Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel

Published Dec 16 2020 09:48 AM 10.3K Views



The Microsoft Cloud App Security (MCAS) connector lets you stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel. This will enable you to gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels, more details on enabling and configuring the out of the box MCAS connector (Connect data from Microsoft Cloud App Security)




Cloud App Security REST API (URL Structure , Token & Supported Actions)


The Microsoft Cloud App Security API provides programmatic access to Cloud App Security through REST API endpoints. Applications can use the API to perform read and update operations on Cloud App Security data and objects.


To use the Cloud App Security API, you must first obtain the API URL from your tenant. The API URL uses the following format:









To obtain the Cloud App Security portal URL for your tenant, do the following steps:


- In the Cloud App Security portal, click the question mark icon in the menu bar. Then, select About. 


MCAS1.PNG - In the Cloud App Security about screen, you can see the portal url.




Once you have the portal url, add the /api suffix to it to obtain your API URL. For example, if your portal's URL is, then your API URL is


Cloud App Security requires an API token in the header of all API requests to the server, such as the following:





Authorization: Token <your_token_key>






Where <your_token_key> is your personal API token. For more information about API tokens, see Managing API tokens., here's an example of CURLing MCAS Activity log:




The following table describes the actions supported:




Where Resource represents a group of related entities, fore more details please visit MCAS Activities API


Implementation (MCAS Activity Connector)


  • Log in to the Azure tenant,
  • Go to Azure Sentinel > Playbooks
  • Create a new Playbook and follow the below gif / step-by-step guide, the code being uploaded to github repo as well:
    • Add a “Recurrence” step and set the following field, below is an example to trigger the Playbook once a daily basis:
      • Interval: 1
      • Frequency: Day
    • Initialize a variable for the MCAS API Token value, make sure to generate MCAS API Token following this guide
      • Name: MCAS_API_Token
      • Type: String
    • Set an HTTP endpoints to Get MCAS Activity data:
    • Parse MCAS Activities data via Json:
      • Parse JSON - MCAS Activities:
        • Content: @{body('HTTP_-_MCAS_Activities_API')}
        • Schema: uploaded to github
    • Initialize an Array Variable:
      • Name: TempArrayVar
      • Type: Array
    • Append to array variable:
      • Name: TempArrayVar
      • Value: @{body('Parse_JSON_-_MCAS_Activities')}
    • Add For each control to iterate MCAS Activities parsed items:
      • Select an output from previous steps: @variables('TempArrayVar')
      • Send the data (MCAS Activity Log) to Azure Sentinel Log analytics workspace via a custom log tables:
        • JSON Request body: @{items('For_each')}
        • Custom Log Name: MCAS_Activity_Log



Notes & Consideration


  • You can customize the parser at the connector's flow with the required and needed attributed / fields based on your schema / payload before the ingestion process, also you can create custom Azure Functions once the data being ingested to Azure Sentinel
  • You can customize the for-each step to iterate MCAS Activity log and send them to the Log Analytics workspace so eventually each activity log will be logged in a separate table's record / row
  • You can build your own detection and analytics rules / use cases,  a couple of MCAS Activities analytics rules will be ready to use at github, stay tuned
  • Couple of points to be considered while using Logic Apps:


Get started today!


We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Occasional Contributor

Azure Sentinel is becoming more and more the SIEM to be :) Thanks @Hesham Saad for the clear blog post


Do MCAS API Tokens need to be stored using Key Vault?


Hi @shoando - yes you can for security reasons.

New Contributor

Awesome stuff, although will there be a part 2 of this? Covering the "considerations" section?

Occasional Contributor

Hi @Hesham Saad 

Great Blog - thanks a lot.


I have successful implemented the app in my test environment and built another one for the entitity endpoint.

As a next step I'd like to separate the logs to different rows but so far I'm not successful because the for each loop tells me that it needs an array not an object :(

Have you already done this successful and can give me a hint?


Thanks Chris

Senior Member

Is there a connector to ingest Workday HCM logs into Sentinel ? 

Senior Member

Hi @Hesham Saad 


Is there a connector to ingest Workday HCM logs into Sentinel ? 

Senior Member

Hi @Hesham Saad 


Is there a way to ingest  only "Workday HCM" logs from MCAS  into Sentinel ?




Occasional Contributor

Hi @Hesham Saad 


Does this also work for the other MCAS URIs, specifically Files?  If it does, does it overcome the 5000 item export limit that is present with the UI export of File policy matches?

Version history
Last update:
‎Dec 16 2020 10:17 AM
Updated by: