Playbook for Azure Sentinel & MCAS integration

Priscila Viana
Jun 1, 2020

Azure Sentinel Data connectors page

Prerequisites:

  • Basic knowledge of KQL, Azure Sentinel and MCAS
  • Data connector for Microsoft Cloud App Security already connected in the Azure Sentinel portal
  • Alerts from MCAS already being ingested into the Azure Sentinel Log Analytics workspace

Quick note: This playbook was built on an existing playbook for Azure Sentinel and Azure Security Center developed by Nathan Swift (@SwiftSolves), so all credit goes to my colleague ;)

Want to be able to automatically close an incident in MCAS right after you have investigated it in Azure Sentinel? Here's a very straightforward Logic App you can build to quickly handle that scenario.

Before we dive in, the whole idea is basically this: once I have analyzed the incident, I run this playbook from the side menu under "View playbooks", reached via "View full details" on the incident's main page:

1. Access your MCAS portal (https://portal.cloudappsecurity.com) and, in the Security extensions menu, create a new API token.

Copy the token key, since you're going to use it later.

2. In the Azure Sentinel portal, click the Playbooks menu and choose + Add Playbook.

3. On the playbook creation page, choose the appropriate Subscription, Resource Group and Location, and click "Review + Create".

4. Once the previous step is done, go to the Logic App designer page and configure it as shown below:

Where:

Step 1: “Run Query and list results”

Here's the KQL to put in the Query body (the Logic App expression inside the quotes is replaced at run time with the SystemAlertId of the triggering incident):

SecurityAlert
// keep only the latest record per alert, then narrow down to the alert that triggered the playbook
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in ("@{triggerBody()?['SystemAlertId']}")
| where TimeGenerated >= ago(90d)
// the second entry of ExtendedLinks is the MCAS portal link; the alert id is its sixth "/"-separated segment
| extend McasAlertID = tostring(parse_json(ExtendedLinks)[1].Href)
| extend Mcas2AlertID = split(McasAlertID, "/", 5)
| extend Mcas2AlertID = tostring(Mcas2AlertID[0])
| project McasAlertID, Mcas2AlertID

Step 2: “Parse JSON”

for which the schema should be filled in with:

{
  "items": {
    "properties": {
      "Mcas2AlertID": {
        "type": "string"
      },
      "McasAlertID": {
        "type": "string"
      }
    },
    "required": [
      "McasAlertID",
      "Mcas2AlertID"
    ],
    "type": "object"
  },
  "type": "array"
}

Step 3: “HTTP”

The URI can be checked in the MCAS portal; open "API documentation":

then you'll see it on the main page:
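To make the three steps above checkable outside the Logic App designer, here is an added Python example (not part of the original post, nor Microsoft code) that mirrors them: the alert-id extraction of the KQL step, the required-field check of the Parse JSON step, and the assembly of the HTTP step. The ExtendedLinks sample, the tenant host, the alert id and the close-action path are constructed or placeholders; take the real URI from the portal's API documentation page.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of the ExtendedLinks column as delivered by the MCAS data connector:
# a JSON array of {"Href", "Label"} objects. Hosts and the alert id are made up.
SAMPLE_EXTENDED_LINKS = json.dumps([
    {"Href": "https://contoso.portal.cloudappsecurity.com/#/policy", "Label": "Policy"},
    {"Href": "https://contoso.portal.cloudappsecurity.com/#/alerts/5ed3f1a2b3c4d5e6f7a8b9c0",
     "Label": "Alert"},
])

# Assumed alphabet for alert ids; rejects '/', '..', '?' and anything else that could alter the URL path.
ALERT_ID_RE = re.compile(r"[A-Za-z0-9]+")


def extract_mcas_alert_id(extended_links):
    """KQL step: parse_json(ExtendedLinks)[1].Href, split on '/', take element 5.
    Adds the checks the query does not make before the id is placed in a URL path."""
    href = json.loads(extended_links)[1]["Href"]
    host = urlsplit(href).hostname or ""
    if not host.endswith(".portal.cloudappsecurity.com"):
        raise ValueError(f"not an MCAS portal link: {href}")
    alert_id = href.split("/")[5]  # same as split(McasAlertID, "/", 5)[0] in KQL
    if not ALERT_ID_RE.fullmatch(alert_id):
        raise ValueError(f"unexpected alert id format: {alert_id!r}")
    return alert_id


def parse_query_results(rows):
    """Parse JSON step: every row must carry string McasAlertID and Mcas2AlertID
    (the schema's 'required' list). Returns the ids to close."""
    ids = []
    for row in rows:
        for key in ("McasAlertID", "Mcas2AlertID"):
            if not isinstance(row.get(key), str):
                raise ValueError(f"row is missing required string field {key}: {row}")
        ids.append(row["Mcas2AlertID"])
    return ids


def build_close_request(alert_id, token,
                        api_base="https://contoso.portal.cloudappsecurity.com/api/v1",
                        close_path="/alerts/{id}/PLACEHOLDER_CLOSE_ACTION/"):
    """HTTP step, described without sending it. api_base and close_path are placeholders.
    The MCAS API expects the token in an 'Authorization: Token <key>' header, never in the URL."""
    if not ALERT_ID_RE.fullmatch(alert_id):
        raise ValueError("refusing to build a URL from an unvalidated alert id")
    return {"method": "POST",
            "url": api_base.rstrip("/") + close_path.format(id=alert_id),
            "headers": {"Authorization": f"Token {token}", "Content-Type": "application/json"}}
```

Keep the token in a Key Vault-backed Logic App parameter or a secured input so it does not appear in the run history.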

That's all. Once finished, save the Logic App with the Save button, and you're all set.

Friendly reminder: the playbook runs once you choose it under "View playbooks", as shown in the first picture.

Good hunting! ;-)
