Defender for Cloud Apps offers an alert page by design, providing an overview of detected ongoing or past identity anomalies. But why not use Microsoft Power Automate to catch these events and send them to Microsoft Teams as your single information portal? This tutorial shows how to configure that solution. Please note that Defender for Cloud Apps should already be running and generating alerts.

Microsoft Teams - what the solution looks like

You can see a Microsoft Teams channel called SecOps. The messages in it are generated automatically through Microsoft Flow; the alert notifications come from Defender for Cloud Apps.
teams-alerts-cas


Cloud app security alerts

Official docs

  1. To start, we first need to open the Defender for Cloud Apps portal.

  2. At the top right, click on the settings icon and choose Security extensions.
    cas-security-extensions-2

  3. Now add an API token and give it a name.
    cas-add-api-token

  4. Copy the token and the connection URL that are displayed; both are entered into the Power Automate trigger later. Treat the token like a password: it grants API access to your Defender for Cloud Apps tenant, so keep it in a secure location rather than in a note or chat.
    cas-api-token

Policy settings

In Defender for Cloud Apps we differentiate between:

  • Policies are active templates that produce alerts
  • Templates are blueprints that can be used to create alerts

So we need to customize each policy that should cause an action, in this example a Microsoft Flow. On the left pane, go to Policies under Control and click on the settings of the policy you want.
cas-policy-edit

Scroll down to the Alerts section and enable the checkbox "Send alerts to Power Automate". Here we can choose playbooks, which are technically Flows.
cas-send-alert


Power Automate - flow

  1. Next we are going to create our flow in the Microsoft Power Automate portal, which is accessible through portal.office.com. I would advise using a dedicated, least-privileged user for Flow tasks, so that the flow's connections are not tied to a personal account.
    flow-create-1

  2. Create an automated cloud flow and skip the trigger selection for now.
    flow-create-cloud-flow

  3. You now need to search for Defender for Cloud Apps. Currently there is only one trigger, called "when an alert is generated", which we need to select. Insert the token and connection URL from the step before.
    flow-trigger-cas

  4. Then add an action called "Post message in chat or channel".
    flow-teams-chat-channel

  5. Either publish the message in a channel of a team or in a personal chat with Flow. I am going for a channel, which I created beforehand.

Select a team and channel and enter some payload. In my example it consists of a few basic attributes. These are displayed in a box, which means they are dynamic content originating from the trigger, in this case Defender for Cloud Apps. So every message contains the individual information of the CAS alert.

flow-cas-alert

After validation, the Flow should be working. You can test it manually or re-run a past event.
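As an added example (not part of the original post), here is a small Python script that uses the token and connection URL from step 4 of the API token section to check that the token works before wiring it into the flow, and that renders an alert into the same kind of short summary of basic attributes the flow posts to Teams. The `/api/v1/alerts/` path, the `Authorization: Token` header scheme, the `data` response key and the alert field names (`_id`, `title`, `severity`, `timestamp`, `entities`) are assumptions based on the Defender for Cloud Apps REST API, not something the post shows; the sample alert is constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Assumed (not from the post): numeric severity values used by the alerts API.
SEVERITY_NAMES = {0: "Low", 1: "Medium", 2: "High"}

# Constructed sample alert for offline use; not a real alert from any tenant.
SAMPLE_ALERT = {
    "_id": "000000000000000000000001",
    "title": "Impossible travel activity",
    "severity": 2,
    "timestamp": 1700000000000,  # assumed: epoch milliseconds
    "entities": [{"label": "alice@contoso.example", "type": "user"}],
}


def api_headers(token: str) -> dict:
    """Header set for the Defender for Cloud Apps API (assumed 'Token' scheme)."""
    return {"Authorization": f"Token {token}", "Content-Type": "application/json"}


def alerts_url(connection_url: str) -> str:
    """Build the list-alerts endpoint from the connection URL copied in step 4."""
    return connection_url.rstrip("/") + "/api/v1/alerts/"


def format_alert(alert: dict) -> str:
    """Render one alert the way the flow's Teams message does: a few basic attributes."""
    severity = SEVERITY_NAMES.get(alert.get("severity"), "Unknown")
    when = datetime.fromtimestamp(alert.get("timestamp", 0) / 1000, tz=timezone.utc)
    who = ", ".join(e.get("label", "?") for e in alert.get("entities", [])) or "(no entities)"
    title = alert.get("title", "(untitled)")
    return f"[{severity}] {title} | {when:%Y-%m-%d %H:%M:%S} UTC | {who} | id {alert.get('_id', '?')}"


def list_recent_alerts(connection_url: str, token: str, limit: int = 10) -> list:
    """Verify the token by listing the most recent alerts (assumed POST with skip/limit paging)."""
    body = json.dumps({"skip": 0, "limit": limit}).encode()
    req = urllib.request.Request(alerts_url(connection_url), data=body,
                                 headers=api_headers(token), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises HTTPError on a bad token
        return json.load(resp).get("data", [])


if __name__ == "__main__":
    # Offline demonstration; replace with list_recent_alerts(<connection URL>, <token>) to go live.
    print(format_alert(SAMPLE_ALERT))
```

If `list_recent_alerts` raises an HTTP 401/403 error, the token or connection URL is wrong and the Power Automate trigger will fail in the same way.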

