Automating Security workflows with Microsoft’s CASB and MS Flow
Published Jan 08 2019 06:00 AM 46.9K Views

As Cloud Security is becoming an increasingly greater concern for organizations of all sizes, the role and importance of Security Operations Centers (SOC) continues to expand. While end users leverage new cloud apps and services daily, Security professionals that keep track of security incidents remain a scarce resource. Consequently, SOC teams are looking for solutions that help automate processes where possible, to reduce the number of incidents that require their direct oversight and interaction.


Microsoft Cloud App Security now integrates with Microsoft Flow to provide centralized alert automation and orchestration of custom workflows - on your terms. It enables the use of an ecosystem of connectors in Microsoft Flow to create playbooks that work with the systems of your choice, existing processes you may already have, and enables organizations to automate the triage of alerts.


SOC teams are tasked with two functional areas - monitoring security incidents and taking action based on the available information, to uphold or restore the Security of an organization.


They are expected to implement and support technology solutions that can sustain virtually every phase of enterprise activity. But as cyberthreats continue to evolve and business units leverage an ever-increasing number of new cloud apps and services, SOC teams struggle to respond to- and recover from security incidents.


Microsoft Cloud App Security’s new integration with Microsoft Flow provides a series of powerful use cases to enable centralized alert automation and orchestration, leveraging out-of-the-box and custom workflow playbooks that work with the systems of your choice. With connectors for more than 100 3rd party solutions, such as ServiceNow, Jira and SAP, the integration could remove the need to send alerts to a SIEM or write custom code for simple workflows.


Use cases:

With these powerful services now natively integrated, we’ve created a list of scenarios based on common customer requests that can help you streamline your own processes.



1.  Routing CAS alerts to different SOC units

Large, global organizations often have dedicated SOC teams who oversee either specific departments or regions to enable them to triage more effectively.


Consequently, a key ask has been for our CASB solution to allow organizations to setup similar routing to assign the alerts to the relevant SOC teams, when new alerts are raised.


Via the native integration with Microsoft Flow, ticket routing can now be based on the type of alert, Azure AD attributes such as user location, email address, UPN and more, providing a fully flexible model to route alerts based on the setup of your SOC teams and make them work for your organization.


Figure 1 shows the distribution to the relevant SOC teams, when an alert is generated. Playbook is configured to look up the user office location in Azure AD. If it’s North America (NA), it will post a message in the NA SOC channel on Microsoft Teams. If the user’s location is identified as Asia, the playbook includes a lookup of the user’s job title, to take a custom action if the user is a VP.


Figure 1: Playbook to route CAS alerts to different SOC unitsFigure 1: Playbook to route CAS alerts to different SOC units



2.  Automatic ticket generation in Management tools like Jira or ServiceNow when a CAS alert is raised

Many organizations use ticketing systems like ServiceNow or Jira to investigate alerts generated by Cloud App Security. By using the ServiceNow connector in Flow, you can create a playbook to automatically create an incident in ServiceNow when Cloud App Security generates an alert. Incidents can be populated with alert attributes such as description, severity and user information, to help with alert investigation. Flow also has connectors for Slack and Jira to execute similar workflows in those services.


Figure 2: Playbook to create incident in ticketing systemsFigure 2: Playbook to create incident in ticketing systems



Automating response

3.  Request manager approval to execute actions (ex. Disable user account) for CAS alert

While investigating an alert, SOC analysts may sometimes require approval from a manager to execute certain actions - such as disabling the user account. By creating a playbook in Flow using Outlook and Azure AD connectors, you can automatically execute this workflow when Cloud App Security generates an alert. Based on the response, the playbook can also dismiss the alert as false positive or resolve the alert after the investigation has completed.


In the below example, a playbook is configured to post a message for the SOC team and send an email to the manager to request input on how to investigate the alert.


Figure 3: E-mail requesting manager input for alert investigationFigure 3: E-mail requesting manager input for alert investigation



4.  Request user input to investigate CAS alert

Certain alert types, such as an “Activity from infrequent country” alert may require additional input or context from the affected user, for the security operation teams to act on. In these cases, we can create a playbook to send a text or email to the user for two factor confirmation that activity in CAS indeed originated from the user.


Figure 4: Send text message to user to confirm user activityFigure 4: Send text message to user to confirm user activity



5.  Block unsanctioned apps on the firewall using CAS discovery alerts

By using Cloud App Security Discovery policies, security teams can identify apps that do not meet the guidelines established by an organization. When Cloud App Security generates a discovery alert for such an application, we can execute a playbook to automatically block that application domain on the firewall. To execute the configuration change on the firewall, we are using the HTTP connector and custom code with firewall API since some, in this case Palo Alto, don’t have a connector in Flow. If Firewall configuration changes need to be approved by the networking team, you can use the Outlook connector to get their approval prior to executing the domain block changes as part of the same Flow.


Figure 5: Flow configuration to block unsanctioned app domains on firewallFigure 5: Flow configuration to block unsanctioned app domains on firewall



With this new integration, you can now leverage Microsoft Cloud App Security as a fully integrated solution in your security operations setup to ultimately save time and optimize the use of your security resources by automating key processes.


More info and feedback

If you want to help us create more powerful workflow playbooks, provide suggestions and feedback on Flow Community site.


Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!


As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Version history
Last update:
‎Nov 02 2021 04:33 PM
Updated by: