App Connectors
Lag in Cloud App Security
Does anyone else notice/experience a lag in the logging within Microsoft Cloud App Security? It's more noticeable with connections to other cloud services, but even processing rules around revoking rights to, for example, files flagged as sensitive seems to take longer than what I would describe as acceptable to process (so more than 30 minutes). As a small team, ideally we would like to trust the reporting and actions that this product generates and takes, but it just doesn't seem to be consistent.

How to get SharePoint Online into Conditional Access App Control
Hello, what are the steps to add SharePoint Online into Conditional Access App Control? When I add a new app and then search for SharePoint, I get the message below. When I click on "start wizard" it's asking me for SAML XML data. Is this the proper way to add SharePoint Online to Conditional Access App Control?

Plans for multi-instance app connectors to Office 365 and/or Azure?
Hi! Anyone know if there are any plans for multi-instance support for Office 365 and Azure app connectors? I have a customer which has lots of tenants, and they would like to aggregate all the security logging into the same centralized MCAS solution. But since it doesn't seem to be possible today, they are pulling all the logs down on-premises for further analysis in their own SIEM. I can really see the need for this functionality, since many organisations buy other companies and end up with more tenants. If they are going to be able to keep control over the ever-increasing security boundary, they are forced to download all the logs to their local SIEM. Thanks in advance!

MCAS and Salesforce - Do we need SF Shield?
Hi, we asked Microsoft and Salesforce if the SF Shield licenses were a requirement to improve monitoring; neither was able to respond, so I'm reaching out to the community. We have connected our SF instance to MCAS following the available documentation. We had to do some tinkering to bypass having to use a Sysadmin profile. SF shows up as connected and we get the user correlation between Azure/O365/MCAS and SF plus some login/logout events. Now, we don't get a lot of data/alerts from Salesforce; will this be improved by adding the extended event monitoring provided by SF Shield? Thanks for any experiences and feedback, Robert

MCAS Regex Engine
Maybe you have a quick answer. We are currently evaluating DLP capabilities with MCAS. As we are now implementing use cases, we discovered that the regex engine from Microsoft is somewhat special. My colleagues and I understand that this is a mass-amount engine and therefore has its limitations regarding the quantifiers. Now, the docs are kind of clear, but only very briefly. How does the regex engine actually work, and what are the limitations? We can investigate every single regex match, but how do we validate false positives for an amount of matches? (Probability score or reducing the max. matches per day) Some example use cases from the customer:
- Leveraging regex to look for HTTP headers
- Look for cookies (e.g. look for "Set-Cookie")
- Regex hunting base64-encoded JWT ID or access tokens or other custom tokens with various file types
- PCI data (can be covered by MCAS)
- AWS session token (SessionToken AND base64-encoded data in the vicinity)
- MIP-labeled documents (can be covered by MCAS)
Hope someone can help.

"Access to Microsoft Teams is monitored" - Times out
Hi all, could you point me in the right direction here, please. We have MCAS in place mostly for session-based policies; however, when attempting to load Teams, it sits on this page going around until it eventually times out: Seems to impact SharePoint too, but Exchange, OneDrive, etc. seem fine. I believe due to this that the Teams and SharePoint apps aren't showing under Conditional Access App Control apps: My conditional access policy is scoped to the 'Office 365' apps. Sometimes the above pages don't appear and it goes through with the session-based policies working fine, but it is inconsistent. I've tested on Edge, Chrome, Firefox, etc.; the same inconsistent issue is present. MCAS tenant is located in West Europe (EU1).

MCAS not detecting new SharePoint sites/libraries
We are currently in a test phase of implementing MCAS. The main use case will be session and file policies for OneDrive / SPO. We have also configured a specific SharePoint document library to be used for quarantine. But in the settings menu, it does not show up in the list of available folders. It also does not show up in the investigate/file queries. Does MCAS require certain permissions on the SharePoint sites? Does someone else have issues with SP libraries not showing up in MCAS? (We have waited 24 hours now, still not visible/available.)

Uploading Palo Alto firewall logs to MCAS and Sentinel
Hi, I'm investigating the best way to get our Palo Alto firewall logs into MCAS and Sentinel. My present understanding is that two different log collector methods would be required in parallel:
- MCAS - log collector running in Docker
- Sentinel - syslog server with the OMA agent installed
As the documentation indicates MCAS processing is every 24 hours, I'm assuming the PA firewall logs cannot be passed over to Sentinel on the MCAS connector. Is it possible to run the Docker log collector and the syslog via OMA on the same host if it has a high enough specification to take the load?

Using endpoints from mcas-siemagent-0.111.126-signed.jar
I've been using the mcas-siemagent-0.111.126-signed.jar file to retrieve logs from my cloud services. I've been saving the logs to a local directory, and while looking at them I've noticed two interesting endpoints:
Executing request GET /api/v1/agents/siem/consume/
Executing request GET /api/v1/agents/siem/get_data/?{some cursor related data}
Is there any way of getting the log information using those endpoints, without using the .jar?

Cloud App Security non-interactive
Does Cloud App Security detect and log non-interactive sign-ons? When I look at the Azure sign-in logs for a particular user, I can see the non-interactive sign-ons; however, trying to match this up or correlate this in Cloud App Security is proving to be difficult.