Functions/Get-MCASActivityType.ps1

<#
.Synopsis
   Lists the activity types that MCAS is aware of for a given application.
.DESCRIPTION
   Get-MCASActivityType lists the activity types that MCAS consumes for the specified app. MCAS activities can be filtered by these types allowing for granular policies to watch for very specific activity.
 
.EXAMPLE
    PS C:\> Get-MCASActivityType -AppId 20595
 
    name app types
    ---- --- -----
    Accept file access request Microsoft_Cloud_App_Security {2424867}
    Add item to list Microsoft_Cloud_App_Security {2424861}
    Add parent folder to file Microsoft_Cloud_App_Security {917585}
    Add privilege Microsoft_Cloud_App_Security {2424833}
    Apply Azure Information Protection classification labels Microsoft_Cloud_App_Security {917663}
    Assign tag Microsoft_Cloud_App_Security {917596}
    Block app Microsoft_Cloud_App_Security {917622, 917668}
    Certificate upload Microsoft_Cloud_App_Security {917621}
    Change OAuth token Microsoft_Cloud_App_Security {917526}
    Change SAML certificate Microsoft_Cloud_App_Security {917528}
    Change password Microsoft_Cloud_App_Security {2424864, 917507}
    Copy item Microsoft_Cloud_App_Security {2424834}
    Create API token Microsoft_Cloud_App_Security {917513}
    Create Cloud Discovery anomaly policy Microsoft_Cloud_App_Security {917633}
    Create Cloud Discovery policy Microsoft_Cloud_App_Security {917626}
    Create IP address range Microsoft_Cloud_App_Security {917590}
    Create activity policy Microsoft_Cloud_App_Security {917549}
    Create anomaly detection policy Microsoft_Cloud_App_Security {917606}
    Create file policy Microsoft_Cloud_App_Security {917567}
    Create inline policy Microsoft_Cloud_App_Security {917573}
    Create item Microsoft_Cloud_App_Security {2424835}
    Create ownership notification Microsoft_Cloud_App_Security {917578}
    Create tag Microsoft_Cloud_App_Security {917593}
    Create user Microsoft_Cloud_App_Security {917516}
    DLP match detected Microsoft_Cloud_App_Security {2424863}
    Delete Cloud Discovery anomaly policy Microsoft_Cloud_App_Security {917635}
    Delete Cloud Discovery data Microsoft_Cloud_App_Security {917643}
    Delete Cloud Discovery policy Microsoft_Cloud_App_Security {917628}
    Delete IP address range Microsoft_Cloud_App_Security {917592}
    Delete activity policy Microsoft_Cloud_App_Security {917551}
    Delete anomaly detection policy Microsoft_Cloud_App_Security {917608}
    Delete file policy Microsoft_Cloud_App_Security {917569}
    Delete inline policy Microsoft_Cloud_App_Security {917575}
    Delete item Microsoft_Cloud_App_Security {2424836}
    Delete ownership notification Microsoft_Cloud_App_Security {917580}
    Delete report Microsoft_Cloud_App_Security {917648}
    Delete tag Microsoft_Cloud_App_Security {917595}
    Delete user Microsoft_Cloud_App_Security {917517}
    Deny file access request Microsoft_Cloud_App_Security {2424868}
    Deploy app Microsoft_Cloud_App_Security {917640, 917641, 917642}
    Disable policy Microsoft_Cloud_App_Security {917605}
    Dismiss alert Microsoft_Cloud_App_Security {917544}
    Dismiss alerts - bulk Microsoft_Cloud_App_Security {917625}
    Download file Microsoft_Cloud_App_Security {196354}
    Download item Microsoft_Cloud_App_Security {2424837}
    Edit Cloud Discovery anomaly policy Microsoft_Cloud_App_Security {917634}
    Edit Cloud Discovery policy Microsoft_Cloud_App_Security {917627}
    Edit IP address range Microsoft_Cloud_App_Security {917591}
    Edit activity policy Microsoft_Cloud_App_Security {917550}
    Edit anomaly detection policy Microsoft_Cloud_App_Security {917607}
    Edit file policy Microsoft_Cloud_App_Security {917568}
    Edit inline policy Microsoft_Cloud_App_Security {917574}
    Edit item Microsoft_Cloud_App_Security {2424838}
    Edit ownership notification Microsoft_Cloud_App_Security {917579}
    Edit permissions Microsoft_Cloud_App_Security {917657}
    Edit tag Microsoft_Cloud_App_Security {917594}
    Editors can share Microsoft_Cloud_App_Security {917572, 917577}
    Enable policy Microsoft_Cloud_App_Security {917604}
    Failed log on Microsoft_Cloud_App_Security {2424839, 917506}
    Generate report Microsoft_Cloud_App_Security {917646, 917645}
    Generate traffic log report Microsoft_Cloud_App_Security {917673}
    Grant owner permission Microsoft_Cloud_App_Security {917563}
    Grant read permission Microsoft_Cloud_App_Security {917558, 917559}
    Grant write permission Microsoft_Cloud_App_Security {917562}
    Log on Microsoft_Cloud_App_Security {196355, 2424840, 196352, 917..
    Log out Microsoft_Cloud_App_Security {1028, 917505, 2424841}
    Make file private Microsoft_Cloud_App_Security {917531, 917510}
    Mark app Microsoft_Cloud_App_Security {917666, 917667, 917603, 917602
    Modify managed domains Microsoft_Cloud_App_Security {917617}
    Move item Microsoft_Cloud_App_Security {2424842}
    Notify user on application access token Microsoft_Cloud_App_Security {917582}
    Open via public link Microsoft_Cloud_App_Security {917638}
    Override risk score Microsoft_Cloud_App_Security {917670}
    Owners can share Microsoft_Cloud_App_Security {917571, 917576}
    Print asset Microsoft_Cloud_App_Security {2424843}
    Quarantine file Microsoft_Cloud_App_Security {917649, 917536, 917619}
    Reduce public permissions Microsoft_Cloud_App_Security {917676, 917678}
    Remove Azure Information Protection classification labels Microsoft_Cloud_App_Security {917664}
    Remove direct share link Microsoft_Cloud_App_Security {917541, 917542}
    Remove external permissions Microsoft_Cloud_App_Security {917511, 917530}
    Remove file from folder Microsoft_Cloud_App_Security {917586}
    Remove permission Microsoft_Cloud_App_Security {917588}
    Remove privilege Microsoft_Cloud_App_Security {2424856}
    Remove public permissions Microsoft_Cloud_App_Security {917512, 917529}
    Remove user's collaborations Microsoft_Cloud_App_Security {917548, 917547}
    Rename item Microsoft_Cloud_App_Security {2424845}
    Require user to sign in again Microsoft_Cloud_App_Security {917665}
    Reset password Microsoft_Cloud_App_Security {2424851, 2424846, 917615, 91..
    Resolve alert Microsoft_Cloud_App_Security {917543}
    Resolve alerts - bulk Microsoft_Cloud_App_Security {917651, 917652}
    Restore file from quarantine Microsoft_Cloud_App_Security {917620, 917650}
    Restore item Microsoft_Cloud_App_Security {2424847}
    Revoke API token Microsoft_Cloud_App_Security {917514}
    Revoke admin privilege Microsoft_Cloud_App_Security {917552, 917553}
    Revoke application access token Microsoft_Cloud_App_Security {917554, 917555, 917636, 917637
    Revoke owner permission Microsoft_Cloud_App_Security {917565}
    Revoke password Microsoft_Cloud_App_Security {917535}
    Revoke read permission Microsoft_Cloud_App_Security {917560, 917561}
    Revoke user password Microsoft_Cloud_App_Security {917525}
    Revoke write permission Microsoft_Cloud_App_Security {917564}
    Run command Microsoft_Cloud_App_Security {2424848}
    Run ownership notification Microsoft_Cloud_App_Security {917581}
    SIEM agents Microsoft_Cloud_App_Security {917658, 917659, 917660, 917661
    Scan on-demand Microsoft_Cloud_App_Security {917618}
    Search document Microsoft_Cloud_App_Security {2424849}
    Set app-permission status Microsoft_Cloud_App_Security {917653, 917656, 917654, 917655
    Share item Microsoft_Cloud_App_Security {2424853}
    Single sign-on log on Microsoft_Cloud_App_Security {1024}
    Suspend user Microsoft_Cloud_App_Security {917533, 917523}
    Sync item Microsoft_Cloud_App_Security {2424854}
    Test API Microsoft_Cloud_App_Security {917584}
    Transfer document ownership Microsoft_Cloud_App_Security {917546, 917532, 917545, 917570
    Trash item Microsoft_Cloud_App_Security {2424855}
    Unassign tag Microsoft_Cloud_App_Security {917597}
    Unblock app Microsoft_Cloud_App_Security {917669, 917623}
    Unshare item Microsoft_Cloud_App_Security {2424857}
    Unspecified Microsoft_Cloud_App_Security {2424870, 2424832}
    Unsuspend user Microsoft_Cloud_App_Security {917534, 917524}
    Update Cloud Discovery service Microsoft_Cloud_App_Security {917675, 917672, 917671, 917674
    Update file sharing invitation Microsoft_Cloud_App_Security {2424858}
    Update user Microsoft_Cloud_App_Security {917519, 917518}
    Upload Cloud Discovery file Microsoft_Cloud_App_Security {917601}
    Upload file Microsoft_Cloud_App_Security {196353}
    Upload item Microsoft_Cloud_App_Security {2424859}
    View item Microsoft_Cloud_App_Security {2424860}
 
.FUNCTIONALITY
   Get-MCASActivityType is intended to display the activity types that MCAS is aware of and can filter on. Activities that are unknown to MCAS will fall under the 'Unspecified' activity type.
#>

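function Get-MCASActivityType {
    [CmdletBinding()]
    param
    (
        # Specifies the CAS credential object containing the 64-character hexadecimal OAuth token used for authentication and authorization to the CAS tenant.
        # Defaults to the module-level $CASCredential when not supplied.
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$Credential = $CASCredential,

        # Limits the results to items related to the specified service IDs, such as 11161,11770 (for Office 365 and Google Apps, respectively).
        # The value is interpolated into the request URL below; the [int] type and the five-digit pattern
        # guarantee that only a numeric service ID can reach the query string.
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^\d{5}$')]
        [Alias("Service","Services")]
        [int]$AppId,

        # Specifies the maximum number of results to retrieve when listing items matching the specified filter criteria.
        # Applied client-side to the endpoint's response, and only when the caller passes it explicitly,
        # so the default output (everything the endpoint returns) is unchanged.
        [Parameter(Mandatory=$false)]
        [ValidateRange(1,100)]
        [int]$ResultSetSize = 100,

        # Specifies the number of records, from the beginning of the result set, to skip.
        # Applied client-side, and only when the caller passes it explicitly (see -ResultSetSize).
        [Parameter(Mandatory=$false)]
        [ValidateScript({$_ -ge 0})]
        [int]$Skip = 0
    )
    process {

        # Get the activity types for the requested app and handle errors.
        # The request keeps the endpoint's page size at 500; caller-requested paging is applied
        # to the returned data below rather than sent to the service.
        try {
            $response = Invoke-MCASRestMethod -Credential $Credential -Path "/cas/api/audits/type/?servicesFilter=eq(i%3A$AppId%2C)&max=500&search=" -Method Get
        }
        catch {
            throw "Error calling MCAS API. The exception was: $_"
        }

        Write-Verbose "Getting just the response property named 'data'"
        $response = $response.data

        # A missing or empty 'data' property yields no output; say so in verbose mode so that an
        # empty result is distinguishable from a silent failure.
        if ($null -eq $response) {
            Write-Verbose "The response for app $AppId contained no 'data' property"
        }

        Write-Verbose "Adding the friendly name of the application to the response as a property named 'app'"
        $response = $response | Add-Member -NotePropertyName 'app' -NotePropertyValue ($AppId -as [mcas_app]) -PassThru

        Write-Verbose "Selecting properties to be returned"
        $response = $response | Select-Object -Property name,app,types,id

        # Honour -Skip and -ResultSetSize only when the caller bound them, so existing callers that
        # rely on the defaults still receive every type the endpoint returned.
        if ($PSBoundParameters.ContainsKey('Skip')) {
            Write-Verbose "Skipping the first $Skip results"
            $response = $response | Select-Object -Skip $Skip
        }
        if ($PSBoundParameters.ContainsKey('ResultSetSize')) {
            Write-Verbose "Limiting the output to $ResultSetSize results"
            $response = $response | Select-Object -First $ResultSetSize
        }

        $response
    }
}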