: $CASCredential 121 | Accept pipeline input: False 122 | Accept wildcard characters: False 123 | ``` 124 | 125 | ### -SortBy 126 | Specifies the property by which to sort the results. 127 | Possible Values: 'UserName','LastSeen'.
128 | 129 | ```yaml 130 | Type: String 131 | Parameter Sets: List 132 | Aliases: 133 | 134 | Required: False 135 | Position: Named 136 | Default value: None 137 | Accept pipeline input: False 138 | Accept wildcard characters: False 139 | ``` 140 | 141 | ### -SortDirection 142 | Specifies the direction in which to sort the results. 143 | Possible Values: 'Ascending','Descending'. 144 | 145 | ```yaml 146 | Type: String 147 | Parameter Sets: List 148 | Aliases: 149 | 150 | Required: False 151 | Position: Named 152 | Default value: None 153 | Accept pipeline input: False 154 | Accept wildcard characters: False 155 | ``` 156 | 157 | ### -ResultSetSize 158 | Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 159 | 160 | ```yaml 161 | Type: Int32 162 | Parameter Sets: List 163 | Aliases: 164 | 165 | Required: False 166 | Position: Named 167 | Default value: 100 168 | Accept pipeline input: False 169 | Accept wildcard characters: False 170 | ``` 171 | 172 | ### -Skip 173 | Specifies the number of records, from the beginning of the result set, to skip. 
174 | 175 | ```yaml 176 | Type: Int32 177 | Parameter Sets: List 178 | Aliases: 179 | 180 | Required: False 181 | Position: Named 182 | Default value: 0 183 | Accept pipeline input: False 184 | Accept wildcard characters: False 185 | ``` 186 | 187 | ### -External 188 | Limits the results to external users 189 | 190 | ```yaml 191 | Type: SwitchParameter 192 | Parameter Sets: List 193 | Aliases: 194 | 195 | Required: False 196 | Position: Named 197 | Default value: False 198 | Accept pipeline input: False 199 | Accept wildcard characters: False 200 | ``` 201 | 202 | ### -Internal 203 | Limits the results to internal users 204 | 205 | ```yaml 206 | Type: SwitchParameter 207 | Parameter Sets: List 208 | Aliases: 209 | 210 | Required: False 211 | Position: Named 212 | Default value: False 213 | Accept pipeline input: False 214 | Accept wildcard characters: False 215 | ``` 216 | 217 | ### -UserName 218 | Limits the results to items related to the specified user names, such as 'alice@contoso.com','bob@contoso.com'. 219 | 220 | ```yaml 221 | Type: String[] 222 | Parameter Sets: List 223 | Aliases: 224 | 225 | Required: False 226 | Position: Named 227 | Default value: None 228 | Accept pipeline input: False 229 | Accept wildcard characters: False 230 | ``` 231 | 232 | ### -AppId 233 | Limits the results to items related to the specified service IDs, such as 11161,11770 (for Office 365 and Google Apps, respectively). 234 | 235 | ```yaml 236 | Type: Int32[] 237 | Parameter Sets: List 238 | Aliases: Service, Services 239 | 240 | Required: False 241 | Position: Named 242 | Default value: None 243 | Accept pipeline input: False 244 | Accept wildcard characters: False 245 | ``` 246 | 247 | ### -AppName 248 | Limits the results to items related to the specified service names, such as 'Office_365' and 'Google_Apps'. 
249 | 250 | ```yaml 251 | Type: mcas_app[] 252 | Parameter Sets: List 253 | Aliases: ServiceName, ServiceNames 254 | Accepted values: Box, Okta, Salesforce, Office_365, Microsoft_Yammer, Amazon_Web_Services, Dropbox, Google_Apps, ServiceNow, Microsoft_OneDrive_for_Business, Microsoft_Cloud_App_Security, Microsoft_Sharepoint_Online, Microsoft_Exchange_Online, Microsoft_Skype_for_Business, Microsoft_Power_BI, Microsoft_Teams 255 | 256 | Required: False 257 | Position: Named 258 | Default value: None 259 | Accept pipeline input: False 260 | Accept wildcard characters: False 261 | ``` 262 | 263 | ### -AppIdNot 264 | Limits the results to items not related to the specified service ids, such as 11161,11770 (for Office 365 and Google Apps, respectively). 265 | 266 | ```yaml 267 | Type: Int32[] 268 | Parameter Sets: List 269 | Aliases: ServiceNot, ServicesNot 270 | 271 | Required: False 272 | Position: Named 273 | Default value: None 274 | Accept pipeline input: False 275 | Accept wildcard characters: False 276 | ``` 277 | 278 | ### -AppNameNot 279 | Limits the results to items not related to the specified service names, such as 'Office_365' and 'Google_Apps'. 280 | 281 | ```yaml 282 | Type: mcas_app[] 283 | Parameter Sets: List 284 | Aliases: ServiceNameNot, ServiceNamesNot 285 | Accepted values: Box, Okta, Salesforce, Office_365, Microsoft_Yammer, Amazon_Web_Services, Dropbox, Google_Apps, ServiceNow, Microsoft_OneDrive_for_Business, Microsoft_Cloud_App_Security, Microsoft_Sharepoint_Online, Microsoft_Exchange_Online, Microsoft_Skype_for_Business, Microsoft_Power_BI, Microsoft_Teams 286 | 287 | Required: False 288 | Position: Named 289 | Default value: None 290 | Accept pipeline input: False 291 | Accept wildcard characters: False 292 | ``` 293 | 294 | ### -UserDomain 295 | Limits the results to items found in the specified user domains, such as 'contoso.com'. 
296 | 297 | ```yaml 298 | Type: String[] 299 | Parameter Sets: List 300 | Aliases: 301 | 302 | Required: False 303 | Position: Named 304 | Default value: None 305 | Accept pipeline input: False 306 | Accept wildcard characters: False 307 | ``` 308 | 309 | ### CommonParameters 310 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 311 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 312 | 313 | ## INPUTS 314 | 315 | ## OUTPUTS 316 | 317 | ## NOTES 318 | 319 | ## RELATED LINKS 320 | -------------------------------------------------------------------------------- /docs/Get-MCASAdminAccess.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASAdminAccess 9 | 10 | ## SYNOPSIS 11 | Lists the administrators that have been granted access to the MCAS portal via an MCAS role. 12 | (Does not include admins who hold access through Azure AD directory roles, such as Global Admin. An access review based on this output alone is therefore incomplete; review the Azure AD role assignments separately.) 13 | 14 | ## SYNTAX 15 | 16 | ``` 17 | Get-MCASAdminAccess [[-Credential] ] [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Get-MCASAdminAccess lists existing user accounts with MCAS admin rights and the permission type they have within MCAS. 22 | 23 | ## EXAMPLES 24 | 25 | ### EXAMPLE 1 26 | ``` 27 | Get-MCASAdminAccess 28 | ``` 29 | 30 | ### EXAMPLE 2 31 | ``` 32 | Get-MCASAdminAccess -Credential $CASCredential 33 | ``` 34 | 35 | username permission_type 36 | -------- --------------- 37 | alice@contoso.com FULL_ACCESS 38 | bob@contoso.com READ_ONLY 39 | 40 | Same as Example 1 with the credential passed explicitly; the output lists each MCAS admin and the role held. (The only parameter of this cmdlet is -Credential; a username and permission type are parameters of Add-MCASAdminAccess, not of this cmdlet.) 41 | 42 | ### -Credential 43 | Specifies the credential object containing tenant as username (e.g.
44 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 45 | 46 | ```yaml 47 | Type: PSCredential 48 | Parameter Sets: (All) 49 | Aliases: 50 | 51 | Required: False 52 | Position: 1 53 | Default value: $CASCredential 54 | Accept pipeline input: False 55 | Accept wildcard characters: False 56 | ``` 57 | 58 | ### CommonParameters 59 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 60 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 61 | 62 | ## INPUTS 63 | 64 | ## OUTPUTS 65 | 66 | ## NOTES 67 | 68 | ## RELATED LINKS 69 | -------------------------------------------------------------------------------- /docs/Get-MCASAppId.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASAppId 9 | 10 | ## SYNOPSIS 11 | Returns an application's id (integer) given its name. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASAppId [-AppName] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Get-MCASAppId gets the unique identifier integer value that represents an app in MCAS. 21 | 22 | ## EXAMPLES 23 | 24 | ### EXAMPLE 1 25 | ``` 26 | Get-MCASAppId -AppName Microsoft_Cloud_App_Security 27 | ``` 28 | 29 | 20595 30 | 31 | ## PARAMETERS 32 | 33 | ### -AppName 34 | Specifies the app for which to retrieve the integer id value. 
