MCAS and REST API detection


Hi all,

I'm still fairly new to MCAS and I couldn't find any answers in my search, so apologies if this has been asked. I was wondering if MCAS can be used to detect/alert against REST API attempts from malicious IPs or unknown devices etc. This could be coming from MS Graph or wherever else that has an API that is exposed or if there is something else that already does that.

Thanks.

3 Replies

@Tommytong

@Sebastien Molendijk: Is this something you can speak to?


Hi @Tommytong,

Yes. An example below of a Flow accessing some data in SharePoint: you can see the agent string (Flow/Logic Apps) and the IP used to access the data using API connections.

In this case it's an Azure IP, but let's say it would be a script running on a PC, we would detect this.

access-logicApps.png


Thanks @Sebastien Molendijk

Do you have any MS Graph examples by chance?