Cloud App Security no longer logging events from scripts


Hi, 

Why would CAS stop logging events initiated by systems other than devices?

We have run tests from a few different scripts today, none of which got picked up in CAS:


  • Sending emails via PowerShell using “Send-MailMessage”
  • Exchange scripts using “Import-PSSession” scripts followed by “Get-Mailbox” and “Set-Mailbox”
  • User scripts with “Get-MsolUser”
  • SharePoint scripts with “Connect-SPOService”, “Get-SPOSite” and “Set-SPOSite”

We have heard from a customer who talked w/ support that signals from devices are the only thing that will get logged now. But since bad actors are using automation/scripts, we need to be able to track such signals in CAS.


Hi Chris, 

Thanks for reaching out. There haven't been any changes in Cloud App Security related to auditing & user agent. Per the below documentation, the commands you referenced are not part of audited events, therefore not visible in CAS or in SCC.

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...


Thanks

Shalini
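A way to check what the unified audit log actually recorded for an account in the window in question, grouped by workload, operation and client IP, as an added example that is not part of this thread. It assumes an Exchange Online remoting session is already open (as with the Import-PSSession scripts above), that the signed-in admin can run Search-UnifiedAuditLog, and that $Upn is a placeholder for the account being investigated.

```powershell
# Added example, not from the thread. Pull every unified audit log record for one
# account over a window and summarise it, so cmdlet-driven activity that IS audited
# shows up with its client string, and activity that is not audited visibly does not.
$Upn   = 'user@contoso.example'      # placeholder: the account to investigate
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# Search-UnifiedAuditLog pages results per SessionId; keep calling until it returns nothing.
$records   = @()
$sessionId = [guid]::NewGuid().ToString()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string; extract the fields that distinguish a script from a browser.
$parsed = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Workload  = $_.RecordType
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        # Exchange records carry ClientInfoString; SharePoint/Azure AD records carry UserAgent.
        Client    = if ($d.ClientInfoString) { $d.ClientInfoString } else { $d.UserAgent }
    }
}

# One row per workload/operation/source IP, busiest first. An operation done through a
# cmdlet that is not an audited event (e.g. Send-MailMessage over SMTP) has no row here.
$parsed | Group-Object Workload, Operation, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Filtering the parsed rows on ClientIP for the address seen in CAS is the quickest way to confirm whether the missing activity is absent from the audit log itself or only from CAS.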

Hi,

Is “Send-MailMessage” an event that is logged by Cloud App Security? We know it *used to be* because the creator of “PhishHunter” (Steve @ MSFT) used it to demonstrate how when it’s run against an acct, it creates an event that will then remediate an acct.

We have a live situation where several hundred events are being missed in the same timeframe. An acct was compromised, and is being accessed from Russia using the SMTP service (i.e. from some scripted method).


CAS (which is pulling from the Azure AD audit logs) has nothing at all for that IP, and none of it is captured in the CAS (or audit) logs.


Is CAS supposed to log events from scripts, or just physical devices?