Forum Discussion
Hemanth_Abbina
Jan 18, 2021
Microsoft
Any plan to integrate/send MCAS activity events to Sentinel
Hi,
The current MCAS to Sentinel connector is sending only alerts and discovery logs to Sentinel. Are there any plans to include the MCAS activity logs in the integration ? (The MCAS SIEM connector...
BemmelenPatrick
Iron Contributor
Hello Hemanth_Abbina,
There currently is a workaround where you are able to configure the MCAS API as the source for collecting the Activity logs into Azure Sentinel.
Please check out this article for more information:
https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-cloud-app-security-mcas-activity-log-in-azure-sentinel/ba-p/1849806
Hemanth_Abbina
Jan 19, 2021
Microsoft
BemmelenPatrick Thanks.
Agree with this approach, but we have a problem. The MCAS API token is not persistent and is associated with the user who created it. The Azure subscription we are using is PIM enabled, and all users must activate their roles using PIM for 4 hours. In such scenarios, the API token we create will be inactive whenever the PIM session of the user expires. So it's not suited for scheduled/automated data collection.
- BemmelenPatrick
Jan 19, 2021
Iron Contributor
Hello Hemanth,
Are you using PIM for access to MCAS or to Azure Sentinel/Logic Apps?
Because the API token is taken from MCAS this will need to be entered for the Logic Apps connection but for Logic Apps you can use managed identities:
https://docs.microsoft.com/nl-nl/azure/logic-apps/create-managed-service-identity
- Hemanth_Abbina
Jan 19, 2021
Microsoft
BemmelenPatrick Thanks for the quick response.
I'm talking about the MCAS API token. The API token created in the MCAS portal is associated with the user who created it. If the user's PIM session expires, the API token won't work.
- Christopher Brumm
Mar 17, 2021
Brass Contributor
Hi,
We're experiencing the same problem. I think we will use the Break Glass Account. Does anyone have a better idea?
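As an added example (not code from any participant or from the linked article), the workaround discussed above as a scheduled collector: it pulls activities from the MCAS REST API with a watermark and writes them to a custom table in the Sentinel workspace through the Log Analytics Data Collector API, and it surfaces the failure mode Hemanth_Abbina describes (the API token rejected once its creator's PIM session lapses) as an explicit error instead of a silent gap. Assumed, not stated in the thread: the MCAS endpoint `POST /api/v1/activities/` with a `date.gte` epoch-millisecond filter and `timestamp` fields on records, and the Data Collector API `SharedKey` signature scheme; tenant, token and workspace values are placeholders.

```python
"""Collector: pull the MCAS activity log via the MCAS REST API and ship it to a Log
Analytics custom table in the Sentinel workspace. Assumptions (not from the thread):
the MCAS endpoint POST /api/v1/activities/ with a date.gte epoch-ms filter and a
'timestamp' field on each record, and the Log Analytics Data Collector SharedKey scheme."""
import base64, hashlib, hmac, json
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.request import Request, urlopen

MCAS_URL = "https://<tenant>.<region>.portal.cloudappsecurity.com"  # placeholder
MCAS_TOKEN = "<mcas-api-token>"  # issued in the MCAS portal, bound to its creator
WORKSPACE_ID = "<workspace-id>"  # placeholder
WORKSPACE_KEY = base64.b64encode(b"<primary-key>").decode()  # placeholder
LOG_TYPE = "MCASActivity"  # appears in Sentinel as MCASActivity_CL

class TokenRejected(Exception):
    """MCAS returned 401/403: the token no longer works, e.g. its creator's PIM role lapsed."""

def activity_filter(watermark_ms: int, limit: int = 100, skip: int = 0) -> dict:
    # Only activities at or after the newest one already shipped.
    return {"filters": {"date": {"gte": watermark_ms}}, "limit": limit, "skip": skip}

def next_watermark(activities: list, current_ms: int) -> int:
    # Advance to the newest timestamp seen; never move backwards.
    return max([current_ms] + [a["timestamp"] for a in activities])

def shared_key_header(workspace_id: str, shared_key: str, body: bytes, rfc1123_date: str) -> str:
    # HMAC-SHA256 over the canonical request, keyed with the decoded workspace key.
    to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    digest = hmac.new(base64.b64decode(shared_key), to_sign.encode(), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def fetch_activities(watermark_ms: int) -> list:
    req = Request(f"{MCAS_URL}/api/v1/activities/", data=json.dumps(activity_filter(watermark_ms)).encode(),
                  headers={"Authorization": f"Token {MCAS_TOKEN}", "Content-Type": "application/json"})
    try:
        return json.load(urlopen(req))["data"]
    except HTTPError as e:
        if e.code in (401, 403):  # the failure mode discussed in the thread
            raise TokenRejected("MCAS token rejected; re-issue it from a persistent account") from e
        raise

def ship_to_sentinel(activities: list) -> int:
    body = json.dumps(activities).encode()
    date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    url = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    headers = {"Content-Type": "application/json", "Log-Type": LOG_TYPE, "x-ms-date": date,
               "Authorization": shared_key_header(WORKSPACE_ID, WORKSPACE_KEY, body, date)}
    return urlopen(Request(url, data=body, headers=headers)).status
```

A scheduler (Logic App, Function, cron) calls fetch_activities with the stored watermark, ship_to_sentinel with the result, and persists next_watermark; a TokenRejected is the signal to rotate the token to an account whose role does not expire.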