Unable to ingest SIEM Integration logs for Cloud Apps
Hi All,
We are trying to set up SIEM integration for Microsoft Defender for Cloud Apps using this: https://learn.microsoft.com/en-gb/defender-cloud-apps/siem. We performed all of the following steps but are not able to get the logs as mentioned in the official doc.
We are getting the logs below, which are not in line with the expected sample logs provided at https://learn.microsoft.com/en-us/defender-cloud-apps/siem:
Connecting socket to xyz.us2.portal.cloudappsecurity.com/52.184.165.82:443 with timeout 30000
"{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"forwardData","success":true,"messages":[],"operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4ntmymzi5mdawjmxhc3rbbgvydelkpty2nmviogu5mdawmdawmdawmdawmdawma=="},{"operationType":"sleep","success":true,"messages":[]}]}"
Connection established 100.64.0.1:49261<->52.184.165.82:443
============
Connection established 100.64.0.1:63977<->52.184.165.82:443
http-outgoing-48: set socket timeout to 60000
{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"sleep","success":true,"messages":[]},{"operationType":"forwardData","success":true,"messages":[],"operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkynjmwmzgxjmxhc3rbbgvydelkpty2nzjhzme1mdawmdawmdawmdawmdawma=="}]}"
{"nextOperations":[{"type":"sleep","duration":300000},{"type":"forwardData","sourceDataUrl":"https://xyz.us2.portal.cloudappsecurity.com/api/v1/agents/siem/get_data/?lastActivityCreated=1718792915260&lastAlertId=6672b0d50000000000000000&operationId=bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkyote1mjywjmxhc3rbbgvydelkpty2nzjimgq1mdawmdawmdawmdawmdawma==","operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkyote1mjywjmxhc3rbbgvydelkpty2nzjimgq1mdawmdawmdawmdawmdawma==","targetHost":"127.0.0.1","targetPort":"514","targetProtocol":"udp"}]}"
Can you please provide support on what changes we need to make to get the activity and alert logs?
Thank You
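The agent output pasted above interleaves plain connection messages with JSON status reports and the service's "nextOperations" directives. The following script is an added example (not from the post, not Microsoft's agent code) that parses those lines as pasted, tolerating the stray quotes around the JSON, and summarises what the service instructed the agent to do: how long to sleep, where it was told to deliver data (here 127.0.0.1:514 over UDP), and how far back the activity cursor in the sourceDataUrl points. The sample log is copied from the post; the finding texts are this example's own wording.

```python
"""Summarise Defender for Cloud Apps SIEM agent log lines.

Added example, not code from the forum post or from Microsoft.  The sample
lines below are copied from the post above (stray quotes left as pasted).
"""
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Agent output as pasted in the post (constructed sample for this example).
SAMPLE_LOG = r'''
Connecting socket to xyz.us2.portal.cloudappsecurity.com/52.184.165.82:443 with timeout 30000
"{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"forwardData","success":true,"messages":[],"operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4ntmymzi5mdawjmxhc3rbbgvydelkpty2nmviogu5mdawmdawmdawmdawmdawma=="},{"operationType":"sleep","success":true,"messages":[]}]}"
Connection established 100.64.0.1:49261<->52.184.165.82:443
============
Connection established 100.64.0.1:63977<->52.184.165.82:443
http-outgoing-48: set socket timeout to 60000
{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"sleep","success":true,"messages":[]},{"operationType":"forwardData","success":true,"messages":[],"operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkynjmwmzgxjmxhc3rbbgvydelkpty2nzjhzme1mdawmdawmdawmdawmdawma=="}]}"
{"nextOperations":[{"type":"sleep","duration":300000},{"type":"forwardData","sourceDataUrl":"https://xyz.us2.portal.cloudappsecurity.com/api/v1/agents/siem/get_data/?lastActivityCreated=1718792915260&lastAlertId=6672b0d50000000000000000&operationId=bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkyote1mjywjmxhc3rbbgvydelkpty2nzjimgq1mdawmdawmdawmdawmdawma==","operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkyote1mjywjmxhc3rbbgvydelkpty2nzjimgq1mdawmdawmdawmdawmdawma==","targetHost":"127.0.0.1","targetPort":"514","targetProtocol":"udp"}]}"
'''

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def extract_json_objects(log_text):
    """Return the JSON objects found in the log, one per line.

    The agent prints some JSON wrapped in an extra pair of double quotes, so we
    slice from the first '{' to the last '}' instead of parsing the whole line.
    """
    objects = []
    for line in log_text.splitlines():
        start, end = line.find("{"), line.rfind("}")
        if start == -1 or end == -1:
            continue  # socket / timeout chatter, not JSON
        try:
            objects.append(json.loads(line[start:end + 1]))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; ignore
    return objects


def summarize(log_text):
    """Split the log into agent status reports and service directives."""
    summary = {"status_reports": [], "directives": []}
    for obj in extract_json_objects(log_text):
        if "operationsStatus" in obj:
            summary["status_reports"].append({
                "version": obj.get("version"),
                "operations": [(op["operationType"], op["success"])
                               for op in obj["operationsStatus"]],
            })
        for op in obj.get("nextOperations", []):
            if op["type"] == "sleep":
                summary["directives"].append(
                    {"type": "sleep", "seconds": op["duration"] / 1000})
            elif op["type"] == "forwardData":
                # The cursor the service will pull from is encoded in the URL query.
                query = parse_qs(urlsplit(op["sourceDataUrl"]).query)
                cursor_ms = int(query["lastActivityCreated"][0])
                summary["directives"].append({
                    "type": "forwardData",
                    "target": (op["targetHost"], int(op["targetPort"]),
                               op["targetProtocol"].lower()),
                    "activity_cursor": datetime.fromtimestamp(
                        cursor_ms / 1000, tz=timezone.utc),
                    "last_alert_id": query["lastAlertId"][0],
                })
    return summary


def delivery_findings(summary):
    """Point out delivery properties an operator should verify on the agent host."""
    findings = []
    for d in summary["directives"]:
        if d["type"] != "forwardData":
            continue
        host, port, proto = d["target"]
        if host in LOOPBACK:
            findings.append(f"target {host}:{port}/{proto} is loopback: the syslog "
                            f"receiver must be listening on the agent host itself")
        if proto == "udp":
            findings.append("UDP gives no delivery acknowledgement: a successful "
                            "forwardData status does not prove the receiver got the data")
        if port < 1024:
            findings.append(f"port {port} is privileged on Linux/macOS: the receiver "
                            f"needs root or CAP_NET_BIND_SERVICE to bind it")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for d in s["directives"]:
        print(d)
    for f in delivery_findings(s):
        print("-", f)
```

Running it over the pasted output shows two successful status reports from agent version 0.111.126 and a directive to sleep 300 seconds, then forward data to 127.0.0.1:514/udp starting from an activity cursor of 2024-06-19 UTC. The practical check that follows from this is on the agent host: confirm that a receiver is actually bound to UDP 514 there (for example with `ss -lun` on Linux), because the agent reports success whether or not anything is listening.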
- Yoann_David_Mallet (Microsoft)
Hi, in general, we would recommend looking into other options to get data to your SIEM.
The Graph API is usually your best bet.
If your SIEM is Splunk, then we recommend leveraging the plug-in that uses Graph to get the data directly into your SIEM: Splunk Add-on for Microsoft Security | Splunkbase
Now, if that is not an option, can you please share more details about your issue? All I see here is a timeout.
- Tanmoy (Copper Contributor)
Hi Yoann_David_Mallet, we are looking to fetch alert and activity logs for Defender for Cloud Apps. I guess we don't have a Graph API for the same, thus we were trying this integration approach: https://learn.microsoft.com/en-us/defender-cloud-apps/siem
We are facing the mentioned challenge while setting this up.