Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel
Published Dec 16 2020 09:48 AM 28.1K Views
Microsoft

Overview

The Microsoft Cloud App Security (MCAS) connector lets you stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel. This gives you visibility into your cloud apps, sophisticated analytics to identify and combat cyberthreats, and control over how your data travels. For details on enabling and configuring the out-of-the-box MCAS connector, see Connect data from Microsoft Cloud App Security.

[Image: MCAS3.PNG]

 

Cloud App Security REST API (URL Structure, Token & Supported Actions)

The Microsoft Cloud App Security API provides programmatic access to Cloud App Security through REST API endpoints. Applications can use the API to perform read and update operations on Cloud App Security data and objects.

To use the Cloud App Security API, you must first obtain the API URL from your tenant. The API URL uses the following format:

https://<portal_url>/api/<endpoint>

To obtain the Cloud App Security portal URL for your tenant, do the following steps:

- In the Cloud App Security portal, click the question mark icon in the menu bar. Then, select About.

[Image: MCAS1.PNG]

- In the Cloud App Security About screen, you can see the portal URL.

[Image: MCAS2.PNG]

Once you have the portal URL, add the /api suffix to it to obtain your API URL. For example, if your portal's URL is https://m365x933168.eu2.portal.cloudappsecurity.com, then your API URL is https://m365x933168.eu2.portal.cloudappsecurity.com/api.

 

Cloud App Security requires an API token in the header of all API requests to the server, such as the following:

Authorization: Token <your_token_key>

Where <your_token_key> is your personal API token. For more information about API tokens, see Managing API tokens. Here's an example of retrieving the MCAS Activity log with curl:

 

[Image: MCAS4.PNG]

The following table describes the actions supported:

[Image: MCAS5.PNG]

Where Resource represents a group of related entities; for more details please visit MCAS Activities API.

 

Implementation (MCAS Activity Connector)

  • Log in to the Azure tenant, http://portal.azure.com
  • Go to Azure Sentinel > Playbooks
  • Create a new Playbook and follow the gif / step-by-step guide below; the code is being uploaded to the github repo as well:
    • Add a “Recurrence” step and set the following fields; the example below triggers the Playbook once a day:
      • Interval: 1
      • Frequency: Day
    • Initialize a variable for the MCAS API Token value; make sure to generate the MCAS API Token following this guide
      • Name: MCAS_API_Token
      • Type: String
      • Value: Token QhXXXXBSlodAV9AXXXXXXQlMcFhweXXXXXRXXh1OGkXXkXXkeX
    • Add an HTTP step to GET the MCAS Activity data:
    • Parse the MCAS Activities data via Parse JSON:
      • Parse JSON - MCAS Activities:
        • Content: @{body('HTTP_-_MCAS_Activities_API')}
        • Schema: uploaded to github
    • Initialize an Array Variable:
      • Name: TempArrayVar
      • Type: Array
    • Append to array variable:
      • Name: TempArrayVar
      • Value: @{body('Parse_JSON_-_MCAS_Activities')}
    • Add a For each control to iterate over the parsed MCAS Activities items:
      • Select an output from previous steps: @variables('TempArrayVar')
      • Send the data (MCAS Activity Log) to the Azure Sentinel Log Analytics workspace via a custom log table:
        • JSON Request body: @{items('For_each')}
        • Custom Log Name: MCAS_Activity_Log

[Image: MCASActivitySentinel-Update.gif]
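The same pipeline as the Playbook above, written as a Python script so the two halves can be seen end to end: the `Authorization: Token <your_token_key>` header from the REST API section, the Activities pull, the split of the response into individual activity records, and the push into the `MCAS_Activity_Log` custom log through the Log Analytics HTTP Data Collector API, signing each request with the workspace key. This is an added example, not the blog's Logic App or code from Microsoft. The `/v1/activities/` path, the assumption that the list endpoint wraps results in a `data` array (the shape that makes a For each fed the raw body complain that it needs an array, not an object), the placeholder URL, token and workspace values, and the function names are all assumptions; only the request-building and parsing functions are exercised offline.

```python
"""Added example (not the blog's Logic App or Microsoft code): fetch MCAS
activities with the 'Authorization: Token' header and forward the records to a
Log Analytics custom log via the HTTP Data Collector API."""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Placeholder values (assumptions): replace with your tenant's own settings.
MCAS_API_URL = "https://<portal_url>/api"        # portal URL + /api, as described above
MCAS_API_TOKEN = "<your_token_key>"             # personal MCAS API token
WORKSPACE_ID = "<workspace_id>"                 # Log Analytics workspace ID
WORKSPACE_SHARED_KEY = base64.b64encode(b"placeholder-primary-key").decode()
CUSTOM_LOG_NAME = "MCAS_Activity_Log"           # surfaces as MCAS_Activity_Log_CL


def mcas_headers(token):
    """Header MCAS requires on every API call: 'Authorization: Token <key>'."""
    return {"Authorization": f"Token {token}", "Content-Type": "application/json"}


def extract_activity_records(body):
    """Return the list of activity objects from an Activities API response.

    Assumed response shape for the list endpoint: {"data": [...], "hasNext": bool}.
    Handing that whole object to a 'For each' is what yields the
    'needs an array, not an object' error; a bare list is passed through.
    """
    if isinstance(body, list):
        return body
    if isinstance(body, dict) and isinstance(body.get("data"), list):
        return body["data"]
    raise ValueError("unrecognised Activities API response shape")


def build_signature(workspace_id, shared_key, date_rfc1123, content_length):
    """SharedKey Authorization header for the Data Collector API.

    String-to-sign is METHOD, content-length, content-type, x-ms-date:<date>
    and the resource /api/logs joined by newlines; HMAC-SHA256 with the
    base64-decoded workspace key; the digest is base64-encoded.
    """
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{date_rfc1123}\n/api/logs"
    )
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def data_collector_request(workspace_id, shared_key, log_type, records, now=None):
    """Build (url, headers, body) for one Data Collector API POST of `records`.

    The service creates one table row per element of the JSON array, which is
    the same outcome the Playbook's For each achieves one item at a time.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    date_rfc1123 = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_rfc1123, len(body)),
        "Log-Type": log_type,   # custom table name; the service appends _CL
        "x-ms-date": date_rfc1123,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    return url, headers, body


def fetch_activities(api_url, token, limit=100):
    """POST to the Activities list endpoint (assumed path /v1/activities/).
    Network call; not exercised offline. Paging via 'hasNext' is left out."""
    req = urllib.request.Request(f"{api_url}/v1/activities/",
                                 data=json.dumps({"limit": limit}).encode("utf-8"),
                                 headers=mcas_headers(token), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_activity_records(json.load(resp))


def post_records(records):
    """Send the activity records to the custom log (one row per record)."""
    url, headers, body = data_collector_request(
        WORKSPACE_ID, WORKSPACE_SHARED_KEY, CUSTOM_LOG_NAME, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        resp.read()   # non-2xx responses raise urllib.error.HTTPError


if __name__ == "__main__":
    post_records(fetch_activities(MCAS_API_URL, MCAS_API_TOKEN))
```

Keep the MCAS token and the workspace key out of the script itself (Key Vault, as the comments below suggest, or environment variables); they are shown inline here only so the example is self-contained.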

 

Notes & Considerations

  • You can customize the parser in the connector's flow with the required attributes / fields based on your schema / payload before ingestion; you can also create custom Azure Functions once the data is ingested into Azure Sentinel
  • You can customize the for-each step to iterate over the MCAS Activity log entries and send them to the Log Analytics workspace so that each activity log ends up in a separate table record / row
  • You can build your own detection and analytics rules / use cases; a couple of MCAS Activities analytics rules will be ready to use on github, stay tuned
  • A couple of points to consider while using Logic Apps:

 

Get started today!

 

We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

9 Comments
Bronze Contributor

Azure Sentinel is becoming more and more the SIEM to be :) Thanks @Hesham Saad for the clear blog post

Brass Contributor

Do MCAS API Tokens need to be stored using Key Vault?

Microsoft

Hi @shoando - yes you can for security reasons.

Copper Contributor

Awesome stuff, although will there be a part 2 of this? Covering the "considerations" section?

Brass Contributor

Hi @Hesham Saad 

Great Blog - thanks a lot.

 

I have successfully implemented the app in my test environment and built another one for the entity endpoint.

As a next step I'd like to separate the logs into different rows, but so far I'm not successful because the for each loop tells me that it needs an array, not an object :(

Have you already done this successfully and can give me a hint?

 

Thanks Chris

Copper Contributor

Is there a connector to ingest Workday HCM logs into Sentinel ? 

Copper Contributor

Hi @Hesham Saad 

 

Is there a connector to ingest Workday HCM logs into Sentinel ? 

Copper Contributor

Hi @Hesham Saad 

 

Is there a way to ingest  only "Workday HCM" logs from MCAS  into Sentinel ?

 

 

Thanks

Brass Contributor

Hi @Hesham Saad 

 

Does this also work for the other MCAS URIs, specifically Files?  If it does, does it overcome the 5000 item export limit that is present with the UI export of File policy matches?

Version history
Last update: Nov 02 2021 06:30 PM