Forum Discussion

Copper Contributor

Nov 21, 2018

Cloud App Security no longer logging events from scripts

Hi, Why would CAS stop logging events initiated by systems other than devices? We have run tests from a few different scripts today, none of which got picked up in CAS: Sending emails via Pow...

Cloud App Security

Shalini Pasupneti

Former Employee

Dec 02, 2018

Hi Chris,

Thanks for reaching out. There hasn't been any changes in Cloud App Security related to auditing & user agent. Per the below documentation, the commands you referenced are not part of audited events therefore not visible in CAS or in SCC.

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#audited-activities

Thanks

Shalini

cstegh
Copper Contributor
Dec 18, 2018
We have a live situation where several hundred events are being missed in the same timeframe. An acct was compromised, and is being accessed from Russia using the SMTP service (i.e. from some scripted method).

CAS (which is pulling form the Azure AD audit logs), has nothing at all for that IP, and none of it is captured in the CAS (or audit) logs.

Is CAS supposed to log events from scripts, or just physical devices?
cstegh
Copper Contributor
Dec 04, 2018
Hi,
Is “Send-MailMessage” an event that is logged by Cloud App Security? We know it *used to be* because the creator of “PhishHunter” (Steve @ MSFT) used it to demonstrate how when it’s run against an acct, it creates an event that will then remediate an acct.