As cloud security becomes an ever greater concern for organizations of all sizes, the role and importance of Security Operations Centers (SOC) continues to expand. While end users adopt new cloud apps and services daily, the security professionals who keep track of security incidents remain a scarce resource. Consequently, SOC teams are looking for solutions that help automate processes where possible, to reduce the number of incidents that require their direct oversight and interaction.


Microsoft Cloud App Security now integrates with Microsoft Flow to provide centralized alert automation and orchestration of custom workflows - on your terms. It enables the use of an ecosystem of connectors in Microsoft Flow to create playbooks that work with the systems of your choice, existing processes you may already have, and enables organizations to automate the triage of alerts.


SOC teams are tasked with two functional areas - monitoring security incidents and taking action based on the available information, to uphold or restore the security of an organization.


They are expected to implement and support technology solutions that can sustain virtually every phase of enterprise activity. But as cyberthreats continue to evolve and business units adopt an ever-increasing number of new cloud apps and services, SOC teams struggle to respond to and recover from security incidents.


Microsoft Cloud App Security’s new integration with Microsoft Flow provides a series of powerful use cases to enable centralized alert automation and orchestration, using out-of-the-box and custom workflow playbooks that work with the systems of your choice. With connectors for more than 100 third-party solutions, such as ServiceNow, Jira and SAP, the integration can remove the need to send alerts to a SIEM or write custom code for simple workflows.


Use cases:

With these powerful services now natively integrated, we’ve created a list of scenarios based on common customer requests that can help you streamline your own processes.



1.  Routing CAS alerts to different SOC units

Large, global organizations often have dedicated SOC teams who oversee either specific departments or regions to enable them to triage more effectively.


Consequently, a key ask has been for our CASB solution to let organizations set up similar routing, so that new alerts are assigned to the relevant SOC team as they are raised.


Via the native integration with Microsoft Flow, ticket routing can now be based on the type of alert, Azure AD attributes such as user location, email address, UPN and more, providing a fully flexible model to route alerts based on the setup of your SOC teams and make them work for your organization.


Figure 1 shows the distribution to the relevant SOC teams when an alert is generated. The playbook is configured to look up the user's office location in Azure AD. If it is North America (NA), it posts a message in the NA SOC channel on Microsoft Teams. If the user's location is identified as Asia, the playbook also looks up the user's job title, to take a custom action if the user is a VP.


Figure 1: Playbook to route CAS alerts to different SOC units



2.  Automatic ticket generation in Management tools like Jira or ServiceNow when a CAS alert is raised

Many organizations use ticketing systems like ServiceNow or Jira to investigate alerts generated by Cloud App Security. By using the ServiceNow connector in Flow, you can create a playbook to automatically create an incident in ServiceNow when Cloud App Security generates an alert. Incidents can be populated with alert attributes such as description, severity and user information, to help with alert investigation. Flow also has connectors for Slack and Jira to execute similar workflows in those services.


Figure 2: Playbook to create incident in ticketing systems



Automating response

3.  Request manager approval to execute actions (e.g. disable a user account) for a CAS alert

While investigating an alert, SOC analysts may sometimes require approval from a manager to execute certain actions - such as disabling the user account. By creating a playbook in Flow using Outlook and Azure AD connectors, you can automatically execute this workflow when Cloud App Security generates an alert. Based on the response, the playbook can also dismiss the alert as false positive or resolve the alert after the investigation has completed.


In the below example, a playbook is configured to post a message for the SOC team and send an email to the manager to request input on how to investigate the alert.


Figure 3: E-mail requesting manager input for alert investigation



4.  Request user input to investigate CAS alert

Certain alert types, such as an “Activity from infrequent country” alert may require additional input or context from the affected user, for the security operation teams to act on. In these cases, we can create a playbook to send a text or email to the user for two factor confirmation that activity in CAS indeed originated from the user.


Figure 4: Send text message to user to confirm user activity



5.  Block unsanctioned apps on the firewall using CAS discovery alerts

By using Cloud App Security Discovery policies, security teams can identify apps that do not meet the guidelines established by an organization. When Cloud App Security generates a discovery alert for such an application, we can execute a playbook to automatically block that application's domain on the firewall. To execute the configuration change on the firewall, we use the HTTP connector and custom code against the firewall's API, since some firewalls, in this case Palo Alto, do not have a connector in Flow. If firewall configuration changes need to be approved by the networking team, you can use the Outlook connector to get their approval before executing the domain block as part of the same Flow.


Figure 5: Flow configuration to block unsanctioned app domains on firewall
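An added example, not the blog's or Microsoft's own Flow configuration: the input validation and approval gate a use case 5 playbook should apply before it pushes a domain block to the firewall, written in Python with the firewall call stubbed as a callable standing in for the HTTP connector step. The alert payload shape, the `NEVER_BLOCK` list and all function names are assumptions.

```python
# Added example (not the blog's playbook): guard logic for "block unsanctioned
# app domain on the firewall" so that automated response only pushes validated,
# approved host names and never a protected or malformed value.
import re
from typing import Callable

# Constructed discovery alert; the field names are an assumption, not the CAS schema.
SAMPLE_ALERT = {
    "alertType": "Discovery",
    "severity": "Medium",
    "app": "ShareBox Free",
    "domains": ["sharebox-free.example", "cdn.sharebox-free.example",
                "*.example", "Not-a-domain!"],
}

# Domains the business depends on; an automated block must never touch them (assumption).
NEVER_BLOCK = {"contoso.example", "login.microsoftonline.com", "office.com"}

# One or more DNS labels followed by an alphabetic TLD; rejects wildcards and junk.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def candidate_domains(alert: dict) -> tuple:
    """Split the alert's domains into (safe to block, rejected-with-reason)."""
    ok, rejected = [], []
    for raw in alert.get("domains", []):
        d = raw.strip().lower().rstrip(".")
        if not _DOMAIN_RE.match(d):
            rejected.append((raw, "not a valid host name"))
        elif d in NEVER_BLOCK or any(d.endswith("." + p) for p in NEVER_BLOCK):
            rejected.append((raw, "protected domain"))
        else:
            ok.append(d)
    return ok, rejected


def apply_block(alert: dict, approved: bool, block_fn: Callable[[str], bool]) -> dict:
    """Block validated domains only for Discovery alerts and only once approved.

    block_fn stands in for the firewall API call made by the HTTP connector and
    returns True when the firewall accepted the change.
    """
    ok, rejected = candidate_domains(alert)
    result = {"blocked": [], "rejected": rejected, "skipped": []}
    if alert.get("alertType") != "Discovery" or not approved:
        result["skipped"] = ok          # nothing touches the firewall without approval
        return result
    for d in ok:
        (result["blocked"] if block_fn(d) else result["skipped"]).append(d)
    return result
```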



With this new integration, you can now leverage Microsoft Cloud App Security as a fully integrated solution in your security operations setup to ultimately save time and optimize the use of your security resources by automating key processes.


More info and feedback

If you want to help us create more powerful workflow playbooks, provide suggestions and feedback on the Flow Community site.


Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!


As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Not applicable
Nice! Is this Flow integration covered in the “free” Flow licensing or does it need a P1/P2?
New Contributor
Love it, will try it !
Senior Member


My flow is triggered and failed when going to make the ticket in JIRA with the following error. We are using JIRA Core, hope the plug-in is commutable with that. 


errors"{"customfield_10500":"Field Customer Request Type is required."}



Frequent Visitor



Great write up, good stuff!!


@Chaminda Mendis - From the error it looks like you are missing one of the required fields. We'll gladly assist troubleshooting.

Can you please open a support ticket and share an export of the flow?



Senior Member

@Niv Goldenberg Thanks for the reply. I'll open a ticket. By the way, I tried all the JIRA plugins in Flow but got the same error.


Here is the JSON output:


Occasional Contributor

@Niv Goldenberg I like what I'm seeing here. Question on this one (#4): "Certain alert types, such as an “Activity from infrequent country” alert may require additional input or context from the affected user, for the security operation teams to act on. In these cases, we can create a playbook to send a text or email to the user for two factor confirmation that activity in CAS indeed originated from the user."


That's an interesting choice of wording. I don't think you are enforcing a second factor authentication request of the user with the Microsoft Authentication app or something similar, for example. What you are asking for is a written confirmation that the login was valid. So if the login has occurred and the login is invalid, then the attacker has the credentials, will get the email message (as will the valid user), and could respond directly to affirm validity. The text message route would be harder to penetrate.

Occasional Contributor

@Niv Goldenberg I've looked in my OCAS tenant and while "Send alerts to Flow (Preview)" shows in the Alerts section of a policy, the option to tick it is greyed out. Is there a timeframe for availability in OCAS, or is this purely intended to be an MCAS play? Thanks.


@Michael Sampson The integration with Flow will be available in OCAS as well by the end of March.


Occasional Contributor

Thanks for the answer and timeframe @Niv Goldenberg. The clarification is much appreciated.