35 | 36 | ```yaml 37 | Type: mcas_app 38 | Parameter Sets: (All) 39 | Aliases: 40 | Accepted values: Box, Okta, Salesforce, Office_365, Microsoft_Yammer, Amazon_Web_Services, Dropbox, Google_Apps, ServiceNow, Microsoft_OneDrive_for_Business, Microsoft_Cloud_App_Security, Microsoft_Sharepoint_Online, Microsoft_Exchange_Online, Microsoft_Skype_for_Business, Microsoft_Power_BI, Microsoft_Teams 41 | 42 | Required: True 43 | Position: 1 44 | Default value: None 45 | Accept pipeline input: True (ByValue) 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ### CommonParameters 50 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 51 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 52 | 53 | ## INPUTS 54 | 55 | ## OUTPUTS 56 | 57 | ## NOTES 58 | 59 | ## RELATED LINKS 60 | -------------------------------------------------------------------------------- /docs/Get-MCASAppInfo.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASAppInfo 9 | 10 | ## SYNOPSIS 11 | Gets all General, Security, and Compliance info for a provided app ID. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASAppInfo [-Credential ] [-AppId] [-ResultSetSize ] [-Skip ] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | By passing in an App Id, the user can retrive information about those apps straight from the SaaS DB. 22 | This information is returned in an object format that can be formatted for the user's needs. 
23 | 24 | ## EXAMPLES 25 | 26 | ### EXAMPLE 1 27 | ``` 28 | Get-MCASAppInfo -AppId 11114 | select name, category 29 | ``` 30 | 31 | name category 32 | ---- -------- 33 | Salesforce SAASDB_CATEGORY_CRM 34 | 35 | ### EXAMPLE 2 36 | ``` 37 | Get-MCASAppInfo -AppId 18394 | select name, @{N='Compliance';E={"{0:N0}" -f $_.revised_score.compliance}}, @{N='Security';E={"{0:N0}" -f $_.revised_score.security}}, @{N='Provider';E={"{0:N0}" -f $_.revised_score.provider}}, @{N='Total';E={"{0:N0}" -f $_.revised_score.total}} | ft 38 | ``` 39 | 40 | name Compliance Security Provider Total 41 | ---- ---------- -------- -------- ----- 42 | Blue Coat 4 8 6 6 43 | 44 | This example creates a table with just the app name and high level scores. 45 | 46 | ## PARAMETERS 47 | 48 | ### -Credential 49 | Specifies the credential object containing tenant as username (e.g. 50 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 51 | 52 | ```yaml 53 | Type: PSCredential 54 | Parameter Sets: (All) 55 | Aliases: 56 | 57 | Required: False 58 | Position: Named 59 | Default value: $CASCredential 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### -AppId 65 | Limits the results to items related to the specified service IDs, such as 11161,11770 (for Office 365 and Google Apps, respectively). 66 | 67 | ```yaml 68 | Type: Int32[] 69 | Parameter Sets: (All) 70 | Aliases: Service, Services 71 | 72 | Required: True 73 | Position: 1 74 | Default value: None 75 | Accept pipeline input: True (ByPropertyName, ByValue) 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ### -ResultSetSize 80 | Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 
81 | 82 | ```yaml 83 | Type: Int32 84 | Parameter Sets: (All) 85 | Aliases: 86 | 87 | Required: False 88 | Position: Named 89 | Default value: 100 90 | Accept pipeline input: False 91 | Accept wildcard characters: False 92 | ``` 93 | 94 | ### -Skip 95 | Specifies the number of records, from the beginning of the result set, to skip. 96 | 97 | ```yaml 98 | Type: Int32 99 | Parameter Sets: (All) 100 | Aliases: 101 | 102 | Required: False 103 | Position: Named 104 | Default value: 0 105 | Accept pipeline input: False 106 | Accept wildcard characters: False 107 | ``` 108 | 109 | ### CommonParameters 110 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 111 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 112 | 113 | ## INPUTS 114 | 115 | ## OUTPUTS 116 | 117 | ## NOTES 118 | 119 | ## RELATED LINKS 120 | -------------------------------------------------------------------------------- /docs/Get-MCASAppPermission.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASAppPermission 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASAppPermission [[-Credential] ] [[-ResultSetSize] ] [[-Skip] ] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | {{Fill in the Description}} 22 | 23 | ## EXAMPLES 24 | 25 | ### Example 1 26 | ```powershell 27 | PS C:\> {{ Add example code here }} 28 | ``` 29 | 30 | {{ Add example description here }} 31 | 32 | ## PARAMETERS 33 | 34 | ### -Credential 35 | {{Fill Credential Description}} 36 | 37 | ```yaml 38 | Type: PSCredential 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: False 43 | Position: 0 44 | Default value: 
None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ### -ResultSetSize 50 | {{Fill ResultSetSize Description}} 51 | 52 | ```yaml 53 | Type: Int32 54 | Parameter Sets: (All) 55 | Aliases: 56 | 57 | Required: False 58 | Position: 1 59 | Default value: None 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### -Skip 65 | {{Fill Skip Description}} 66 | 67 | ```yaml 68 | Type: Int32 69 | Parameter Sets: (All) 70 | Aliases: 71 | 72 | Required: False 73 | Position: 2 74 | Default value: None 75 | Accept pipeline input: False 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ### CommonParameters 80 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 81 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 82 | 83 | ## INPUTS 84 | 85 | ### None 86 | 87 | 88 | ## OUTPUTS 89 | 90 | ### System.Object 91 | 92 | ## NOTES 93 | 94 | ## RELATED LINKS 95 | -------------------------------------------------------------------------------- /docs/Get-MCASConfiguration.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASConfiguration 9 | 10 | ## SYNOPSIS 11 | Retrieves MCAS configuration settings. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASConfiguration [-Credential ] [[-Settings] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Get-MCASConfiguration lists the settings, of the specified type, of the MCAS tenant. 
21 | 22 | ## EXAMPLES 23 | 24 | ### EXAMPLE 1 25 | ``` 26 | Get-MCASConfiguration 27 | ``` 28 | 29 | environmentName : Contoso 30 | omsWorkspaces : 31 | quarantineSite : 32 | ssoNewSPEntityId : https://contoso.portal.cloudappsecurity.com/saml/consumer 33 | ssoSPEntityId : https://contoso.portal.cloudappsecurity.com/saml/consumer 34 | emailMaskPolicyOptions : @{FULL_CONTENT=CONSOLE_GENERAL_SETTINGS_EMAIL_MASK_POLICIES_NAME_FULL_CONTENT; 35 | MASKED_SUBJECT=CONSOLE_GENERAL_SETTINGS_EMAIL_MASK_POLICIES_NAME_MASKED_SUBJECT; 36 | ONLY_ID=CONSOLE_GENERAL_SETTINGS_EMAIL_MASK_POLICIES_NAME_ONLY_ID} 37 | ssoEntityId : 38 | ssoCertificate : 39 | ssoHasMetadata : True 40 | ssoEnabled : False 41 | allowAzIP : True 42 | ssoSignInPageUrl : 43 | canChangeAllowAzIP : True 44 | quarantineUserNotification : This file was quarantined because it might conflict with your organization's security and 45 | compliance policies. 46 | Contact your IT administrator for more information. 47 | ssoSignOutPageUrl : 48 | languageData : @{tenantLanguage=default; availableLanguages=System.Object\[\]} 49 | discoveryMasterTimeZone : Etc/GMT 50 | ssoOldSPEntityId : https://us.portal.cloudappsecurity.com/saml/consumer?tenant_id=26034820 51 | ssoByDomain : True 52 | ignoreExternalAzIP : False 53 | ssoLockdown : False 54 | ssoSPLogoutId : https://contoso.portal.cloudappsecurity.com/saml/logout 55 | ssoSignAssertion : False 56 | showAllowAzIP : True 57 | emailMaskPolicy : MASKED_SUBJECT 58 | orgDisplayName : Contoso 59 | domains : {contoso.onmicrosoft.com} 60 | showSuffixDisclaimer : True 61 | logoFilePath : 62 | 63 | ### EXAMPLE 2 64 | ``` 65 | Get-MCASConfiguration -Settings Mail 66 | ``` 67 | 68 | fromDisplayName replyTo from htmlTemplate 69 | --------------- ------- ---- ------------ 70 | ContosoSecurity security@contoso.com 71 | 72 | ## PARAMETERS 73 | 74 | ### -Credential 75 | Specifies the credential object containing tenant as username (e.g. 
76 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 77 | 78 | ```yaml 79 | Type: PSCredential 80 | Parameter Sets: (All) 81 | Aliases: 82 | 83 | Required: False 84 | Position: Named 85 | Default value: $CASCredential 86 | Accept pipeline input: False 87 | Accept wildcard characters: False 88 | ``` 89 | 90 | ### -Settings 91 | Specifies which setting types to list. 92 | Possible Values: 'General'(default),'Mail','ScoreMetrics','SnapshotReports','ContinuousReports','AppTags','UserEnrichment','Anonymization','InfoProtection','ManagedDevices' 93 | 94 | ```yaml 95 | Type: String 96 | Parameter Sets: (All) 97 | Aliases: 98 | 99 | Required: False 100 | Position: 1 101 | Default value: General 102 | Accept pipeline input: False 103 | Accept wildcard characters: False 104 | ``` 105 | 106 | ### CommonParameters 107 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 108 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 109 | 110 | ## INPUTS 111 | 112 | ## OUTPUTS 113 | 114 | ## NOTES 115 | 116 | ## RELATED LINKS 117 | -------------------------------------------------------------------------------- /docs/Get-MCASCredential.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASCredential 9 | 10 | ## SYNOPSIS 11 | Gets a credential to be used by other Cloud App Security module cmdlets. 
