Playbook for Azure Sentinel & MCAS integration
Prerequisites:
- Basic knowledge of KQL, Azure Sentinel and MCAS
- Data connector for Microsoft Cloud App Security already connected in the Azure Sentinel portal
- Alerts from MCAS already being ingested into the Azure Sentinel Log Analytics workspace
Quick note: this playbook was built on top of an existing playbook for Azure Sentinel and Azure Security Center developed by Nathan Swift (@SwiftSolves), so all credits to my colleague ;)
Want to be able to automatically close an Incident in MCAS right after investigating it in Azure Sentinel? Here's a very straightforward Logic App you can build to handle that scenario.
Before we dive in, the whole idea is basically this: once I've analyzed the Incident, I can run this playbook from the lateral menu under "View playbooks", reached via "View full details" on the Incident main page:
1. Access your MCAS portal (https://portal.cloudappsecurity.com) and, in the Security extensions menu, create a new API Token.
Copy the token key, since you're going to use it later.
2. In the Azure Sentinel portal, click on the Playbooks menu and choose + Add Playbook.
3. On the Playbook creation page, choose the appropriate Subscription, Resource Group and Location, and click "Review + Create".
4. Once the previous step is done, go to the Logic App designer page and configure the steps as shown below:
Step 1: “Run Query and list results”
Here’s the KQL to put on Query body:
SecurityAlert
// keep only the most recent record for each alert id
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// SystemAlertId is supplied by the Azure Sentinel alert trigger of the Logic App
| where SystemAlertId in ("@{triggerBody()?['SystemAlertId']}")
| where TimeGenerated >= ago(90d)
// ExtendedLinks is a JSON array of links; element [1] is the MCAS portal link to the alert
| extend McasAlertID = tostring(parse_json(ExtendedLinks)[1].Href)
// split the URL on "/" and keep element 5, which is the MCAS alert id at the end of the URL
| extend Mcas2AlertID = split(McasAlertID, "/", 5)
| extend Mcas2AlertID = tostring(Mcas2AlertID[0])
| project McasAlertID, Mcas2AlertID
Step 2: “Parse JSON”
whose schema should be filled out with:
{
    "items": {
        "properties": {
            "Mcas2AlertID": {
                "type": "string"
            },
            "McasAlertID": {
                "type": "string"
            }
        },
        "required": [
            "McasAlertID",
            "Mcas2AlertID"
        ],
        "type": "object"
    },
    "type": "array"
}
Step 3: “HTTP”
The URI for this step can be found in the MCAS portal under "API documentation":
you'll then be presented with it on the main page:
That's all. Once finished, save the Logic App with the Save button, and you're all set.
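To see what the Step 1 query actually does with the SecurityAlert.ExtendedLinks field, and what the Step 3 HTTP action ends up sending, here is the same logic reproduced in Python. This is an added example, not code from the original post or from Nathan Swift's playbook: the tenant name, alert id, link layout and close-endpoint template are constructed assumptions, and the real URI must be copied from the MCAS "API documentation" page as Step 3 says.

```python
"""Added example (not part of the original playbook): reproduce the Step 1
ID-extraction logic and the Step 3 request shape so they can be checked
offline against a sample SecurityAlert row."""
import json

# Constructed sample of SecurityAlert.ExtendedLinks as stored by the MCAS data
# connector: a JSON array of link objects. The KQL reads element [1].
SAMPLE_EXTENDED_LINKS = json.dumps([
    {"Href": "https://example.invalid/other-link", "Label": "constructed first link"},
    {"Href": "https://contoso.portal.cloudappsecurity.com/#/alerts/5f1e2d3c4b5a69788796a5b4",
     "Label": "constructed MCAS portal link"},
])


def extract_mcas_alert_id(extended_links: str) -> tuple[str, str]:
    """Mirror the KQL: McasAlertID = ExtendedLinks[1].Href and
    Mcas2AlertID = split(McasAlertID, "/")[5].

    Unlike the KQL, which silently yields an empty id when the link layout
    differs, this raises so no API call is built without an alert id.
    """
    links = json.loads(extended_links)
    if len(links) < 2 or "Href" not in links[1]:
        raise ValueError("ExtendedLinks does not contain the expected MCAS link at index 1")
    mcas_alert_url = str(links[1]["Href"])
    parts = mcas_alert_url.split("/")
    # "https://tenant.../#/alerts/<id>" splits into
    # ["https:", "", "tenant...", "#", "alerts", "<id>"], so index 5 is the id
    if len(parts) < 6 or parts[4] != "alerts" or not parts[5]:
        raise ValueError(f"unexpected MCAS alert URL layout: {mcas_alert_url}")
    return mcas_alert_url, parts[5]


def build_close_request(alert_id: str, api_token: str, close_uri_template: str) -> dict:
    """Return the pieces the Logic App HTTP action needs.

    close_uri_template is an assumption: paste the close/resolve URI from the
    MCAS portal's "API documentation" page and keep "{alert_id}" where the id
    goes. POST and the "Token <key>" Authorization header are the forms the
    MCAS API token uses; the token is the one created in step 1.
    """
    if not alert_id or "/" in alert_id:
        raise ValueError("refusing to build a request for a malformed alert id")
    return {
        "method": "POST",
        "uri": close_uri_template.format(alert_id=alert_id),
        "headers": {
            "Authorization": f"Token {api_token}",
            "Content-Type": "application/json",
        },
    }


if __name__ == "__main__":
    url, alert_id = extract_mcas_alert_id(SAMPLE_EXTENDED_LINKS)
    print("McasAlertID :", url)
    print("Mcas2AlertID:", alert_id)
    # placeholder endpoint; replace with the URI from the MCAS API documentation
    print(build_close_request(alert_id, "<API token from Security extensions>",
                              "https://contoso.portal.cloudappsecurity.com/api/v1/alerts/{alert_id}/<close-action>/"))
```

Running this on a real ExtendedLinks value copied from your workspace is a quick way to confirm that index 1 and split element 5 are right for your tenant before the Parse JSON step depends on them; if the layout differs, the function raises instead of handing an empty id to the HTTP step.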
Friendly reminder: the playbook will run once you choose it under "View Playbooks", as described at the start.
GoodHunting! ;-)