Forum Discussion

Hamid285's avatar
Hamid285
Copper Contributor
Nov 16, 2020

cloud app security and SIEM agent

Hello, We need to send our cloud app security alerts to our onpremise SIEM, we know that we can install a java program to setup cloud app security agent, by the way we ever used event HUB for AD azu...
Cloud App Security
SurVir's avatar
SurVir
Former Employee
May 25, 2022

BillTheKid, what are high availability options for setting up SIEM Agent Server? How do we make sure it is not single point of failure and can scale?

BillTheKid's avatar
BillTheKid
Brass Contributor
Jun 29, 2022

SurVir, you don't use it anymore more today (2 years later). You would integrate MDCA (previously known as MCAS) within MDE and use the https://docs.microsoft.com/en-US/microsoft-365/security/defender/streaming-api?view=o365-worldwide to get all raw-data via https://docs.microsoft.com/en-US/microsoft-365/security/defender/advanced-hunting-cloudappevents-table?view=o365-worldwide table (for MDCA raw data). Alerts are merged into https://docs.microsoft.com/en-US/microsoft-365/security/defender/advanced-hunting-alertinfo-table?view=o365-worldwide table (for MDCA alerts) (for alerts you alternatively may use https://docs.microsoft.com/en-US/graph/api/resources/alert?view=graph-rest-1.0) and Incidents would require https://docs.microsoft.com/en-US/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide (for MDCA merged incidents). This gets you safe all the information and is scalable and has no point of failures when implementing correctly - forget the MCAS SIEM AGENT , this was before they went "XDR".