Forum Discussion
cloud app security and SIEM agent
Hamid285, to get all MCAS (Cloud App Security) raw events you need the MCAS API (https://docs.microsoft.com/en-US/cloud-app-security/siem), which will be ingested via remote syslog into Splunk (CEF format).
Additionally, you need the https://docs.microsoft.com/en-US/graph/overview?view=graph-rest-1.0 for the high-level telemetry - the https://splunkbase.splunk.com/app/4564/.
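The post above routes SIEM-agent output over syslog in CEF format, so the receiving side needs a CEF parser. The following is an added example, not code from the post or from Microsoft's SIEM agent: a small CEF parser that handles the escaping rules of the format (escaped pipes in the header, escaped `=`, `\n` and `\r` in extension values, values containing spaces) and resolves `csNLabel`/`csN` pairs into readable names. The sample line, its vendor/product/version strings and all field values are constructed for the example and are not captured agent output.

```python
import re

# Constructed sample line in the CEF layout the MCAS SIEM agent emitted over
# syslog. Vendor/product/version, field names and values are illustrative, not
# captured output; "\=", "\n" and the escaped header test exercise CEF escaping.
SAMPLE_CEF = (
    "CEF:0|MCAS|SIEM_Agent|0.111.85|EVENT_CATEGORY_LOGIN|Log on|0|"
    "externalId=1234567 rt=1656489600000 suser=alice@example.com "
    "destinationServiceName=Office 365 cs1Label=portalURL "
    "cs1=https://portal.example/alert\\=1 msg=Log on\\nfrom new ISP"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# A key starts at the beginning of the extension or after whitespace and is
# followed by an unescaped "=". Escaped "\=" never matches because "\" is not
# a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(line):
    """Return the seven '|'-delimited header fields (honouring '\\|' and '\\\\'
    escapes) and the remaining extension string."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, line[i:]


def _unescape(value):
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext):
    """Split 'key=value key=value ...' where values may contain spaces: each
    value runs from its '=' up to the start of the next key match."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF record into header fields, extension map and labelled
    custom strings. Raises ValueError for lines that are not CEF."""
    header, ext = _split_header(line.rstrip("\r\n"))
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    rec = dict(zip(HEADER_FIELDS, header))
    rec["cef_version"] = header[0].split(":", 1)[1]
    rec["extension"] = _parse_extension(ext)
    # Resolve custom-string pairs (cs1Label=portalURL + cs1=...) so downstream
    # rules can refer to the label instead of the opaque csN slot.
    rec["labeled"] = {}
    for key, label in rec["extension"].items():
        if key.endswith("Label") and key[:-5] in rec["extension"]:
            rec["labeled"][label] = rec["extension"][key[:-5]]
    return rec


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["name"], parsed["severity"], parsed["labeled"])
```

A line that does not start with `CEF:` or has fewer than seven header fields is rejected rather than half-parsed, which is the behaviour you want in a syslog receiver feeding detection rules.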
BillTheKid, what are the high availability options for setting up the SIEM Agent Server? How do we make sure it is not a single point of failure and can scale?
- BillTheKid, Jul 01, 2022, Brass Contributor
SurVir, https://github.com/tianderturpijn/MCAS/tree/master/MCAS-ASC-integration describes installation with the MCAS SIEM Agent via Log Analytics hosted within an Azure VM.
- BillTheKid, Jun 29, 2022, Brass Contributor
SurVir, you don't use it anymore today (2 years later). You would integrate MDCA (previously known as MCAS) within MDE and use the https://docs.microsoft.com/en-US/microsoft-365/security/defender/streaming-api?view=o365-worldwide to get all raw data via the https://docs.microsoft.com/en-US/microsoft-365/security/defender/advanced-hunting-cloudappevents-table?view=o365-worldwide table (for MDCA raw data). Alerts are merged into the https://docs.microsoft.com/en-US/microsoft-365/security/defender/advanced-hunting-alertinfo-table?view=o365-worldwide table (for MDCA alerts); for alerts you may alternatively use https://docs.microsoft.com/en-US/graph/api/resources/alert?view=graph-rest-1.0. Incidents would require https://docs.microsoft.com/en-US/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide (for MDCA merged incidents). This gets you all the information safely, is scalable and has no single point of failure when implemented correctly. Forget the MCAS SIEM Agent; this was before they went "XDR".
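The reply above describes pulling MDCA raw data and alerts through the Microsoft 365 Defender Streaming API rather than the SIEM agent. As an added example (not code from the post, the Streaming API or any Microsoft project), the block below takes one Event Hub message in the documented shape (a `records` array whose items carry `time`, `tenantId`, `category` of the form `AdvancedHunting-<Table>` and the table row under `properties`) and splits it into MDCA raw events from `CloudAppEvents`, MDCA alerts from `AlertInfo`, and a count of anything else, so each stream can land in its own SIEM index. The column names used (`ActionType`, `Application`, `RawEventData`, `ServiceSource`, `Severity`, ...) are taken from the two linked table references; the message itself, tenant id, timestamps, names and IP addresses are constructed for the example, and the `ServiceSource` strings are an assumption about how MDCA identifies itself in `AlertInfo`.

```python
import json

# Constructed sample message in the layout the Streaming API writes to Event
# Hubs: a "records" array whose items carry time, tenantId, category
# ("AdvancedHunting-<Table>") and the table row under "properties".
# Tenant id, timestamps, names, addresses and the alert id are invented.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2022-06-29T10:00:01Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-CloudAppEvents",
            "properties": {
                "Timestamp": "2022-06-29T09:59:58Z",
                "ActionType": "FileDownloaded",
                "Application": "Microsoft SharePoint Online",
                "AccountDisplayName": "alice",
                "IPAddress": "203.0.113.10",
                "ReportId": 1,
                # dynamic column; may arrive as a JSON string
                "RawEventData": "{\"ObjectId\": \"/sites/finance/q2.xlsx\"}",
            },
        },
        {
            "time": "2022-06-29T10:00:02Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-AlertInfo",
            "properties": {
                "Timestamp": "2022-06-29T10:00:00Z",
                "AlertId": "ca000000000000000000000000000000",
                "Title": "Mass download by a single user",
                "Category": "Exfiltration",
                "Severity": "High",
                "ServiceSource": "Microsoft Defender for Cloud Apps",
            },
        },
        {   # not an MDCA table: counted and dropped by the router
            "time": "2022-06-29T10:00:03Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-DeviceInfo",
            "properties": {"DeviceName": "laptop-01", "OSPlatform": "Windows10"},
        },
    ]
})

# Assumed ServiceSource values for MDCA alerts (current and former product name).
MDCA_SERVICE_NAMES = {"Microsoft Defender for Cloud Apps",
                      "Microsoft Cloud App Security"}


def route_message(raw_json):
    """Split one Event Hub message into MDCA raw events, MDCA alerts and a
    per-category count of everything else."""
    out = {"events": [], "alerts": [], "dropped": {}}
    for rec in json.loads(raw_json).get("records", []):
        category = rec.get("category", "")
        props = rec.get("properties") or {}
        if category == "AdvancedHunting-CloudAppEvents":
            raw = props.get("RawEventData")
            if isinstance(raw, str):          # serialised dynamic column
                try:
                    raw = json.loads(raw)
                except ValueError:
                    pass                      # keep the original string
            out["events"].append({
                "table": "CloudAppEvents",
                "observed_at": props.get("Timestamp") or rec.get("time"),
                "action": props.get("ActionType"),
                "app": props.get("Application"),
                "user": props.get("AccountDisplayName"),
                "ip": props.get("IPAddress"),
                "report_id": props.get("ReportId"),
                "raw": raw,
            })
        elif (category == "AdvancedHunting-AlertInfo"
              and props.get("ServiceSource") in MDCA_SERVICE_NAMES):
            out["alerts"].append({
                "table": "AlertInfo",
                "observed_at": props.get("Timestamp") or rec.get("time"),
                "alert_id": props.get("AlertId"),
                "title": props.get("Title"),
                "category": props.get("Category"),
                "severity": props.get("Severity"),
            })
        else:
            out["dropped"][category] = out["dropped"].get(category, 0) + 1
    return out


def high_severity(routed):
    """MDCA alerts worth paging on; values follow the AlertInfo Severity column."""
    return [a for a in routed["alerts"] if a["severity"] == "High"]


if __name__ == "__main__":
    routed = route_message(SAMPLE_MESSAGE)
    print(json.dumps(routed, indent=2))
    print("high severity:", [a["title"] for a in high_severity(routed)])
```

Because the Streaming API fans out to Event Hubs (or a storage account) that the consumer reads at its own pace, there is no agent VM to keep highly available; scaling is a matter of adding consumers per partition, which is the point the reply makes about the agent being obsolete.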