Collecting MCAS activity events using REST API


Hi,

We are planning to collect MCAS activity events using the REST API calls (https://docs.microsoft.com/en-us/cloud-app-security/api-activities-list). We have a challenge here in establishing a permanent API token for data collection. The API token we create from the portal is associated with the user who created it, and it becomes inactive when the user's Azure PIM session expires. So, for us, it lasts for 4 hours only. We needed to re-activate the PIM session to continue the collection. It's not a preferred way for the scheduled collection.

What is the best practice to pull the activity logs from MCAS REST APIs? (PS: Though the SIEM agent provides the activity logs, those logs don't have complete data. That's the reason for looking at the REST APIs.)

1 Reply
What I would do in this case is create a security administrator account for my MCAS tenant from (MCAS portal > settings cog > Manage admin access) and create an API token using this generic account.

This token would not expire unless you delete the user account and should continue to work.

Let me know if this doesn't work for you.

You can connect with me on Twitter at @Er_mansury for a private discussion on this topic.
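As an added example (not code from the original post or from Microsoft), the following Python collector shows what a scheduled pull against the activities endpoint discussed in this thread looks like once a token exists: the `Authorization: Token <token>` header, the `POST /api/v1/activities/` body with a date filter, and paging with the API's scan mode (`isScan: true`, resuming from the `nextQueryFilters` the response returns) instead of `skip`/`limit` offsets. The portal host, the `MCAS_API_TOKEN` environment variable and the sample response pages are assumptions; the sample pages are constructed to show the overlap between adjacent scan windows that the `_id` dedupe handles.

```python
"""Pull MCAS activity events via the activities list API, paging in scan mode.

Example written for this thread, not Microsoft's code.  The host, the token
source and the sample records below are assumptions / constructed data.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List

# A "poster" sends one POST and returns the decoded JSON body; injecting it
# lets the paging logic run offline against constructed pages.
Poster = Callable[[str, Dict[str, str], dict], dict]


def activities_url(portal_host: str) -> str:
    # portal_host is the tenant-specific host, e.g. "mytenant.us.portal.cloudappsecurity.com"
    # (assumed example; copy the real one from the portal's Settings > About page).
    return f"https://{portal_host}/api/v1/activities/"


def auth_headers(token: str) -> Dict[str, str]:
    # The MCAS API token is sent with the "Token" authorization scheme.
    return {"Authorization": f"Token {token}", "Content-Type": "application/json"}


def initial_body(days_back: int = 1, limit: int = 100) -> dict:
    # isScan=True asks the API to include "nextQueryFilters" with each page so the
    # collector resumes from the last timestamp rather than from a skip offset.
    return {
        "filters": {"date": {"gte_ndays": days_back}},
        "isScan": True,
        "limit": limit,
        "sortField": "date",
        "sortDirection": "asc",
    }


def http_post(url: str, headers: Dict[str, str], body: dict) -> dict:
    # Real transport (stdlib only); not used by the offline demo below.
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def collect_activities(post: Poster, portal_host: str, token: str,
                       days_back: int = 1, limit: int = 100,
                       max_pages: int = 1000) -> List[dict]:
    """Follow the scan cursor until hasNext is false.

    Records are deduplicated on "_id": consecutive scan windows share their
    boundary timestamp, so the same event can appear on two pages.
    """
    url = activities_url(portal_host)
    headers = auth_headers(token)
    body = initial_body(days_back, limit)
    seen, events = set(), []
    for _ in range(max_pages):          # hard cap so a bad cursor cannot loop forever
        page = post(url, headers, body)
        for act in page.get("data", []):
            if act["_id"] in seen:
                continue
            seen.add(act["_id"])
            events.append(act)
        if not page.get("hasNext") or "nextQueryFilters" not in page:
            break
        body = dict(body, filters=page["nextQueryFilters"])
    return events


# Constructed sample responses (not real MCAS data): two pages, with the last
# record of page 1 repeated on page 2 to show the overlap the dedupe handles.
SAMPLE_PAGES = [
    {"data": [{"_id": "a1", "timestamp": 1610000000000, "description": "Log on"},
              {"_id": "a2", "timestamp": 1610000060000, "description": "Download file"}],
     "hasNext": True,
     "nextQueryFilters": {"date": {"gte": 1610000060000}}},
    {"data": [{"_id": "a2", "timestamp": 1610000060000, "description": "Download file"},
              {"_id": "a3", "timestamp": 1610000120000, "description": "Share file"}],
     "hasNext": False},
]


class FakePoster:
    """Offline stand-in for http_post that serves SAMPLE_PAGES and records calls."""
    def __init__(self, pages):
        self.pages = list(pages)
        self.calls = []

    def __call__(self, url, headers, body):
        self.calls.append((url, headers, json.loads(json.dumps(body))))
        return self.pages.pop(0)


def demo() -> List[dict]:
    # Runs the collector against the constructed pages; expect ids a1, a2, a3.
    poster = FakePoster(SAMPLE_PAGES)
    return collect_activities(poster, "mytenant.us.portal.cloudappsecurity.com",
                              "dummy-token", days_back=1, limit=2)


if __name__ == "__main__":
    token = os.environ.get("MCAS_API_TOKEN")            # assumed variable name
    host = os.environ.get("MCAS_PORTAL_HOST")           # assumed variable name
    if token and host:
        for act in collect_activities(http_post, host, token):
            print(json.dumps(act))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it with `MCAS_API_TOKEN` and `MCAS_PORTAL_HOST` set to hit a real tenant, or without them for the offline walk-through. For a scheduled job, persist the last `nextQueryFilters` (or the newest timestamp seen) between runs and seed the next run's filter from it, so the collector is incremental and the overlap handling above covers the boundary.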