12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASCredential [[-TenantUri] ] [-PassThru] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Get-MCASCredential imports a set of credentials into your session (or, optionally, a variable) to be used by other Cloud App Security module cmdlets. 21 | 22 | When using Get-MCASCredential you will need to provide your Cloud App Security tenant URL as well as an OAuth Token that must be created manually in the console. 23 | 24 | Get-MCASCredential takes the tenant URL and OAuth token and stores them in a special global session variable called $CASCredential as a PSCredential; the OAuth token is held in memory as a System.Security.SecureString (as shown in Example 1) rather than as plain text. The token itself is a 64-character hexadecimal string and is a bearer credential for the tenant's API, so treat it as a secret: do not paste it into scripts, command history, or transcripts. 25 | 26 | All CAS Module cmdlets reference that special global variable to pass requests to your Cloud App Security tenant. 27 | 28 | See the examples section for ways to automate setting your CAS credentials for the session. 29 | 30 | ## EXAMPLES 31 | 32 | ### EXAMPLE 1 33 | ``` 34 | Get-MCASCredential 35 | ``` 36 | 37 | This prompts the user to enter both their tenant URL as well as their OAuth token. 38 | 39 | Username = Tenant URL without https:// (Example: contoso.portal.cloudappsecurity.com) 40 | Password = Tenant OAuth Token (Example: 432c1750f80d66a1cf2849afb6b10a7fcdf6738f5f554e32c9915fb006bd799a) 41 | 42 | PS C:\\\> $CASCredential 43 | 44 | To verify your credentials are set in the current session, run the above command. 45 | 46 | UserName Password 47 | -------- -------- 48 | contoso.portal.cloudappsecurity.com System.Security.SecureString 49 | 50 | ### EXAMPLE 2 51 | ``` 52 | Get-MCASCredential -PassThru | Export-CliXml C:\Users\Alice\MyCASCred.credential -Force 53 | ``` 54 | 55 | By specifying the -PassThru switch parameter, this will put the $CASCredential into the pipeline which can be exported to a .credential file that will store the tenant URL and encrypted version of the token in a file.
56 | 57 | We can use this newly created .credential file to automate setting our CAS credentials in the session by adding an import command to our profile. 58 | 59 | PS C:\\\> notepad $profile 60 | 61 | The above command will open our PowerShell profile, which is a set of commands that will run when we start a new session. 62 | By default it is empty. 63 | 64 | $CASCredential = Import-Clixml "C:\Users\Alice\MyCASCred.credential" 65 | 66 | By adding the above line to our profile and saving it, the next time we open a new PowerShell session, the credential file will automatically be imported into $CASCredential, which allows us to use other CAS cmdlets without running Get-MCASCredential at the start of the session. Handle the .credential file as a secret: on Windows, Export-Clixml protects the SecureString with DPAPI scoped to the current user and machine, so the file can only be imported by that same user on that same computer, but any code running as that user can still recover a working API token from it. Keep the file outside source-controlled directories, restrict its ACL to the owning user, and revoke and re-create the token in the MCAS console if the file is exposed. On non-Windows PowerShell the exported SecureString is not DPAPI-protected, so this pattern should not be treated as encryption at rest there. 67 | 68 | ## PARAMETERS 69 | 70 | ### -TenantUri 71 | Specifies the portal URL of your CAS tenant, for example 'contoso.portal.cloudappsecurity.com'. 72 | 73 | ```yaml 74 | Type: String 75 | Parameter Sets: (All) 76 | Aliases: 77 | 78 | Required: False 79 | Position: 1 80 | Default value: None 81 | Accept pipeline input: False 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### -PassThru 86 | Specifies that the credential should be returned into the pipeline for further processing. 87 | 88 | ```yaml 89 | Type: SwitchParameter 90 | Parameter Sets: (All) 91 | Aliases: 92 | 93 | Required: False 94 | Position: Named 95 | Default value: False 96 | Accept pipeline input: False 97 | Accept wildcard characters: False 98 | ``` 99 | 100 | ### CommonParameters 101 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 102 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
103 | 104 | ## INPUTS 105 | 106 | ## OUTPUTS 107 | 108 | ### System.Management.Automation.PSCredential 109 | 110 | ## NOTES 111 | 112 | ## RELATED LINKS 113 | -------------------------------------------------------------------------------- /docs/Get-MCASDiscoveredApp.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASDiscoveredApp 9 | 10 | ## SYNOPSIS 11 | Gets a list of discovered apps based on uploaded log files. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASDiscoveredApp [-Credential ] [-SortBy ] [-SortDirection ] 17 | [-ResultSetSize ] [-Skip ] [-Category ] [-ScoreRange ] 18 | [[-StreamId] ] [-TimeFrame ] [] 19 | ``` 20 | 21 | ## DESCRIPTION 22 | This function retrieves traffic and usage information about discovered apps. 23 | 24 | ## EXAMPLES 25 | 26 | ### EXAMPLE 1 27 | ``` 28 | Get-MCASDiscoveredApp -StreamId $streamid | select name -First 5 29 | ``` 30 | 31 | name 32 | ---- 33 | 1ShoppingCart 34 | ABC News 35 | ACTIVE 36 | AIM 37 | AT&T 38 | 39 | Retrieves the first 5 app names sorted alphabetically. 40 | 41 | ### EXAMPLE 2 42 | ``` 43 | Get-MCASDiscoveredApp -StreamId $streamid -Category SECURITY | select name,@{N='Total (MB)';E={"{0:N2}" -f ($_.trafficTotalBytes/1MB)}} 44 | ``` 45 | 46 | name Total (MB) 47 | ---- ---------- 48 | Blue Coat 19.12 49 | Globalscape 0.00 50 | McAfee Control Console 1.28 51 | Symantec 0.20 52 | Websense 0.06 53 | 54 | In this example we pull back only discovered apps in the security category and display a table of names and total traffic, formatted to 2 decimal places by dividing the trafficTotalBytes property by 1MB to show the traffic in MB. 55 | 56 | ## PARAMETERS 57 | 58 | ### -Credential 59 | Specifies the credential object containing tenant as username (e.g.
60 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 61 | 62 | ```yaml 63 | Type: PSCredential 64 | Parameter Sets: (All) 65 | Aliases: 66 | 67 | Required: False 68 | Position: Named 69 | Default value: $CASCredential 70 | Accept pipeline input: False 71 | Accept wildcard characters: False 72 | ``` 73 | 74 | ### -SortBy 75 | Specifies the property by which to sort the results. 76 | Set to 'Name' by default. 77 | Possible Values: 'UserName','LastSeen'. 78 | 79 | ```yaml 80 | Type: String 81 | Parameter Sets: (All) 82 | Aliases: 83 | 84 | Required: False 85 | Position: Named 86 | Default value: Name 87 | Accept pipeline input: False 88 | Accept wildcard characters: False 89 | ``` 90 | 91 | ### -SortDirection 92 | Specifies the direction in which to sort the results. 93 | Set to 'Ascending' by default. 94 | Possible Values: 'Ascending','Descending'. 95 | 96 | ```yaml 97 | Type: String 98 | Parameter Sets: (All) 99 | Aliases: 100 | 101 | Required: False 102 | Position: Named 103 | Default value: Ascending 104 | Accept pipeline input: False 105 | Accept wildcard characters: False 106 | ``` 107 | 108 | ### -ResultSetSize 109 | Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 110 | Set to 100 by default. 111 | 112 | ```yaml 113 | Type: Int32 114 | Parameter Sets: (All) 115 | Aliases: 116 | 117 | Required: False 118 | Position: Named 119 | Default value: 100 120 | Accept pipeline input: False 121 | Accept wildcard characters: False 122 | ``` 123 | 124 | ### -Skip 125 | Specifies the number of records, from the beginning of the result set, to skip. 126 | Set to 0 by default. 
127 | 128 | ```yaml 129 | Type: Int32 130 | Parameter Sets: (All) 131 | Aliases: 132 | 133 | Required: False 134 | Position: Named 135 | Default value: 0 136 | Accept pipeline input: False 137 | Accept wildcard characters: False 138 | ``` 139 | 140 | ### -Category 141 | Limits results by category type. 142 | A preset list of categories is included. 143 | \[app_category\[\]\]$Category, # I don't think an array will work here, so I am commenting this out for now 144 | 145 | ```yaml 146 | Type: app_category 147 | Parameter Sets: (All) 148 | Aliases: 149 | Accepted values: ACCOUNTING_AND_FINANCE, ADVERTISING, BUSINESS_MANAGEMENT, CLOUD_STORAGE, CODE_HOSTING, COLLABORATION, COMMUNICATIONS, CONTENT_MANAGEMENT, CONTENT_SHARING, CRM, CUSTOMER_SUPPORT, DATA_ANALYTICS, DEVELOPMENT_TOOLS, ECOMMERCE, EDUCATION, FORUMS, HEALTH, HOSTING_SERVICES, HUMAN_RESOURCE_MANAGEMENT, IT_SERVICES, MARKETING, MEDIA, NEWS_AND_ENTERTAINMENT, ONLINE_MEETINGS, OPERATIONS_MANAGEMENT, PRODUCT_DESIGN, PRODUCTIVITY, PROJECT_MANAGEMENT, PROPERTY_MANAGEMENT, SALES, SECURITY, SOCIAL_NETWORK, SUPLLY_CHAIN_AND_LOGISTICS, TRANSPORTATION_AND_TRAVEL, VENDOR_MANAGEMENT_SYSTEM, WEB_ANALYTICS, WEBMAIL, WEBSITE_MONITORING 150 | 151 | Required: False 152 | Position: Named 153 | Default value: None 154 | Accept pipeline input: False 155 | Accept wildcard characters: False 156 | ``` 157 | 158 | ### -ScoreRange 159 | Limits the results by risk score range, for example '3-9'. 160 | Set to '1-10' by default. 161 | 162 | ```yaml 163 | Type: String 164 | Parameter Sets: (All) 165 | Aliases: 166 | 167 | Required: False 168 | Position: Named 169 | Default value: 1-10 170 | Accept pipeline input: False 171 | Accept wildcard characters: False 172 | ``` 173 | 174 | ### -StreamId 175 | Limits the results by stream ID, for example '577d49d72b1c51a0762c61b0'. 176 | The stream ID can be found in the URL bar of the console when looking at the Discovery dashboard. 
177 | 178 | ```yaml 179 | Type: String 180 | Parameter Sets: (All) 181 | Aliases: 182 | 183 | Required: False 184 | Position: 1 185 | Default value: None 186 | Accept pipeline input: False 187 | Accept wildcard characters: False 188 | ``` 189 | 190 | ### -TimeFrame 191 | Limits the results by time frame in days. 192 | Set to 90 days by default. 193 | (Options: 7, 30, or 90) 194 | 195 | ```yaml 196 | Type: Int32 197 | Parameter Sets: (All) 198 | Aliases: 199 | 200 | Required: False 201 | Position: Named 202 | Default value: 90 203 | Accept pipeline input: False 204 | Accept wildcard characters: False 205 | ``` 206 | 207 | ### CommonParameters 208 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 209 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 210 | 211 | ## INPUTS 212 | 213 | ## OUTPUTS 214 | 215 | ## NOTES 216 | 217 | ## RELATED LINKS 218 | -------------------------------------------------------------------------------- /docs/Get-MCASDiscoveryDataSource.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASDiscoveryDataSource 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASDiscoveryDataSource [[-Credential] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{Fill in the Description}} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Credential 34 | {{Fill Credential Description}} 35 | 36 | ```yaml 37 | Type: PSCredential 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | 
Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### CommonParameters 49 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 50 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 51 | 52 | ## INPUTS 53 | 54 | ### None 55 | 56 | 57 | ## OUTPUTS 58 | 59 | ### System.Object 60 | 61 | ## NOTES 62 | 63 | ## RELATED LINKS 64 | -------------------------------------------------------------------------------- /docs/Get-MCASDiscoverySampleLog.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASDiscoverySampleLog 9 | 10 | ## SYNOPSIS 11 | Retrieves one or more sample discovery logs for a specified device type. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASDiscoverySampleLog [-DeviceType] [-Quiet] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Get-MCASDiscoverySampleLog gets the sample log files that are available for the specified device type. 
21 | 22 | ## EXAMPLES 23 | 24 | ### EXAMPLE 1 25 | ``` 26 | Get-MCASDiscoverySampleLog 27 | ``` 28 | 29 | C:\\\>Get-MCASDiscoverySampleLog -DeviceType CHECKPOINT 30 | 31 | C:\Users\alice\check-point_demo_log\check-point-2_demo_log.log 32 | C:\Users\alice\check-point_demo_log\check-point_demo_log.log 33 | 34 | ## PARAMETERS 35 | 36 | ### -DeviceType 37 | Specifies the device type for which a sample log file should be downloaded. 38 | 39 | ```yaml 40 | Type: device_type 41 | Parameter Sets: (All) 42 | Aliases: 43 | Accepted values: BARRACUDA, BLUECOAT, CHECKPOINT, CISCO_ASA, CISCO_IRONPORT_PROXY, FORTIGATE, PALO_ALTO, SQUID, ZSCALER, MCAFEE_SWG, CISCO_SCAN_SAFE, JUNIPER_SRX, SOPHOS_SG, WEBSENSE_V7_5, WEBSENSE_SIEM_CEF, MACHINE_ZONE_MERAKI, SQUID_NATIVE, CISCO_FWSM, MICROSOFT_ISA_W3C, SONICWALL_SYSLOG, SOPHOS_CYBEROAM, CLAVISTER, JUNIPER_SSG, ZSCALER_QRADAR, JUNIPER_SRX_SD, JUNIPER_SRX_WELF, CISCO_ASA_FIREPOWER, GENERIC_CEF, GENERIC_LEEF, GENERIC_W3C, I_FILTER, CHECKPOINT_XML, CHECKPOINT_SMART_VIEW_TRACKER, BARRACUDA_NEXT_GEN_FW, BARRACUDA_NEXT_GEN_FW_WEBLOG 44 | 45 | Required: True 46 | Position: 1 47 | Default value: None 48 | Accept pipeline input: True (ByValue) 49 | Accept wildcard characters: False 50 | ``` 51 | 52 | ### -Quiet 53 | Suppresses output of the downloaded file names. 54 | 55 | ```yaml 56 | Type: SwitchParameter 57 | Parameter Sets: (All) 58 | Aliases: 59 | 60 | Required: False 61 | Position: Named 62 | Default value: False 63 | Accept pipeline input: False 64 | Accept wildcard characters: False 65 | ``` 66 | 67 | ### CommonParameters 68 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 69 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
70 | 71 | ## INPUTS 72 | 73 | ## OUTPUTS 74 | 75 | ## NOTES 76 | 77 | ## RELATED LINKS 78 | -------------------------------------------------------------------------------- /docs/Get-MCASGovernanceAction.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASGovernanceAction 9 | 10 | ## SYNOPSIS 11 | Get-MCASGovernanceLog retrieves governance log entries. 12 | 13 | ## SYNTAX 14 | 15 | ### Fetch 16 | ``` 17 | Get-MCASGovernanceAction [-Identity] [-Credential ] [] 18 | ``` 19 | 20 | ### List 21 | ``` 22 | Get-MCASGovernanceAction [-Credential ] [-SortBy ] [-SortDirection ] 23 | [-ResultSetSize ] [-Skip ] [-AppId ] [-AppName ] [-AppIdNot ] 24 | [-AppNameNot ] [-Action ] [-Status ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | The MCAS governance log contains entries for when the product performs an action such as parsing log files or quarantining files. 29 | This function retrieves those entries. 30 | 31 | ## EXAMPLES 32 | 33 | ### EXAMPLE 1 34 | ``` 35 | Get-MCASGovernanceLog -ResultSetSize 10 -Status Successful,Failed -AppName Microsoft_Cloud_App_Security | select taskname, @{N='Status';E={$_.status.isSuccess}} 36 | ``` 37 | 38 | taskName Status 39 | -------- ------ 40 | DiscoveryParseLogTask False 41 | DiscoveryAggregationsTask True 42 | DiscoveryParseLogTask True 43 | DiscoveryParseLogTask False 44 | DiscoveryParseLogTask False 45 | DiscoveryParseLogTask False 46 | DiscoveryParseLogTask False 47 | DiscoveryParseLogTask True 48 | DiscoveryParseLogTask True 49 | DiscoveryParseLogTask True 50 | 51 | This example retrieves the last 10 actions for CAS, whether successful or failed, and displays their task name and status. 52 | 53 | ## PARAMETERS 54 | 55 | ### -Identity 56 | Fetches an activity object by its unique identifier. 
