Forum Discussion

Tanmoy
Copper Contributor
Jun 20, 2024

Unable to ingest SIEM Integration logs for Cloud Apps

Hi All,

We are trying to set up SIEM integration for Microsoft Defender for Cloud Apps using this https://learn.microsoft.com/en-gb/defender-cloud-apps/siem. We performed all the following steps but are not able to get the logs as mentioned in the official doc.

We are getting the logs below, which are not in line with the expected sample logs provided at https://learn.microsoft.com/en-us/defender-cloud-apps/siem:

Connecting socket to xyz.us2.portal.cloudappsecurity.com/52.184.165.82:443 with timeout 30000

"{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"forwardData","success":true,"messages":[],"operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4ntmymzi5mdawjmxhc3rbbgvydelkpty2nmviogu5mdawmdawmdawmdawmdawma=="},{"operationType":"sleep","success":true,"messages":[]}]}"

Connection established 100.64.0.1:49261<->52.184.165.82:443

============
Connection established 100.64.0.1:63977<->52.184.165.82:443
http-outgoing-48: set socket timeout to 60000
{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"sleep","success":true,"messages":[]},{"operationType":"forwardData","success":true,"messages":[],"operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkynjmwmzgxjmxhc3rbbgvydelkpty2nzjhzme1mdawmdawmdawmdawmdawma=="}]}"

{"nextOperations":[{"type":"sleep","duration":300000},{"type":"forwardData","sourceDataUrl":"https://xyz.us2.portal.cloudappsecurity.com/api/v1/agents/siem/get_data/?lastActivityCreated=1718792915260&lastAlertId=6672b0d50000000000000000&operationId=bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkyote1mjywjmxhc3rbbgvydelkpty2nzjimgq1mdawmdawmdawmdawmdawma==","operationId":"bgfzdefjdgl2axr5q3jlyxrlzd0xnze4nzkyote1mjywjmxhc3rbbgvydelkpty2nzjimgq1mdawmdawmdawmdawmdawma==","targetHost":"127.0.0.1","targetPort":"514","targetProtocol":"udp"}]}"

Can you please provide support on what changes we need to make to get the activity and alert logs?
Thank You
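The agent output posted above already says where the data is supposed to go: the portal answers each poll with a `nextOperations` list, and the `forwardData` operation names a `targetHost`/`targetPort`/`targetProtocol` (here `127.0.0.1:514/udp`) plus a `sourceDataUrl` carrying the `lastActivityCreated`/`lastAlertId` checkpoint; the agent then reports back an `operationsStatus` with `success:true` and no messages. Before changing the integration, it helps to read those fields out of the log and to confirm that anything at all arrives on the advertised UDP port. The script below is an added diagnostic written for this thread, not code from the original post or from Microsoft's SIEM agent; it assumes only the line format shown above, and the sample lines embedded in it are constructed from the post with placeholder operation ids.

```python
import json
import socket
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the agent output in the post above
# (same line shapes; operation ids shortened to placeholders).
SAMPLE_AGENT_LOG = r'''
Connecting socket to xyz.us2.portal.cloudappsecurity.com/52.184.165.82:443 with timeout 30000
"{"agentType":"MCAS_SIEM","version":"0.111.126","operationsStatus":[{"operationType":"forwardData","success":true,"messages":[],"operationId":"op-1"},{"operationType":"sleep","success":true,"messages":[]}]}"
Connection established 100.64.0.1:49261<->52.184.165.82:443
http-outgoing-48: set socket timeout to 60000
{"nextOperations":[{"type":"sleep","duration":300000},{"type":"forwardData","sourceDataUrl":"https://xyz.us2.portal.cloudappsecurity.com/api/v1/agents/siem/get_data/?lastActivityCreated=1718792915260&lastAlertId=6672b0d50000000000000000&operationId=op-2","operationId":"op-2","targetHost":"127.0.0.1","targetPort":"514","targetProtocol":"udp"}]}"
'''


def extract_json_objects(log_text):
    """Pull the JSON payloads out of the agent log.

    The logger wraps some payloads in stray double quotes (see the post), so
    strip those before parsing; non-JSON lines (socket chatter) are skipped.
    """
    objects = []
    for raw in log_text.splitlines():
        line = raw.strip().strip('"')
        if not line.startswith("{"):
            continue
        try:
            objects.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return objects


def summarize(log_text):
    """Return the forwarding targets, the polling checkpoint and the agent's own status reports."""
    summary = {"targets": [], "cursor": {}, "status": []}
    for obj in extract_json_objects(log_text):
        for op in obj.get("nextOperations", []):
            if op.get("type") != "forwardData":
                continue
            summary["targets"].append(
                (op["targetHost"], int(op["targetPort"]), op["targetProtocol"].lower())
            )
            query = parse_qs(urlparse(op["sourceDataUrl"]).query)
            summary["cursor"] = {
                k: v[0] for k, v in query.items() if k in ("lastActivityCreated", "lastAlertId")
            }
        for st in obj.get("operationsStatus", []):
            summary["status"].append(
                (st["operationType"], bool(st["success"]), len(st.get("messages", [])))
            )
    return summary


def diagnose(summary):
    """Turn the summary into the checks a SIEM engineer would run next."""
    findings = []
    for host, port, proto in summary["targets"]:
        if host in ("127.0.0.1", "localhost", "::1"):
            findings.append(
                f"target is {host}:{port}/{proto}: the syslog listener must run on the agent host itself"
            )
        if proto == "udp":
            findings.append(
                f"udp to {host}:{port} never fails on a closed or absent listener; verify receipt with a listener"
            )
    for op, ok, n_messages in summary["status"]:
        if op == "forwardData" and ok and n_messages == 0:
            findings.append(
                "agent reported forwardData success with no status messages: the portal side is not the place to look"
            )
    return findings


def open_listener(host, port):
    """Bind a UDP socket where the agent has been told to send (port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def receive_one(sock, timeout=5.0):
    """Return the first datagram that arrives on the listener, or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, _ = sock.recvfrom(65535)
        return data
    except socket.timeout:
        return None


def send_probe(host, port, message=b"<14>diagnostic probe"):
    """Send one constructed syslog-style datagram, e.g. to prove the listener path works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (host, port))


if __name__ == "__main__":
    s = summarize(SAMPLE_AGENT_LOG)
    print("targets:", s["targets"], "cursor:", s["cursor"])
    for line in diagnose(s):
        print("-", line)
    # Self-check of the listener path on an ephemeral port (no root needed).
    listener = open_listener("127.0.0.1", 0)
    send_probe("127.0.0.1", listener.getsockname()[1])
    print("listener received:", receive_one(listener, 2.0))
    listener.close()
```

Run it against the real agent log file instead of `SAMPLE_AGENT_LOG` to see which host and port the portal has assigned; then run `open_listener("127.0.0.1", 514)` on the agent machine while the agent is active (or point your SIEM's syslog input at that address) and watch whether `receive_one` ever returns data. Because the target in the post is loopback over UDP, a SIEM on any other machine, or one listening on TCP, will see nothing while the agent keeps reporting success.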

2 Replies

  • Tanmoy 

    Hi, In general, we would recommend looking into other options to get data to your SIEM.

    The Graph API is usually your best bet.

    If your SIEM is Splunk, then we recommend leveraging the plug-in that uses Graph to get the data directly into your SIEM: Splunk Add-on for Microsoft Security | Splunkbase

    Now, if that is not an option, can you please share more details about your issue? All I see here is a timeout.

    •
      Tanmoy
      Copper Contributor

      Hi Yoann_David_Mallet, we are looking to fetch the alerts and activities logs for Defender for Cloud Apps. I guess we don't have a Graph API for the same, so we were trying this integration approach: https://learn.microsoft.com/en-us/defender-cloud-apps/siem

      We are facing the mentioned challenge while setting this up.
