Back Arrow Back to All Integrations

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps

Cloud SIEM for Microsoft Defender for Cloud Apps

Click here for the most updated version of this documentation.


Microsoft Defender for Cloud Apps (formerly Cloud App Security) is a multimode cloud access security broker (CASB). It provides visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft cloud services.


Blumira integrates with Microsoft Defender for Cloud Apps to stream Microsoft cloud security event logs and alerts to the Blumira service for threat detection and actionable response.


Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.


Free Trial

Integrating with Microsoft Cloud App Security

Before you begin

To send Microsoft Defender for Cloud Apps logs to Blumira, follow these steps:

  1. Go to https://portal.cloudappsecurity.com/ and log in.
  2. Navigate to Settings > Security Extensions.
  3. Select API Tokens.
  4. Click + to add a new token.
  5. Enter a name, such as “Blumira Sensor”.
  6. Make a note of the token and the URL for use in later steps.

Providing Defender for Cloud Apps credentials to Blumira

To collect Microsoft Defender for Cloud Apps logs on an existing sensor in the Blumira sensor UI, you must add a Cloud App Security module.

To add a module on an existing sensor and provide credentials:

  1. In Blumira, click Settings.
  2. Click Sensors.
  3. Click the sensor on which you want to add a module.
  4. On the detail page for the sensor, scroll down and click Add Module.
  5. In the Add New Module window, select the newest version of this integration’s module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
  6. Enter the credentials that you gathered in the “Before you begin” section above.
  7. (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the “device_address” column in the results of your event data queries. If you might have additional modules collect logs for different integrations in the future, this will help you distinguish them. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
  8. Click Install.