57 | \[ValidatePattern('((\d{8}_\d{5}_\[0-9a-f\]{8}-(\[0-9a-f\]{4}-){3}\[0-9a-f\]{12})|(\[A-Za-z0-9\]{20}))')\] 58 | 59 | ```yaml 60 | Type: String 61 | Parameter Sets: Fetch 62 | Aliases: _id 63 | 64 | Required: True 65 | Position: 1 66 | Default value: None 67 | Accept pipeline input: True (ByPropertyName, ByValue) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -Credential 72 | Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant. 73 | 74 | ```yaml 75 | Type: PSCredential 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: False 80 | Position: Named 81 | Default value: $CASCredential 82 | Accept pipeline input: False 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -SortBy 87 | Specifies the property by which to sort the results. 88 | Possible Values: 'Date','Created'. 89 | 90 | ```yaml 91 | Type: String 92 | Parameter Sets: List 93 | Aliases: 94 | 95 | Required: False 96 | Position: Named 97 | Default value: None 98 | Accept pipeline input: False 99 | Accept wildcard characters: False 100 | ``` 101 | 102 | ### -SortDirection 103 | Specifies the direction in which to sort the results. 104 | Possible Values: 'Ascending','Descending'. 105 | 106 | ```yaml 107 | Type: String 108 | Parameter Sets: List 109 | Aliases: 110 | 111 | Required: False 112 | Position: Named 113 | Default value: None 114 | Accept pipeline input: False 115 | Accept wildcard characters: False 116 | ``` 117 | 118 | ### -ResultSetSize 119 | Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 
120 | 121 | ```yaml 122 | Type: Int32 123 | Parameter Sets: List 124 | Aliases: 125 | 126 | Required: False 127 | Position: Named 128 | Default value: 100 129 | Accept pipeline input: False 130 | Accept wildcard characters: False 131 | ``` 132 | 133 | ### -Skip 134 | Specifies the number of records, from the beginning of the result set, to skip. 135 | 136 | ```yaml 137 | Type: Int32 138 | Parameter Sets: List 139 | Aliases: 140 | 141 | Required: False 142 | Position: Named 143 | Default value: 0 144 | Accept pipeline input: False 145 | Accept wildcard characters: False 146 | ``` 147 | 148 | ### -AppId 149 | Limits the results to items related to the specified service IDs, such as 11161,11770 (for Office 365 and Google Apps, respectively). 150 | 151 | ```yaml 152 | Type: Int32[] 153 | Parameter Sets: List 154 | Aliases: Service, Services 155 | 156 | Required: False 157 | Position: Named 158 | Default value: None 159 | Accept pipeline input: False 160 | Accept wildcard characters: False 161 | ``` 162 | 163 | ### -AppName 164 | Limits the results to items related to the specified service names, such as 'Office_365' and 'Google_Apps'. 165 | 166 | ```yaml 167 | Type: mcas_app[] 168 | Parameter Sets: List 169 | Aliases: ServiceName, ServiceNames 170 | Accepted values: Box, Okta, Salesforce, Office_365, Microsoft_Yammer, Amazon_Web_Services, Dropbox, Google_Apps, ServiceNow, Microsoft_OneDrive_for_Business, Microsoft_Cloud_App_Security, Microsoft_Sharepoint_Online, Microsoft_Exchange_Online, Microsoft_Skype_for_Business, Microsoft_Power_BI, Microsoft_Teams 171 | 172 | Required: False 173 | Position: Named 174 | Default value: None 175 | Accept pipeline input: False 176 | Accept wildcard characters: False 177 | ``` 178 | 179 | ### -AppIdNot 180 | Limits the results to items not related to the specified service ids, such as 11161,11770 (for Office 365 and Google Apps, respectively). 
181 | 182 | ```yaml 183 | Type: Int32[] 184 | Parameter Sets: List 185 | Aliases: ServiceNot, ServicesNot 186 | 187 | Required: False 188 | Position: Named 189 | Default value: None 190 | Accept pipeline input: False 191 | Accept wildcard characters: False 192 | ``` 193 | 194 | ### -AppNameNot 195 | Limits the results to items not related to the specified service names, such as 'Office_365' and 'Google_Apps'. 196 | 197 | ```yaml 198 | Type: mcas_app[] 199 | Parameter Sets: List 200 | Aliases: ServiceNameNot, ServiceNamesNot 201 | Accepted values: Box, Okta, Salesforce, Office_365, Microsoft_Yammer, Amazon_Web_Services, Dropbox, Google_Apps, ServiceNow, Microsoft_OneDrive_for_Business, Microsoft_Cloud_App_Security, Microsoft_Sharepoint_Online, Microsoft_Exchange_Online, Microsoft_Skype_for_Business, Microsoft_Power_BI, Microsoft_Teams 202 | 203 | Required: False 204 | Position: Named 205 | Default value: None 206 | Accept pipeline input: False 207 | Accept wildcard characters: False 208 | ``` 209 | 210 | ### -Action 211 | Limits the results to governance actions of the specified action type(s). 212 | 213 | ```yaml 214 | Type: String[] 215 | Parameter Sets: List 216 | Aliases: 217 | 218 | Required: False 219 | Position: Named 220 | Default value: None 221 | Accept pipeline input: False 222 | Accept wildcard characters: False 223 | ``` 224 | 225 | ### -Status 226 | Limits the results to governance actions with the specified status(es), for example Successful or Failed. 227 | 228 | ```yaml 229 | Type: String[] 230 | Parameter Sets: List 231 | Aliases: 232 | 233 | Required: False 234 | Position: Named 235 | Default value: None 236 | Accept pipeline input: False 237 | Accept wildcard characters: False 238 | ``` 239 | 240 | ### CommonParameters 241 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
242 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 243 | 244 | ## INPUTS 245 | 246 | ## OUTPUTS 247 | 248 | ## NOTES 249 | 250 | ## RELATED LINKS 251 | -------------------------------------------------------------------------------- /docs/Get-MCASIPTag.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASIPTag 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASIPTag [[-Credential] ] [[-ResultSetSize] ] [[-Skip] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{Fill in the Description}} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Credential 34 | {{Fill Credential Description}} 35 | 36 | ```yaml 37 | Type: PSCredential 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### -ResultSetSize 49 | {{Fill ResultSetSize Description}} 50 | 51 | ```yaml 52 | Type: Int32 53 | Parameter Sets: (All) 54 | Aliases: 55 | 56 | Required: False 57 | Position: 1 58 | Default value: None 59 | Accept pipeline input: False 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### -Skip 64 | {{Fill Skip Description}} 65 | 66 | ```yaml 67 | Type: Int32 68 | Parameter Sets: (All) 69 | Aliases: 70 | 71 | Required: False 72 | Position: 2 73 | Default value: None 74 | Accept pipeline input: False 75 | Accept wildcard characters: False 76 | ``` 77 | 78 | ### CommonParameters 79 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, 
-PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 80 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 81 | 82 | ## INPUTS 83 | 84 | ### None 85 | 86 | 87 | ## OUTPUTS 88 | 89 | ### System.Object 90 | 91 | ## NOTES 92 | 93 | ## RELATED LINKS 94 | -------------------------------------------------------------------------------- /docs/Get-MCASLogCollector.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASLogCollector 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASLogCollector [[-Credential] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{Fill in the Description}} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Credential 34 | {{Fill Credential Description}} 35 | 36 | ```yaml 37 | Type: PSCredential 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### CommonParameters 49 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 50 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
51 | 52 | ## INPUTS 53 | 54 | ### None 55 | 56 | 57 | ## OUTPUTS 58 | 59 | ### System.Object 60 | 61 | ## NOTES 62 | 63 | ## RELATED LINKS 64 | -------------------------------------------------------------------------------- /docs/Get-MCASPolicy.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASPolicy 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASPolicy [[-Identity] ] [-Credential ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{Fill in the Description}} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Credential 34 | {{Fill Credential Description}} 35 | 36 | ```yaml 37 | Type: PSCredential 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: Named 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### -Identity 49 | {{Fill Identity Description}} 50 | 51 | ```yaml 52 | Type: String 53 | Parameter Sets: (All) 54 | Aliases: _id 55 | 56 | Required: False 57 | Position: 0 58 | Default value: None 59 | Accept pipeline input: True (ByPropertyName, ByValue) 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### CommonParameters 64 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 65 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
66 | 67 | ## INPUTS 68 | 69 | ### System.String 70 | 71 | 72 | ## OUTPUTS 73 | 74 | ### System.Object 75 | 76 | ## NOTES 77 | 78 | ## RELATED LINKS 79 | -------------------------------------------------------------------------------- /docs/Get-MCASStream.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASStream 9 | 10 | ## SYNOPSIS 11 | Get-MCASStream retrieves a list of available discovery streams. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASStream [[-Credential] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Discovery streams are used to separate or aggregate discovery data. 21 | Stream IDs are needed when pulling discovered app data. 22 | 23 | ## EXAMPLES 24 | 25 | ### EXAMPLE 1 26 | ``` 27 | (Get-MCASStream | ?{$_.displayName -eq 'Global View'})._id 28 | ``` 29 | 30 | 57869acdb4b3d5154f095af7 31 | 32 | This example retrieves the global stream ID. 33 | 34 | ## PARAMETERS 35 | 36 | ### -Credential 37 | Specifies the credential object containing tenant as username (e.g. 38 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal OAuth token as the password. 39 | 40 | ```yaml 41 | Type: PSCredential 42 | Parameter Sets: (All) 43 | Aliases: 44 | 45 | Required: False 46 | Position: 1 47 | Default value: $CASCredential 48 | Accept pipeline input: False 49 | Accept wildcard characters: False 50 | ``` 51 | 52 | ### CommonParameters 53 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 54 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
55 | 56 | ## INPUTS 57 | 58 | ## OUTPUTS 59 | 60 | ## NOTES 61 | 62 | ## RELATED LINKS 63 | -------------------------------------------------------------------------------- /docs/Get-MCASSubnetCollection.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASSubnetCollection 9 | 10 | ## SYNOPSIS 11 | Lists the subnet collections that are defined in MCAS for enrichment of IP address information. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASSubnetCollection [-Credential ] [-ResultSetSize ] [-Skip ] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Get-MCASSubnetCollection gets subnet collections defined in the MCAS tenant. 22 | 23 | ## EXAMPLES 24 | 25 | ### EXAMPLE 1 26 | ``` 27 | Get-MCASSubnetCollection 28 | ``` 29 | 30 | category : 1 31 | subnets : {@{originalString=10.0.0.0/8; mask=104; address=0000:0000:0000:0000:0000:ffff:0a00:0000}} 32 | name : Contoso Internal IPs 33 | tags : {} 34 | location : 35 | _tid : 26034820 36 | organization : 37 | _id : 5a9e053df82b1bb8af51c802 38 | Identity : 5a9e053df82b1bb8af51c802 39 | 40 | category : 1 41 | subnets : {@{originalString=1.1.1.1/32; mask=128; address=0000:0000:0000:0000:0000:ffff:0101:0101}, 42 | @{originalString=2.2.2.2/32; mask=128; address=0000:0000:0000:0000:0000:ffff:0202:0202}} 43 | name : Contoso Egress IPs 44 | tags : {} 45 | location : 46 | _tid : 26034820 47 | organization : 48 | _id : 5a9e04c7f82b1bb8af51c7fb 49 | Identity : 5a9e04c7f82b1bb8af51c7fb 50 | 51 | ## PARAMETERS 52 | 53 | ### -Credential 54 | Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant. 
