Jun 16 2020 01:23 AM
I'm uploading my traffic logs in order to perform the Cloud App discovery using REST APIs: https://docs.microsoft.com/en-us/cloud-app-security/api-discovery
I can see the uploaded files being processed under "Governance logs". I can also generate reports based on the ingested traffic logs. But is there any option to view/visualize the ingested/uploaded logs in a table form? So that I can verify that all the logs that are supposed to be uploaded are actually being uploaded via my script and the reports that are generated are correct as per my logs.
Jun 17 2020 10:39 PM - edited Jun 17 2020 10:45 PM
@Caroline_Lee Thanks for your reply! I've tried exporting the data from where you mentioned but it seems like it's the data of discovered applications only and not the original CEF data which I've ingested for that discovery. The same options are also available under the IP addresses and Users tabs, but they only export the respective discovery-related data and not the original one.
The purpose of being able to view/export the exact data which I have ingested is to verify whether my ingestion script is working perfectly or not (I want to use continuous reports). Now if I can only see the data fields/records on which the discovery is successful, I would not be able to exactly say whether the data I ingested had no findings when MCAS ran discovery on it or my script messed up and MCAS never actually received that data to perform discovery on.
So for this purpose, only the count of the number of records received by MCAS is also enough. Is there such an option available yet on the MCAS platform?
Jun 18 2020 09:59 PM
Aug 11 2020 06:12 AM
As Caroline mentioned, we do not have raw data investigation capability today.
But in order to verify your script functionality, I suggest sending a single file with several log lines of different app accesses and verifying that all apps are discovered.
I also recommend creating a new data source to have a separate continuous report and upload these logs directly to it using the "inputStreamName" parameter.
Later you could delete this data source.
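The check suggested in the reply above, as an added example that is not part of the original thread or of any Microsoft tooling: it builds a small CEF file in which every line targets a different, known destination, records a manifest of what was sent, and reconciles that manifest against the domains seen in the resulting report. The vendor and product names, the user and IP values, the chosen CEF extension keys and the assumption that the report export yields domain strings are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed test destinations: one log line per app, so each should
# surface as exactly one discovered app in the dedicated test report.
TEST_APPS = ["dropbox.com", "box.com", "slack.com", "github.com"]

def _esc(value):
    # CEF extension values escape backslash and '=' with a backslash.
    return str(value).replace("\\", "\\\\").replace("=", "\\=")

def build_canary(apps=TEST_APPS, start=None):
    """Return (cef_text, manifest) for a small, fully known test upload."""
    start = start or datetime(2020, 6, 16, 1, 0, tzinfo=timezone.utc)
    lines = []
    for i, host in enumerate(apps):
        ext = {  # extension keys are an assumption; match your data source format
            "rt": int((start + timedelta(minutes=i)).timestamp() * 1000),
            "src": f"10.0.0.{10 + i}",
            "suser": f"canary{i}@example.test",
            "dhost": host,
            "request": f"https://{host}/canary?run={i}",
            "out": 1024 * (i + 1),
            "in": 2048,
        }
        kv = " ".join(f"{k}={_esc(v)}" for k, v in ext.items())
        lines.append(f"CEF:0|ExampleVendor|ExampleProxy|1.0|100|web-access|1|{kv}")
    text = "\n".join(lines) + "\n"
    manifest = {
        "line_count": len(lines),
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
        "expected_hosts": sorted(set(apps)),
    }
    return text, manifest

def reconcile(manifest, discovered_domains):
    """Compare what was sent with the domains seen in the test report."""
    seen = {d.strip().lower() for d in discovered_domains}
    expected = set(manifest["expected_hosts"])
    return {"missing": sorted(expected - seen), "all_discovered": expected <= seen}

if __name__ == "__main__":
    cef_text, manifest = build_canary()
    print(cef_text, manifest, sep="\n")
```

Upload the generated text with the existing script to the separate data source (the "inputStreamName" parameter mentioned above), then pass the domains from that report's export to `reconcile`; a non-empty `missing` list means a line was either not received or not matched to an app.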