Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

cloud app security and SIEM agent

Copper Contributor

Hello,

We need to send our cloud app security alerts to our onpremise SIEM, we know that we can install a java program to setup cloud app security agent, by the way we ever used event HUB for AD azure service and to avoid installing a VM with cloud app security SIEM agent, one think is to use Azure Logic Apps to grab cloud app security alerts and forward them to event hub and then send alert's on across existing link with our onpremise SIEM.

Does it make sense or have u got advices about our idea ?

Thanks for your feedback.

 

7 Replies

@Hamid285 Have you seen this help doc? Does this provide an easier fix for you?

 

https://docs.microsoft.com/en-us/cloud-app-security/siem 

@caseykraus : Hello, thanks for your feedback.yes i saw this article but as explain we do not need to go by this way , but use MS SOAR with event hub :

https://securecloud.blog/2020/04/30/send-security-alerts-from-microsoft-cloud-to-3rd-party-siem-with...

DOes it make sense ?

Rgds,

@Hamid285to get all MCAS - Cloud App Security raw events you need the MCAS API via https://docs.microsoft.com/en-US/cloud-app-security/siem which will be ingested using remote syslog into Splunk (CEF-format).

Additionally you need the MS Graph API for the high level telemetry - the Splunk technical TA app is here.

@BillTheKid : Hello and thanks for your feedback.

We will advice our customer to use cloud app security SIEM agent.

Rgds,

@BillTheKid, what are high availability options for setting up SIEM Agent Server? How do we make sure it is not single point of failure and can scale?

@SurVir, you don't use it anymore more today (2 years later). You would integrate MDCA (previously known as MCAS) within MDE and use the Streaming API to get all raw-data via CloudAppEvents table (for MDCA raw data). Alerts are merged into AlertInfo table (for MDCA alerts) (for alerts you alternatively may use Graph-API) and Incidents would require Incidents API (for MDCA merged incidents). This gets you safe all the information and is scalable and has no point of failures when implementing correctly - forget the MCAS SIEM AGENT , this was before they went "XDR".

@SurVir https://github.com/tianderturpijn/MCAS/tree/master/MCAS-ASC-integration describes installation with MCAS SIEM Agent via Log Analytics hosted within Azure VM