55 | 56 | ```yaml 57 | Type: PSCredential 58 | Parameter Sets: (All) 59 | Aliases: 60 | 61 | Required: False 62 | Position: Named 63 | Default value: $CASCredential 64 | Accept pipeline input: False 65 | Accept wildcard characters: False 66 | ``` 67 | 68 | ### -ResultSetSize 69 | Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 70 | 71 | ```yaml 72 | Type: Int32 73 | Parameter Sets: (All) 74 | Aliases: 75 | 76 | Required: False 77 | Position: Named 78 | Default value: 100 79 | Accept pipeline input: False 80 | Accept wildcard characters: False 81 | ``` 82 | 83 | ### -Skip 84 | Specifies the number of records, from the beginning of the result set, to skip. 85 | 86 | ```yaml 87 | Type: Int32 88 | Parameter Sets: (All) 89 | Aliases: 90 | 91 | Required: False 92 | Position: Named 93 | Default value: 0 94 | Accept pipeline input: False 95 | Accept wildcard characters: False 96 | ``` 97 | 98 | ### CommonParameters 99 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 100 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 101 | 102 | ## INPUTS 103 | 104 | ## OUTPUTS 105 | 106 | ## NOTES 107 | 108 | ## RELATED LINKS 109 | -------------------------------------------------------------------------------- /docs/Get-MCASUserGroup.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-MCASUserGroup 9 | 10 | ## SYNOPSIS 11 | Retrieves groups that are available for use in MCAS filters and policies. 
12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-MCASUserGroup [[-Credential] ] [[-ResultSetSize] ] [[-Skip] ] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Get-MCASUserGroup gets groups that are available for use in MCAS filters and policies. 22 | 23 | ## EXAMPLES 24 | 25 | ### EXAMPLE 1 26 | ``` 27 | Get-MCASUserGroup 28 | ``` 29 | 30 | PS C:\\\> Get-MCASUserGroup 31 | 32 | status : 0 33 | lastUpdatedTimestamp : 1506613547015 34 | name : Office 365 administrator 35 | nameTemplate : @{parameters=; template=SAGE_ADMIN_USERS_TAGS_GENERATOR_QUERY_BASED_USER_TAG_NAME} 36 | description : Company administrators, user account administrators, helpdesk administrators, service 37 | support administrators, and billing administrators 38 | descriptionTemplate : @{template=SAGE_ADMIN_USERS_TAGS_GENERATOR_O365_DESCRIPTION} 39 | visibility : 0 40 | usersCount : 1 41 | source : @{addCondition=; removeCondition=; type=2; appId=11161} 42 | successfullyImportedBySage : True 43 | _tid : 26034820 44 | appId : 11161 45 | lastScannedBySage : 1511881457181 46 | generatorType : 0 47 | _id : 59cd1847321708f4acbe8c1f 48 | type : 2 49 | id : 59cd1847321708f4acbe8c1e 50 | target : 0 51 | 52 | ## PARAMETERS 53 | 54 | ### -Credential 55 | Specifies the credential object containing tenant as username (e.g. 56 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 57 | 58 | ```yaml 59 | Type: PSCredential 60 | Parameter Sets: (All) 61 | Aliases: 62 | 63 | Required: False 64 | Position: 1 65 | Default value: $CASCredential 66 | Accept pipeline input: False 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -ResultSetSize 71 | Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria. 
72 | 73 | ```yaml 74 | Type: Int32 75 | Parameter Sets: (All) 76 | Aliases: 77 | 78 | Required: False 79 | Position: 2 80 | Default value: 100 81 | Accept pipeline input: False 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### -Skip 86 | Specifies the number of records, from the beginning of the result set, to skip. 87 | 88 | ```yaml 89 | Type: Int32 90 | Parameter Sets: (All) 91 | Aliases: 92 | 93 | Required: False 94 | Position: 3 95 | Default value: 0 96 | Accept pipeline input: False 97 | Accept wildcard characters: False 98 | ``` 99 | 100 | ### CommonParameters 101 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 102 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 103 | 104 | ## INPUTS 105 | 106 | ## OUTPUTS 107 | 108 | ## NOTES 109 | 110 | ## RELATED LINKS 111 | -------------------------------------------------------------------------------- /docs/New-MCASDiscoveryDataSource.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-MCASDiscoveryDataSource 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | New-MCASDiscoveryDataSource [[-Credential] ] [-Name] [-DeviceType] 17 | [-ReceiverType] [-AnonymizeUsers] [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | {{Fill in the Description}} 22 | 23 | ## EXAMPLES 24 | 25 | ### Example 1 26 | ```powershell 27 | PS C:\> {{ Add example code here }} 28 | ``` 29 | 30 | {{ Add example description here }} 31 | 32 | ## PARAMETERS 33 | 34 | ### -AnonymizeUsers 35 | {{Fill AnonymizeUsers Description}} 36 | 37 | ```yaml 38 | Type: SwitchParameter 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: False 
43 | Position: Named 44 | Default value: None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ### -Credential 50 | {{Fill Credential Description}} 51 | 52 | ```yaml 53 | Type: PSCredential 54 | Parameter Sets: (All) 55 | Aliases: 56 | 57 | Required: False 58 | Position: 0 59 | Default value: None 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### -DeviceType 65 | {{Fill DeviceType Description}} 66 | 67 | ```yaml 68 | Type: device_type 69 | Parameter Sets: (All) 70 | Aliases: 71 | Accepted values: BARRACUDA, BLUECOAT, CHECKPOINT, CISCO_ASA, CISCO_IRONPORT_PROXY, FORTIGATE, PALO_ALTO, SQUID, ZSCALER, MCAFEE_SWG, CISCO_SCAN_SAFE, JUNIPER_SRX, SOPHOS_SG, WEBSENSE_V7_5, WEBSENSE_SIEM_CEF, MACHINE_ZONE_MERAKI, SQUID_NATIVE, CISCO_FWSM, MICROSOFT_ISA_W3C, SONICWALL_SYSLOG, SOPHOS_CYBEROAM, CLAVISTER, JUNIPER_SSG, ZSCALER_QRADAR, JUNIPER_SRX_SD, JUNIPER_SRX_WELF, CISCO_ASA_FIREPOWER, GENERIC_CEF, GENERIC_LEEF, GENERIC_W3C, I_FILTER, CHECKPOINT_XML, CHECKPOINT_SMART_VIEW_TRACKER, BARRACUDA_NEXT_GEN_FW, BARRACUDA_NEXT_GEN_FW_WEBLOG 72 | 73 | Required: True 74 | Position: 2 75 | Default value: None 76 | Accept pipeline input: False 77 | Accept wildcard characters: False 78 | ``` 79 | 80 | ### -Name 81 | {{Fill Name Description}} 82 | 83 | ```yaml 84 | Type: String 85 | Parameter Sets: (All) 86 | Aliases: 87 | 88 | Required: True 89 | Position: 1 90 | Default value: None 91 | Accept pipeline input: False 92 | Accept wildcard characters: False 93 | ``` 94 | 95 | ### -ReceiverType 96 | {{Fill ReceiverType Description}} 97 | 98 | ```yaml 99 | Type: String 100 | Parameter Sets: (All) 101 | Aliases: 102 | Accepted values: FTP, FTPS, Syslog-UDP, Syslog-TCP, Syslog-TLS 103 | 104 | Required: True 105 | Position: 3 106 | Default value: None 107 | Accept pipeline input: False 108 | Accept wildcard characters: False 109 | ``` 110 | 111 | ### CommonParameters 112 | This cmdlet supports the common 
parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 113 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 114 | 115 | ## INPUTS 116 | 117 | ### None 118 | 119 | 120 | ## OUTPUTS 121 | 122 | ### System.Object 123 | 124 | ## NOTES 125 | 126 | ## RELATED LINKS 127 | -------------------------------------------------------------------------------- /docs/New-MCASSubnetCollection.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-MCASSubnetCollection 9 | 10 | ## SYNOPSIS 11 | Defines new subnet collections in MCAS for enrichment of IP address information. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | New-MCASSubnetCollection [-Credential ] [-Name] [-Category] 17 | [-Subnets] [[-Organization] ] [[-Tags] ] [-Quiet] [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | New-MCASSubnetCollection creates subnet collections in the MCAS tenant. 22 | 23 | ## EXAMPLES 24 | 25 | ### EXAMPLE 1 26 | ``` 27 | New-MCASSubnetCollection -Name 'Contoso Egress IPs' -Category Corporate -Subnets '1.1.1.1/32','2.2.2.2/32' 28 | ``` 29 | 30 | 5a9e04c7f82b1bb8af51c7fb 31 | 32 | ### EXAMPLE 2 33 | ``` 34 | New-MCASSubnetCollection -Name 'Contoso Internal IPs' -Category Corporate -Subnets '10.0.0.0/8' -Quiet 35 | ``` 36 | 37 | ## PARAMETERS 38 | 39 | ### -Credential 40 | Specifies the credential object containing tenant as username (e.g. 41 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 
42 | 43 | ```yaml 44 | Type: PSCredential 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: False 49 | Position: Named 50 | Default value: $CASCredential 51 | Accept pipeline input: False 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -Name 56 | {{Fill Name Description}} 57 | 58 | ```yaml 59 | Type: String 60 | Parameter Sets: (All) 61 | Aliases: 62 | 63 | Required: True 64 | Position: 1 65 | Default value: None 66 | Accept pipeline input: True (ByValue) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -Category 71 | {{Fill Category Description}} 72 | 73 | ```yaml 74 | Type: ip_category 75 | Parameter Sets: (All) 76 | Aliases: 77 | Accepted values: None, Corporate, Administrative, Risky, VPN, Cloud_Provider, Other 78 | 79 | Required: True 80 | Position: 2 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -Subnets 87 | {{Fill Subnets Description}} 88 | 89 | ```yaml 90 | Type: String[] 91 | Parameter Sets: (All) 92 | Aliases: 93 | 94 | Required: True 95 | Position: 3 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -Organization 102 | {{Fill Organization Description}} 103 | 104 | ```yaml 105 | Type: String 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: False 110 | Position: 4 111 | Default value: None 112 | Accept pipeline input: True (ByPropertyName) 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -Tags 117 | {{Fill Tags Description}} 118 | 119 | ```yaml 120 | Type: String[] 121 | Parameter Sets: (All) 122 | Aliases: 123 | 124 | Required: False 125 | Position: 5 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### -Quiet 132 | {{Fill Quiet Description}} 133 | 134 | ```yaml 135 | Type: SwitchParameter 136 | Parameter Sets: (All) 
137 | Aliases: 138 | 139 | Required: False 140 | Position: Named 141 | Default value: False 142 | Accept pipeline input: False 143 | Accept wildcard characters: False 144 | ``` 145 | 146 | ### CommonParameters 147 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 148 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 149 | 150 | ## INPUTS 151 | 152 | ## OUTPUTS 153 | 154 | ## NOTES 155 | 156 | ## RELATED LINKS 157 | -------------------------------------------------------------------------------- /docs/Remove-MCASAdminAccess.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Remove-MCASAdminAccess 9 | 10 | ## SYNOPSIS 11 | Removes administrators from the MCAS portal. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Remove-MCASAdminAccess [-Credential ] [-Username] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Remove-MCASAdminAccess removes explicit MCAS admin roles from users who have been assigned them within MCAS. 21 | 22 | ## EXAMPLES 23 | 24 | ### EXAMPLE 1 25 | ``` 26 | Remove-MCASAdminAccess -Username 'alice@contoso.com' 27 | ``` 28 | 29 | ### EXAMPLE 2 30 | ``` 31 | Remove-MCASAdminAccess 'bob@contoso.com' 32 | ``` 33 | 34 | ## PARAMETERS 35 | 36 | ### -Credential 37 | Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant.
38 | 39 | ```yaml 40 | Type: PSCredential 41 | Parameter Sets: (All) 42 | Aliases: 43 | 44 | Required: False 45 | Position: Named 46 | Default value: $CASCredential 47 | Accept pipeline input: False 48 | Accept wildcard characters: False 49 | ``` 50 | 51 | ### -Username 52 | {{Fill Username Description}} 53 | 54 | ```yaml 55 | Type: String 56 | Parameter Sets: (All) 57 | Aliases: 58 | 59 | Required: True 60 | Position: 1 61 | Default value: None 62 | Accept pipeline input: True (ByPropertyName, ByValue) 63 | Accept wildcard characters: False 64 | ``` 65 | 66 | ### CommonParameters 67 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 68 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 69 | 70 | ## INPUTS 71 | 72 | ## OUTPUTS 73 | 74 | ## NOTES 75 | 76 | ## RELATED LINKS 77 | -------------------------------------------------------------------------------- /docs/Remove-MCASDiscoveryDataSource.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Remove-MCASDiscoveryDataSource 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Remove-MCASDiscoveryDataSource [-Credential ] [-Identity] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{Fill in the Description}} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Credential 34 | {{Fill Credential Description}} 35 | 36 | ```yaml 37 | Type: PSCredential 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: Named 43 | Default value: None 44 | Accept 
pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### -Identity 49 | {{Fill Identity Description}} 50 | 51 | ```yaml 52 | Type: String 53 | Parameter Sets: (All) 54 | Aliases: _id 55 | 56 | Required: True 57 | Position: 0 58 | Default value: None 59 | Accept pipeline input: True (ByPropertyName, ByValue) 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### CommonParameters 64 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 65 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 66 | 67 | ## INPUTS 68 | 69 | ### System.String 70 | 71 | 72 | ## OUTPUTS 73 | 74 | ### System.Object 75 | 76 | ## NOTES 77 | 78 | ## RELATED LINKS 79 | -------------------------------------------------------------------------------- /docs/Remove-MCASSubnetCollection.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Remove-MCASSubnetCollection 9 | 10 | ## SYNOPSIS 11 | Removes a subnet collection in MCAS, as specified by its unique id 12 | 13 | ## SYNTAX 14 | 15 | ### ById 16 | ``` 17 | Remove-MCASSubnetCollection [-Credential ] [-Identity] [-Quiet] [] 18 | ``` 19 | 20 | ### ByName 21 | ``` 22 | Remove-MCASSubnetCollection [-Credential ] -Name [-Quiet] [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | Remove-MCASSubnetCollection deletes subnet collections in the MCAS tenant. 
