Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel
Overview
The Microsoft Cloud App Security (MCAS) connector lets you stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel. This gives you visibility into your cloud apps, sophisticated analytics to identify and combat cyberthreats, and control over how your data travels. For details on enabling and configuring the out-of-the-box MCAS connector, see Connect data from Microsoft Cloud App Security.
Cloud App Security REST API (URL Structure, Token & Supported Actions)
The Microsoft Cloud App Security API provides programmatic access to Cloud App Security through REST API endpoints. Applications can use the API to perform read and update operations on Cloud App Security data and objects.
To use the Cloud App Security API, you must first obtain the API URL from your tenant. The API URL uses the following format:
https://<portal_url>/api/<endpoint>
To obtain the Cloud App Security portal URL for your tenant, do the following steps:
- In the Cloud App Security portal, click the question mark icon in the menu bar. Then, select About.
- In the Cloud App Security About screen, you can see the portal URL.
Once you have the portal URL, add the /api suffix to it to obtain your API URL. For example, if your portal's URL is https://m365x933168.eu2.portal.cloudappsecurity.com, then your API URL is https://m365x933168.eu2.portal.cloudappsecurity.com/api.
Cloud App Security requires an API token in the header of all API requests to the server, such as the following:
Authorization: Token <your_token_key>
Where <your_token_key> is your personal API token. For more information about API tokens, see Managing API tokens. Here is an example of cURLing the MCAS Activity log:
The following table describes the actions supported:
Here, Resource represents a group of related entities; for more details, see MCAS Activities API.
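The URL structure and token header described above, as an added example (not code from the original post or from the MCAS product): it builds https://<portal_url>/api/<endpoint> from the tenant's portal URL, sends the Authorization: Token header on a GET to /api/v1/activities/ (the endpoint the playbook calls), and decodes the records. It assumes the JSON response carries its records under a top-level "data" array; PORTAL_URL is the one shown in the post, while API_TOKEN, SAMPLE_RESPONSE and fake_opener are constructed here so the script can be exercised offline.

```python
# Added example, not part of the original post or of MCAS itself.
# Assumptions: records live under a top-level "data" key in the response;
# API_TOKEN, SAMPLE_RESPONSE and fake_opener are constructed stand-ins.
import json
import os
import urllib.request

PORTAL_URL = "https://m365x933168.eu2.portal.cloudappsecurity.com"  # value from the post
# Read the token from the environment rather than hard-coding it in a script.
API_TOKEN = os.environ.get("MCAS_API_TOKEN", "EXAMPLE_TOKEN_PLACEHOLDER")


def api_url(portal_url: str, endpoint: str) -> str:
    """https://<portal_url>/api/<endpoint>, tolerant of stray slashes on either side."""
    return f"{portal_url.rstrip('/')}/api/{endpoint.lstrip('/')}"


def auth_headers(token: str) -> dict:
    """MCAS expects 'Authorization: Token <your_token_key>' on every request."""
    return {"Authorization": f"Token {token}", "Accept": "application/json"}


def extract_records(body) -> list:
    """Return the list of activity records from a decoded response body."""
    if isinstance(body, dict):
        return list(body.get("data", []))  # "data" key is an assumption
    if isinstance(body, list):
        return list(body)
    raise ValueError(f"unexpected response shape: {type(body).__name__}")


def fetch_activities(portal_url: str, token: str, opener=urllib.request.urlopen) -> list:
    """GET /api/v1/activities/ and return its records.

    `opener` defaults to urllib's urlopen and is injectable for offline use."""
    req = urllib.request.Request(
        api_url(portal_url, "v1/activities/"),
        headers=auth_headers(token),
        method="GET",
    )
    with opener(req) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    return extract_records(body)


# --- constructed offline stand-in for the MCAS endpoint -----------------------
SAMPLE_RESPONSE = {  # constructed sample, not real MCAS output
    "data": [
        {"_id": "act-0001", "eventType": "Logon", "user": {"userName": "alice@contoso.example"}},
        {"_id": "act-0002", "eventType": "FileDownload", "user": {"userName": "bob@contoso.example"}},
    ]
}


class _FakeResponse:
    """Minimal object with the read() / context-manager surface urlopen returns."""

    def __init__(self, payload):
        self._raw = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._raw

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Mimics urlopen but only enforces the one thing MCAS enforces here: the Token header."""
    if not req.get_header("Authorization", "").startswith("Token "):
        raise PermissionError("missing 'Authorization: Token' header")
    return _FakeResponse(SAMPLE_RESPONSE)


if __name__ == "__main__":
    # Swap fake_opener for the default opener to hit the real tenant.
    for rec in fetch_activities(PORTAL_URL, API_TOKEN, opener=fake_opener):
        print(rec["_id"], rec["eventType"], rec["user"]["userName"])
```

Keeping the token in an environment variable (or a Key Vault reference, as the playbook's variable step would in production) rather than in the script mirrors the point of the Initialize variable step: the token is a credential with full read access to the activity log, so it should never land in source control.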
Implementation (MCAS Activity Connector)
- Log in to the Azure tenant, http://portal.azure.com
- Go to Azure Sentinel > Playbooks
- Create a new Playbook and follow the GIF / step-by-step guide below; the code is uploaded to the GitHub repo as well:
- Add a “Recurrence” step and set the following fields; below is an example that triggers the Playbook once a day:
- Interval: 1
- Frequency: Day
- Initialize a variable for the MCAS API token value; generate the MCAS API token by following this guide:
- Name: MCAS_API_Token
- Type: String
- Value: Token QhXXXXBSlodAV9AXXXXXXQlMcFhweXXXXXRXXh1OGkXXkXXkeX
- Set up an HTTP action to get the MCAS Activity data:
- HTTP - MCAS Activities API:
- Method: GET
- URI: https://m365x933168.eu2.portal.cloudappsecurity.com/api/v1/activities/
- Headers:
- Key: Authorization
- Value: @variables('MCAS_API_Token')
- Parse the MCAS Activities data with a Parse JSON action:
- Parse JSON - MCAS Activities:
- Content: @{body('HTTP_-_MCAS_Activities_API')}
- Schema: uploaded to GitHub
- Initialize an Array Variable:
- Name: TempArrayVar
- Type: Array
- Append to array variable:
- Name: TempArrayVar
- Value: @{body('Parse_JSON_-_MCAS_Activities')}
- Add a For each control to iterate over the parsed MCAS Activities items:
- Select an output from previous steps: @variables('TempArrayVar')
- Send the data (MCAS Activity Log) to the Azure Sentinel Log Analytics workspace via a custom log table:
- JSON Request body: @{items('For_each')}
- Custom Log Name: MCAS_Activity_Log
Notes & Considerations
- You can customize the parser in the connector's flow with the attributes / fields you need, based on your schema / payload, before ingestion; you can also create custom Azure Functions once the data has been ingested into Azure Sentinel.
- You can customize the for-each step to iterate over the MCAS Activity log and send each entry to the Log Analytics workspace, so that each activity log entry ends up as a separate record / row in the table.
- You can build your own detection and analytics rules / use cases; a couple of MCAS Activities analytics rules will be ready to use on GitHub, stay tuned.
- A couple of points to consider while using Logic Apps:
- Cost (standard / enterprise connectors)
- Considerations & Configurations
- Non standard schema
- Rewriting rules
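The last leg of the playbook (the Send Data step, and the note above about landing each activity as its own row) done outside Logic Apps, as an added example that is not code from the original post or the Azure Sentinel project: it posts the activity records to the Log Analytics HTTP Data Collector API with a SharedKey signature, under the custom log name MCAS_Activity_Log (which becomes the MCAS_Activity_Log_CL table). It assumes this is the same API the playbook's Send Data action relies on. WORKSPACE_ID, SHARED_KEY, SAMPLE_RECORDS, FIXED_TIME and fake_opener are constructed placeholders; the SharedKey string-to-sign format follows the public Data Collector API documentation.

```python
# Added example, not part of the original post. Posts MCAS activity records
# to a Log Analytics custom table via the HTTP Data Collector API.
# Assumptions: WORKSPACE_ID / SHARED_KEY / SAMPLE_RECORDS / FIXED_TIME are
# constructed placeholders; fake_opener stands in for the service offline.
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder workspace id
SHARED_KEY = base64.b64encode(b"constructed-not-a-real-workspace-key").decode()  # placeholder key
LOG_TYPE = "MCAS_Activity_Log"  # custom log name from the post; table becomes MCAS_Activity_Log_CL
RESOURCE = "/api/logs"
MAX_BATCH = 500  # rows per POST; keeps each request well under the API's 30 MB limit

SAMPLE_RECORDS = [  # constructed, not real MCAS output
    {"_id": "act-0001", "eventType": "Logon", "userName": "alice@contoso.example"},
    {"_id": "act-0002", "eventType": "FileDownload", "userName": "bob@contoso.example"},
    {"_id": "act-0003", "eventType": "Logon", "userName": "carol@contoso.example"},
]
FIXED_TIME = datetime.datetime(2021, 1, 1, 0, 0, 0, tzinfo=datetime.timezone.utc)


def rfc1123(when: datetime.datetime) -> str:
    """Date format the x-ms-date header requires (e.g. 'Fri, 01 Jan 2021 00:00:00 GMT')."""
    return when.strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_signature(workspace_id: str, shared_key: str, rfc_date: str, content_length: int,
                    method: str = "POST", content_type: str = "application/json") -> str:
    """SharedKey authorization value: HMAC-SHA256 over the canonical string,
    keyed with the base64-decoded workspace key, then base64-encoded."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc_date}\n{RESOURCE}")
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id: str, shared_key: str, log_type: str, records: list, when=None):
    """Return (url, headers, body) for one Data Collector POST.
    Every element of the JSON array becomes one row in <log_type>_CL."""
    body = json.dumps(records).encode("utf-8")
    rfc_date = rfc1123(when or datetime.datetime.now(datetime.timezone.utc))
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body


def batches(records: list, size: int = MAX_BATCH) -> list:
    """Split the activity list into POST-sized chunks."""
    return [records[i:i + size] for i in range(0, len(records), size)]


def send_records(records: list, opener=urllib.request.urlopen) -> int:
    """POST every batch; returns the number of rows sent. `opener` is injectable."""
    sent = 0
    for batch in batches(records):
        url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE, batch)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with opener(req) as resp:
            if resp.status != 200:
                raise RuntimeError(f"Data Collector API returned HTTP {resp.status}")
        sent += len(batch)
    return sent


class _FakeResponse:
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Offline stand-in that checks only what the service would reject outright."""
    auth = req.get_header("Authorization", "")
    if not auth.startswith(f"SharedKey {WORKSPACE_ID}:") or not req.get_header("Log-type"):
        raise PermissionError("bad or missing SharedKey / Log-Type header")
    return _FakeResponse()


if __name__ == "__main__":
    print("rows sent:", send_records(SAMPLE_RECORDS, opener=fake_opener))
```

Signing each request with the workspace key is what the playbook's Send Data connection does for you; the trade-off in doing it yourself is that you now hold the shared key, so it belongs in Key Vault or an environment variable, and the signature binds the date header, so the clock on the sending host must be accurate or the service rejects the post.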
Get started today!
We encourage you to try it now!
You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.