Forum Discussion
Hemanth_Abbina (Microsoft), Jan 18, 2021
Any plan to integrate/send MCAS activity events to Sentinel
Hi,
The current MCAS to Sentinel connector is sending only alerts and discovery logs to Sentinel. Are there any plans to include the MCAS activity logs in the integration? (The MCAS SIEM connector has the feature to send the activity logs.)
- BemmelenPatrick (Iron Contributor): Hello Hemanth_Abbina,
There currently is a workaround where you are able to configure the MCAS API as the source for collecting the Activity logs into Azure Sentinel.
Please check out this article for more information:
https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-cloud-app-security-mcas-activity-log-in-azure-sentinel/ba-p/1849806
- Hemanth_Abbina (Microsoft): BemmelenPatrick Thanks.
Agree with this approach, but we have a problem. The MCAS API token is not persistent and is associated with the user who created it. The Azure subscription we are using is PIM enabled, and all users must activate their roles using PIM for 4 hours. In such scenarios, the API token we create will become inactive whenever the PIM session of the user expires. So it is not suited for scheduled/automated data collection.
- BemmelenPatrick (Iron Contributor): Hello Hemanth,
Are you using PIM for access to MCAS or to Azure Sentinel/Logic Apps?
Because the API token is taken from MCAS this will need to be entered for the Logic Apps connection but for Logic Apps you can use managed identities:
https://docs.microsoft.com/nl-nl/azure/logic-apps/create-managed-service-identity
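As an added illustration of the workaround discussed above (this is not code from the thread or from the linked article), the following Python poller pulls activities from the MCAS activities API with an API token and forwards them to the Sentinel workspace through the Log Analytics HTTP Data Collector API, which is the same pattern a Logic App would implement. The endpoint paths, the filter body, the activity field names and the SharedKey signing scheme are assumptions based on the public MCAS and Log Analytics APIs; the tenant URL, token and workspace values are placeholders read from the environment.

```python
import base64, datetime, hashlib, hmac, json, os
import urllib.request

# Placeholders (assumed, not from the thread): MCAS portal URL, MCAS API token,
# Log Analytics workspace id and primary shared key. The token is the per-user
# credential the thread discusses; in production load it from Key Vault, not a file.
MCAS_URL = os.environ.get("MCAS_URL", "https://TENANT.portal.cloudappsecurity.com")
MCAS_TOKEN = os.environ.get("MCAS_TOKEN", "PLACEHOLDER_TOKEN")
WORKSPACE_ID = os.environ.get("LA_WORKSPACE_ID", "00000000-0000-0000-0000-000000000000")
SHARED_KEY = os.environ.get("LA_SHARED_KEY", base64.b64encode(b"placeholder-key").decode())

# Constructed sample activity (shape assumed from the MCAS activities API schema).
SAMPLE_ACTIVITY = {"_id": "act-1", "timestamp": 1610964000000, "eventTypeValue": "EVENT_CATEGORY_LOGIN",
                   "user": {"userName": "alice@example.com"}, "device": {"clientIP": "203.0.113.10"}}

def activity_filter(since_ms: int, limit: int = 100) -> dict:
    """Request body for POST /api/v1/activities/: activities at or after since_ms (epoch ms)."""
    return {"filters": {"date": {"gte": since_ms}}, "limit": limit,
            "sortField": "date", "sortDirection": "asc"}

def fetch_activities(since_ms: int) -> list:
    """Call the MCAS activities API with the per-user API token (assumed 'Token' scheme)."""
    req = urllib.request.Request(f"{MCAS_URL}/api/v1/activities/", method="POST",
                                 data=json.dumps(activity_filter(since_ms)).encode(),
                                 headers={"Authorization": f"Token {MCAS_TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("data", [])

def to_record(activity: dict) -> dict:
    """Flatten one activity into a Log Analytics row; TimeGenerated comes from the epoch-ms 'timestamp'."""
    ts = datetime.datetime.fromtimestamp(activity["timestamp"] / 1000, tz=datetime.timezone.utc)
    return {"TimeGenerated": ts.isoformat(), "ActivityId": activity.get("_id"),
            "EventType": activity.get("eventTypeValue"), "User": (activity.get("user") or {}).get("userName"),
            "ClientIP": (activity.get("device") or {}).get("clientIP"), "Raw": json.dumps(activity)}

def la_signature(date_rfc1123: str, body_len: int) -> str:
    """SharedKey Authorization header for the Log Analytics HTTP Data Collector API."""
    string_to_sign = f"POST\n{body_len}\napplication/json\nx-ms-date:{date_rfc1123}\n/api/logs"
    digest = hmac.new(base64.b64decode(SHARED_KEY), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {WORKSPACE_ID}:{base64.b64encode(digest).decode()}"

def post_to_log_analytics(records: list, log_type: str = "MCASActivity") -> int:
    """Send rows to the workspace; they appear in Sentinel as the custom table <log_type>_CL."""
    body = json.dumps(records).encode("utf-8")
    date = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    req = urllib.request.Request(
        f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": la_signature(date, len(body)),
                 "Log-Type": log_type, "x-ms-date": date, "time-generated-field": "TimeGenerated"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    since = int((datetime.datetime.now(datetime.timezone.utc).timestamp() - 900) * 1000)  # last 15 minutes
    print(post_to_log_analytics([to_record(a) for a in fetch_activities(since)]))
```

Because the MCAS token is tied to the creating user (the point raised in the thread), a scheduled run of this script stops at the first 401 once that user's session or account is no longer active, so the token should be issued from a dedicated, non-PIM service account and rotation monitored.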