Jan 17 2021 10:28 PM
Hi,
We are planning to collect MCAS activity events using the REST API calls (https://docs.microsoft.com/en-us/cloud-app-security/api-activities-list). We have a challenge here in establishing a permanent API token for data collection. The API token we create from the portal is associated with the user who created it, and it becomes inactive when the user's Azure PIM session expires. So, for us, it lasts for 4 hours only. We needed to re-activate the PIM session to continue the collection. It's not a preferred way for the scheduled collection.
What is the best practice to pull the activity logs from MCAS REST APIs? (PS: Though the SIEM agent provides the activity logs, those logs don't have complete data. That's the reason for looking at the REST APIs).
Jan 26 2021 10:46 AM