EMS E3 CAS Discovery Functionality
When I look at the O365 EM+S E3 license setting in the O365 Admin Center, it shows Cloud App Security Discovery as an option. This page https://support.office.com/en-us/article/get-ready-for-office-365-cloud-app-security-d9ee4d67-f2b3-42b4-9c9e-c4529904990a?ui=en-US&rs=en-US&ad=US clearly states that we need E5 to get CAS, but does not mention Cloud App Security Discovery. Can someone please provide me the definitive answer about what is actually possible with EMS E3 regarding CAS.
Configure Palo Alto Panorama for Cloud App Discovery
Below are the steps I've taken to integrate PaloAlto Panorama Traffic logs to Cloud App Discovery. In this setup, multiple PA Firewalls are configured forward their logs to Panorama. Check the Palo Alto guides for how this is setup. Your thoughts and feedback is much appreciated. Follow the Microsoft guide to https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker-ubuntu-azure. I've settled with the Docker for Ubuntu on Azure after multiple failed attempts with RHEL 8.1. For Step 3 - On-premises configuration of your network appliances log into Panorama, make sure Context Panorama on the top left is selected. Select the Panorama tab and Server Profiles -> Syslog on the left hand menu. Select Add to create a new Syslog Server Profile Enter a Name for the Profile - i.e. MCAS Log Collector Select Add in the Servers tab and provide the details for the collector server, i.e.:Name: MCAS Server Azure IP: <<Log Collector IP>> Transport: as per your collector config, i.e. TCP Port: as per your collector config, i.e. 601 Format: BSS Facility: LOG_USER Select Ok to save the Syslog Server and Profile. Go to Collector Groups and select the "default" Collector Group. Select the Collector Log Forwarding tab, then the Traffic tab. Select Add and give the Log Setting a name, i.e. MCAS Logs Set filter to All Logs Select Add in the Syslog field and select the MCAS Log Collector. Select Ok, and Ok again, then save and commit your changes. Done. Follow on with Step 4 - Verify the successful deployment in the Cloud App Security portal in the Microsoft guide.
MDATP Integration - Unsanctioned Apps - Allow for some users?
Hi, I've reviewed the documentation @ https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery in relation to blocking unsanctioned apps - specifically using MDATP on Win10 endpoints. The documentation doesn't mention anything about governance when using MDATP - Is the functionality similar to the integration with Zscaler and iBoss, where once an app is tagged as unsanctioned it is blocked on the endpoint for all users? Is there any way to provide greater granularity to the process - ie allow an app for some users and not for others or is it a binary choice for the entire organisation? Thanks PaulCheckpoint firewall - automatic log collection - recommended method ?
Hi - is there a recommended/supported method to achieve automatic Checkpoint firewall log collection ? On the Checkpoint side it seems there are 2 main log export mechanisms. 1. CPLOGTOSYSLOG tool. 2. Log Exporter - Check Point Log Export tool. I am getting the impression that cplogtosyslog is the preferred supported method from Microsoft side. However from Checkpoint side Log Exporter tool is their preferred method going forward. Any guidance or advice on how to get this to work would be appreciated ? Thanks...
MCAS - Log Collector - Configuration Not Sending to MCAS
I'm fairly new to MCAS. Am attempting to get an onPrem log collector (docker) to transmit ASA logs to the log collector in MCAS. However, something is not working. This docker instance is running within a hyper-v 2016 guest (Guest: Windows Server 2019). The source is an ASA 5508 sending syslog (level 6) to the docker instance on TCP 20000. Host firewall inbound rule allows TCP 20000 from the ASA. Within Azure MCAS, it shows the log collector is "Connected" - Warning: No data was received since log collection deployment. Make sure you complete on-premises configuration of your network appliances. From a review of a NetMon network trace, run from the host, we are receiving traffic from the ASA on TCP 20000. Netstat does show the server is listening on TCP 20000. Below is docker run command. Have opened a case with MS, but they claim to be new as MCAS and docker. Any ideas why I'm not getting data? docker run --name ASALogCollector -p 20000:20000/tcp -p 21:21 -p 20001-20099:20001-20099 -e "PUBLICIP='internalhost.acme.com'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=xxxxx.us3.portal.cloudappsecurity.com" -e "COLLECTOR=ASALogCollector" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter
