Any plan to integrate/send MCAS activity events to Sentinel


Hi,

The current MCAS to Sentinel connector is sending only alerts and discovery logs to Sentinel. Are there any plans to include the MCAS activity logs in the integration? (The MCAS SIEM connector has the feature to send the activity logs.)

[Two screenshots attached to the original post: Hemanth_Abbina_0-1610950577634.png and Hemanth_Abbina_1-1610950592802.png]

5 Replies
Hello Hemanth_Abbina,

There currently is a workaround where you are able to configure the MCAS API as the source for collecting the Activity logs into Azure Sentinel.
Please check out this article for more information:
https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-cloud-app-security-mcas-activity-log...
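The workaround above pulls activities from the MCAS REST API and lands them in a Log Analytics table that Sentinel can query. The linked article does this with a Logic App; the script below is an added example (not the article's code and not anything posted in this thread) that does the same two steps in Python, so the moving parts are visible: page through the MCAS activities endpoint, then post the records with a Log Analytics Data Collector API signature. It assumes the MCAS endpoint `POST /api/v1/activities/` with an `Authorization: Token` header and a `{"filters", "limit", "skip"}` body returning `data`/`hasNext`, and the Data Collector API's documented `SharedKey` HMAC-SHA256 scheme; the tenant host, workspace id, shared key and all activity records are constructed placeholders. Because the thread's concern is tokens that stop working once the creating user's PIM activation lapses, a 401/403 from MCAS is surfaced as a distinct `TokenRejected` error rather than a generic failure, which is the condition a scheduled run should alert on.

```python
"""Collect MCAS activity records and forward them to a Log Analytics workspace.

Assumed (not from the thread or the linked article):
- MCAS: POST https://<tenant>.<region>.portal.cloudappsecurity.com/api/v1/activities/
  header "Authorization: Token <api-token>", body {"filters", "limit", "skip"},
  response {"data": [...], "hasNext": bool}.
- Log Analytics Data Collector API: HMAC-SHA256 over
  "POST\n<len>\napplication/json\nx-ms-date:<date>\n/api/logs"
  keyed with the base64-decoded workspace shared key.
"""
import base64
import datetime as dt
import hashlib
import hmac
import json
import urllib.error
import urllib.request

MCAS_HOST = "https://TENANT.REGION.portal.cloudappsecurity.com"  # placeholder
LOG_TYPE = "MCASActivity"  # Log Analytics appends _CL -> MCASActivity_CL


class TokenRejected(Exception):
    """MCAS answered 401/403: the API token is no longer usable (for example
    because the user who created it no longer holds an active role)."""


def activity_query(since_ms, until_ms, limit=100, skip=0):
    """Request body selecting activities with since_ms <= date < until_ms."""
    return {"filters": {"date": {"gte": since_ms, "lt": until_ms}},
            "limit": limit, "skip": skip}


def fetch_activities(token, since_ms, until_ms, page_size=100,
                     opener=urllib.request.urlopen):
    """Page through the MCAS activities endpoint and return all records."""
    records, skip = [], 0
    while True:
        body = json.dumps(activity_query(since_ms, until_ms, page_size, skip)).encode()
        req = urllib.request.Request(
            MCAS_HOST + "/api/v1/activities/", data=body, method="POST",
            headers={"Authorization": "Token " + token,
                     "Content-Type": "application/json"})
        try:
            with opener(req) as resp:
                page = json.loads(resp.read())
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                raise TokenRejected(f"MCAS rejected the API token (HTTP {err.code})") from err
            raise
        records.extend(page.get("data", []))
        if not page.get("hasNext"):
            return records
        skip += page_size


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Data Collector API expects to be signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_signature(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """Authorization header value: SharedKey <workspace>:<base64 HMAC-SHA256>."""
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def post_to_log_analytics(workspace_id, shared_key_b64, records,
                          opener=urllib.request.urlopen):
    """Send one JSON batch to the workspace; returns the HTTP status."""
    body = json.dumps(records).encode("utf-8")
    date = dt.datetime.now(dt.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    req = urllib.request.Request(
        f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        data=body, method="POST",
        headers={"Content-Type": "application/json", "Log-Type": LOG_TYPE,
                 "x-ms-date": date,
                 "Authorization": build_signature(workspace_id, shared_key_b64, len(body), date)})
    with opener(req) as resp:
        return resp.status


class _FakeResponse:
    """Minimal stand-in for the urlopen response used by the offline demo."""
    def __init__(self, status, payload):
        self.status, self._payload = status, json.dumps(payload).encode()
    def read(self):
        return self._payload
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo(token_valid=True):
    """Offline run against constructed responses: two MCAS pages (three
    constructed activities) and a 200 from Log Analytics. Returns the number
    of records forwarded, or -1 when MCAS rejects the token."""
    pages = [{"data": [{"_id": "act-1", "date": 1610950000000},
                       {"_id": "act-2", "date": 1610950001000}], "hasNext": True},
             {"data": [{"_id": "act-3", "date": 1610950002000}], "hasNext": False}]

    def opener(req):
        if "cloudappsecurity.com" in req.full_url:
            if not token_valid:
                raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
            return _FakeResponse(200, pages.pop(0))
        return _FakeResponse(200, {})

    try:
        records = fetch_activities("constructed-token", 1610950000000, 1610960000000,
                                   page_size=2, opener=opener)
    except TokenRejected:
        return -1
    post_to_log_analytics("00000000-0000-0000-0000-000000000000", "A" * 43 + "=",
                          records, opener=opener)
    return len(records)


if __name__ == "__main__":
    print("forwarded:", demo(), "| rejected-token run:", demo(token_valid=False))
```

For a real run, replace `MCAS_HOST`, the workspace id and shared key, keep the token and key in a secret store rather than in the script, and schedule the job with a `since`/`until` window that follows the last successful run so records are neither skipped nor duplicated.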

@BemmelenPatrick  Thanks.

 

Agree with this approach, but we have a problem. The MCAS API token is not persistent and it's associated with the user who created it. The Azure subscription we are using is PIM-enabled, and all users have to activate their roles using PIM for 4 hours. In such scenarios, the API token we create will become inactive whenever the PIM session of the user expires. So it's not suited for scheduled/automated data collection.

Hello Hemanth,

Are you using PIM for access to MCAS or to Azure Sentinel/Logic Apps?
Because the API token is taken from MCAS, this will need to be entered for the Logic Apps connection, but for Logic Apps you can use managed identities:
https://docs.microsoft.com/nl-nl/azure/logic-apps/create-managed-service-identity

@BemmelenPatrick Thanks for the quick response.

I'm talking about the MCAS API token. The API token created in the MCAS portal is associated with the user who created it. If the user's PIM session expires, the API token won't work.

Hi,
We're experiencing the same problem. I think we will use the Break Glass Account. Does anyone have a better idea?