27 | 28 | ## EXAMPLES 29 | 30 | ### EXAMPLE 1 31 | ``` 32 | Remove-MCASSubnetCollection -Identity '5a9e04c7f82b1bb8af51c7fb' 33 | ``` 34 | 35 | ### EXAMPLE 2 36 | ``` 37 | Get-MCASSubnetCollection | Remove-MCASSubnetCollection 38 | ``` 39 | 40 | ## PARAMETERS 41 | 42 | ### -Credential 43 | Specifies the credential object containing tenant as username (e.g. 44 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 45 | 46 | ```yaml 47 | Type: PSCredential 48 | Parameter Sets: (All) 49 | Aliases: 50 | 51 | Required: False 52 | Position: Named 53 | Default value: $CASCredential 54 | Accept pipeline input: False 55 | Accept wildcard characters: False 56 | ``` 57 | 58 | ### -Identity 59 | {{Fill Identity Description}} 60 | 61 | ```yaml 62 | Type: String 63 | Parameter Sets: ById 64 | Aliases: _id 65 | 66 | Required: True 67 | Position: 1 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName, ByValue) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -Name 74 | {{Fill Name Description}} 75 | 76 | ```yaml 77 | Type: String 78 | Parameter Sets: ByName 79 | Aliases: 80 | 81 | Required: True 82 | Position: Named 83 | Default value: None 84 | Accept pipeline input: False 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -Quiet 89 | {{Fill Quiet Description}} 90 | 91 | ```yaml 92 | Type: SwitchParameter 93 | Parameter Sets: (All) 94 | Aliases: 95 | 96 | Required: False 97 | Position: Named 98 | Default value: False 99 | Accept pipeline input: False 100 | Accept wildcard characters: False 101 | ``` 102 | 103 | ### CommonParameters 104 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 105 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
106 | 107 | ## INPUTS 108 | 109 | ## OUTPUTS 110 | 111 | ## NOTES 112 | 113 | ## RELATED LINKS 114 | -------------------------------------------------------------------------------- /docs/Send-MCASDiscoveryLog.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Send-MCASDiscoveryLog 9 | 10 | ## SYNOPSIS 11 | Uploads a proxy/firewall log file to a Cloud App Security tenant for discovery. 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Send-MCASDiscoveryLog [-Credential ] [-LogFile] [-LogType] 17 | [-DiscoveryDataSource] [-UploadAsSnapshot] [-Delete] [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Send-MCASDiscoveryLog uploads an edge device log file to be analyzed for SaaS discovery by Cloud App Security. 22 | 23 | When using Send-MCASDiscoveryLog, you must provide a log file by name/path and a log file type, which represents the source firewall or proxy device type. 24 | Also required is the name of the discovery data source with which the uploaded log should be associated; this can be created in the console. 25 | 26 | Send-MCASDiscoveryLog does not return any value 27 | 28 | ## EXAMPLES 29 | 30 | ### EXAMPLE 1 31 | ``` 32 | Send-MCASDiscoveryLog -LogFile C:\Users\Alice\MyFirewallLog.log -LogType CISCO_IRONPORT_PROXY -DiscoveryDataSource 'My CAS Discovery Data Source' 33 | ``` 34 | 35 | This uploads the MyFirewallLog.log file to CAS for discovery, indicating that it is of the CISCO_IRONPORT_PROXY log format, and associates it with the data source name called 'My CAS Discovery Data Source' 36 | 37 | ## PARAMETERS 38 | 39 | ### -Credential 40 | Specifies the credential object containing tenant as username (e.g. 41 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 
42 | 43 | ```yaml 44 | Type: PSCredential 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: False 49 | Position: Named 50 | Default value: $CASCredential 51 | Accept pipeline input: False 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -LogFile 56 | The full path of the Log File to be uploaded, such as 'C:\mylogfile.log'. 57 | 58 | ```yaml 59 | Type: String 60 | Parameter Sets: (All) 61 | Aliases: FullName 62 | 63 | Required: True 64 | Position: 1 65 | Default value: None 66 | Accept pipeline input: True (ByValue) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -LogType 71 | Specifies the source device type of the log file. 72 | 73 | ```yaml 74 | Type: device_type 75 | Parameter Sets: (All) 76 | Aliases: 77 | Accepted values: BARRACUDA, BLUECOAT, CHECKPOINT, CISCO_ASA, CISCO_IRONPORT_PROXY, FORTIGATE, PALO_ALTO, SQUID, ZSCALER, MCAFEE_SWG, CISCO_SCAN_SAFE, JUNIPER_SRX, SOPHOS_SG, WEBSENSE_V7_5, WEBSENSE_SIEM_CEF, MACHINE_ZONE_MERAKI, SQUID_NATIVE, CISCO_FWSM, MICROSOFT_ISA_W3C, SONICWALL_SYSLOG, SOPHOS_CYBEROAM, CLAVISTER, JUNIPER_SSG, ZSCALER_QRADAR, JUNIPER_SRX_SD, JUNIPER_SRX_WELF, CISCO_ASA_FIREPOWER, GENERIC_CEF, GENERIC_LEEF, GENERIC_W3C, I_FILTER, CHECKPOINT_XML, CHECKPOINT_SMART_VIEW_TRACKER, BARRACUDA_NEXT_GEN_FW, BARRACUDA_NEXT_GEN_FW_WEBLOG 78 | 79 | Required: True 80 | Position: 2 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -DiscoveryDataSource 87 | Specifies the discovery data source name as reflected in your CAS console, such as 'US West Microsoft ASA'. 
88 | 89 | ```yaml 90 | Type: String 91 | Parameter Sets: (All) 92 | Aliases: 93 | 94 | Required: True 95 | Position: 3 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -UploadAsSnapshot 102 | Specifies that the uploaded log file should be made into a snapshot report, in which case the value provided for -DiscoveryDataSource will become the snapshot report name. 103 | 104 | ```yaml 105 | Type: SwitchParameter 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: False 110 | Position: Named 111 | Default value: False 112 | Accept pipeline input: False 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -Delete 117 | Specifies that the uploaded log file should be deleted after the upload operation completes. 118 | 119 | ```yaml 120 | Type: SwitchParameter 121 | Parameter Sets: (All) 122 | Aliases: dts 123 | 124 | Required: False 125 | Position: Named 126 | Default value: False 127 | Accept pipeline input: False 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### CommonParameters 132 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 133 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 134 | 135 | ## INPUTS 136 | 137 | ## OUTPUTS 138 | 139 | ## NOTES 140 | 141 | ## RELATED LINKS 142 | -------------------------------------------------------------------------------- /docs/Set-MCASAlert.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: MCAS-help.xml 3 | Module Name: MCAS 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Set-MCASAlert 9 | 10 | ## SYNOPSIS 11 | Sets the status of alerts in Cloud App Security. 
12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Set-MCASAlert [-Identity] [-Credential ] [-MarkAs ] [-Dismiss] [-Quiet] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Sets the status of alerts in Cloud App Security and requires that a credential be provided. 22 | 23 | There are two parameter sets: 24 | 25 | MarkAs: Used for marking an alert as 'Read' or 'Unread'. 26 | Dismiss: Used for marking an alert as 'Dismissed'. 27 | 28 | An alert identity must always be specified, either explicitly or implicitly from the pipeline. 29 | 30 | ## EXAMPLES 31 | 32 | ### EXAMPLE 1 33 | ``` 34 | Set-MCASAlert -Identity cac1d0ec5734e596e6d785cc -MarkAs Read 35 | ``` 36 | 37 | This marks a single specified alert as 'Read'. 38 | 39 | ### EXAMPLE 2 40 | ``` 41 | Set-MCASAlert -Identity cac1d0ec5734e596e6d785cc -Dismiss 42 | ``` 43 | 44 | This will set the status of the specified alert as "Dismissed". 45 | 46 | ## PARAMETERS 47 | 48 | ### -Identity 49 | Specifies the alert to modify by its unique identifier. 50 | 51 | ```yaml 52 | Type: String 53 | Parameter Sets: (All) 54 | Aliases: _id 55 | 56 | Required: True 57 | Position: 1 58 | Default value: None 59 | Accept pipeline input: True (ByPropertyName, ByValue) 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### -Credential 64 | Specifies the credential object containing tenant as username (e.g. 65 | 'contoso.us.portal.cloudappsecurity.com') and the 64-character hexadecimal Oauth token as the password. 66 | 67 | ```yaml 68 | Type: PSCredential 69 | Parameter Sets: (All) 70 | Aliases: 71 | 72 | Required: False 73 | Position: Named 74 | Default value: $CASCredential 75 | Accept pipeline input: False 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ### -MarkAs 80 | Specifies how to mark the alert. 81 | Possible Values: 'Read', 'Unread'.
82 | 83 | ```yaml 84 | Type: String 85 | Parameter Sets: (All) 86 | Aliases: 87 | 88 | Required: False 89 | Position: Named 90 | Default value: None 91 | Accept pipeline input: False 92 | Accept wildcard characters: False 93 | ``` 94 | 95 | ### -Dismiss 96 | Specifies that the alert should be dismissed. 97 | 98 | ```yaml 99 | Type: SwitchParameter 100 | Parameter Sets: (All) 101 | Aliases: 102 | 103 | Required: False 104 | Position: Named 105 | Default value: False 106 | Accept pipeline input: False 107 | Accept wildcard characters: False 108 | ``` 109 | 110 | ### -Quiet 111 | {{Fill Quiet Description}} 112 | 113 | ```yaml 114 | Type: SwitchParameter 115 | Parameter Sets: (All) 116 | Aliases: 117 | 118 | Required: False 119 | Position: Named 120 | Default value: False 121 | Accept pipeline input: False 122 | Accept wildcard characters: False 123 | ``` 124 | 125 | ### CommonParameters 126 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 127 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 128 | 129 | ## INPUTS 130 | 131 | ## OUTPUTS 132 | 133 | ## NOTES 134 | 135 | ## RELATED LINKS 136 | -------------------------------------------------------------------------------- /docs/Tasks.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MCAS/9c92478a82212697be324742bc10d61e8d9aed82/docs/Tasks.xlsx --------------------------------------------------------------------------------