Microsoft Sentinel Blog
Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel

Hesham_Saad
Dec 16, 2020

Overview

The Microsoft Cloud App Security (MCAS) connector lets you stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel. This gives you visibility into your cloud apps, sophisticated analytics to identify and combat cyberthreats, and control over how your data travels. For more details on enabling and configuring the out-of-the-box MCAS connector, see Connect data from Microsoft Cloud App Security.

Cloud App Security REST API (URL Structure, Token & Supported Actions)

The Microsoft Cloud App Security API provides programmatic access to Cloud App Security through REST API endpoints. Applications can use the API to perform read and update operations on Cloud App Security data and objects.

To use the Cloud App Security API, you must first obtain the API URL from your tenant. The API URL uses the following format:

https://<portal_url>/api/<endpoint>

To obtain the Cloud App Security portal URL for your tenant, do the following steps:

- In the Cloud App Security portal, click the question mark icon in the menu bar. Then, select About.
- In the Cloud App Security About screen, you can see the portal URL.

Once you have the portal URL, add the /api suffix to it to obtain your API URL. For example, if your portal's URL is https://m365x933168.eu2.portal.cloudappsecurity.com, then your API URL is https://m365x933168.eu2.portal.cloudappsecurity.com/api.

Cloud App Security requires an API token in the header of all API requests to the server, such as the following:

Authorization: Token <your_token_key>

Where <your_token_key> is your personal API token. For more information about API tokens, see Managing API tokens. Here is an example of querying the MCAS Activity log with curl:

The following table describes the actions supported:

Where Resource represents a group of related entities; for more details, please visit MCAS Activities API.

Implementation (MCAS Activity Connector)

  • Log in to the Azure tenant, http://portal.azure.com
  • Go to Azure Sentinel > Playbooks
  • Create a new Playbook and follow the GIF / step-by-step guide below; the code is uploaded to the GitHub repo as well:
    • Add a "Recurrence" step and set the following fields; the example below triggers the Playbook once a day:
      • Interval: 1
      • Frequency: Day
    • Initialize a variable for the MCAS API Token value; make sure to generate the MCAS API Token by following this guide:
      • Name: MCAS_API_Token
      • Type: String
      • Value: Token QhXXXXBSlodAV9AXXXXXXQlMcFhweXXXXXRXXh1OGkXXkXXkeX
    • Add an HTTP action to get the MCAS Activity data:
    • Parse the MCAS Activities data via Parse JSON:
      • Parse JSON - MCAS Activities:
        • Content: @{body('HTTP_-_MCAS_Activities_API')}
        • Schema: uploaded to GitHub
    • Initialize an Array variable:
      • Name: TempArrayVar
      • Type: Array
    • Append to array variable:
      • Name: TempArrayVar
      • Value: @{body('Parse_JSON_-_MCAS_Activities')}
    • Add a For each control to iterate over the parsed MCAS Activities items:
      • Select an output from previous steps: @variables('TempArrayVar')
      • Send the data (MCAS Activity Log) to the Azure Sentinel Log Analytics workspace via a custom log table:
        • JSON Request body: @{items('For_each')}
        • Custom Log Name: MCAS_Activity_Log
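The same pipeline as the playbook steps above (API URL from the portal URL, the Token header, one record per activity, upload into a custom log table), as an added Python example that is not the blog's Logic App code. It assumes the activities list endpoint is /api/v1/activities/ and that its reply is shaped {"data": [...]}, and it writes to the workspace through the Log Analytics HTTP Data Collector API instead of the Logic App "Send Data" action; neither detail is stated on the page.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

def mcas_api_url(portal_url, endpoint="v1/activities/"):
    """Portal URL + '/api' suffix + endpoint (the endpoint path is an assumption)."""
    return portal_url.rstrip("/") + "/api/" + endpoint.lstrip("/")

def mcas_headers(token):
    """MCAS requires 'Authorization: Token <your_token_key>' on every request."""
    return {"Authorization": "Token " + token, "Content-Type": "application/json"}

def split_activities(body):
    """One record per activity, as the 'for each' step needs: a bare list passes
    through, a list-style reply {"data": [...]} (assumed shape) is unwrapped,
    and a single object is wrapped so the loop never receives a non-array."""
    if isinstance(body, str):
        body = json.loads(body)
    if isinstance(body, list):
        return body
    if isinstance(body, dict) and isinstance(body.get("data"), list):
        return body["data"]
    return [body]

def la_signature(workspace_id, shared_key, body, rfc1123_date):
    """'SharedKey' header of the Data Collector API: HMAC-SHA256 over the canonical
    request string, keyed with the base64-decoded workspace primary key."""
    to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    mac = hmac.new(base64.b64decode(shared_key), to_sign.encode(), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"

def la_request(workspace_id, shared_key, log_type, records, now=None):
    """URL, headers and JSON body for one upload into the custom table <log_type>_CL."""
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode()
    return {"url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
            "headers": {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": date,
                        "Authorization": la_signature(workspace_id, shared_key, body, date)},
            "body": body}

if __name__ == "__main__":
    # Constructed sample reply (no network call); field names are illustrative only.
    sample = {"data": [{"_id": "act-1", "eventTypeName": "EVENT_CATEGORY_LOGIN"},
                       {"_id": "act-2", "eventTypeName": "EVENT_CATEGORY_DOWNLOAD_FILE"}], "hasNext": False}
    rows = split_activities(sample)
    req = la_request("<workspace-id>", "QUJDREVGR0g=", "MCAS_Activity_Log", rows)  # placeholder key
    print(mcas_api_url("https://m365x933168.eu2.portal.cloudappsecurity.com"))
    print(len(rows), "records ->", req["url"], req["headers"]["Authorization"][:20] + "...")
```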

Notes & Consideration

  • You can customize the parser in the connector's flow to the required attributes / fields based on your schema / payload before ingestion; you can also create custom Azure Functions once the data has been ingested into Azure Sentinel
  • You can customize the for-each step to iterate over the MCAS Activity log and send each item to the Log Analytics workspace, so that each activity log ends up in a separate table record / row
  • You can build your own detection and analytics rules / use cases; a couple of MCAS Activities analytics rules will be ready to use on GitHub, stay tuned
  • A couple of points to consider while using Logic Apps:

Get started today!

We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Updated Nov 03, 2021
Version 4.0
  • shoando

    Do MCAS API Tokens need to be stored using Key Vault?

  • Sasuke_Ziy

    Awesome stuff, although will there be a part 2 of this? Covering the "considerations" section?

  • Hi Hesham_Saad

    Great Blog - thanks a lot.

    I have successfully implemented the app in my test environment and built another one for the entity endpoint.

    As a next step I'd like to separate the logs to different rows but so far I'm not successful because the for each loop tells me that it needs an array not an object 😞

    Have you already done this successfully and can give me a hint?

    Thanks Chris

  • aimery21

    Is there a connector to ingest Workday HCM logs into Sentinel?

  • Paul_Saldanha

    Hi Hesham_Saad

    Does this also work for the other MCAS URIs, specifically Files? If it does, does it overcome the 5000 item export limit that is present with the UI export of File policy matches?
