You can integrate Microsoft Defender for Cloud Apps with your generic SIEM server to enable centralized monitoring of alerts and activities from connected apps. As new activities and events are supported by connected apps, visibility into them is then rolled out into Microsoft Defender for Cloud Apps. Integrating with a SIEM service allows you to better protect your cloud applications while maintaining your usual security workflow, automating security procedures, and correlating between cloud-based and on-premises events. The Microsoft Defender for Cloud Apps SIEM agent runs on your server and pulls alerts and activities from Microsoft Defender for Cloud Apps and streams them into the SIEM server.
When you first integrate your SIEM with Defender for Cloud Apps, activities and alerts from the last two days will be forwarded to the SIEM and all activities and alerts (based on the filter you select) from then on. If you disable this feature for an extended period, then re-enable, the past two days of alerts and activities are forwarded and then all alerts and activities from then on.
Additional integration solutions include:
Microsoft Sentinel - A scalable, cloud-native SIEM and SOAR for native integration. For information about integrating with Microsoft Sentinel, see Microsoft Sentinel integration.
If you are integrating Microsoft Defender for Identity in Defender for Cloud Apps and both services are configured to send alert notifications to a SIEM, you'll start to receive duplicate SIEM notifications for the same alert. One alert will be issued from each service, and they will have different alert IDs. To avoid duplication and confusion, plan for this scenario in advance. For example, decide where you intend to perform alert management, and then stop SIEM notifications from being sent by the other service.
Generic SIEM integration architecture
The SIEM agent is deployed in your organization's network. When deployed and configured, it pulls the data types that were configured (alerts and activities) using Defender for Cloud Apps RESTful APIs.
The traffic is then sent over an encrypted HTTPS channel on port 443.
Once the SIEM agent retrieves the data from Defender for Cloud Apps, it sends the Syslog messages to your local SIEM. Defender for Cloud Apps uses the network configurations you provided during the setup (TCP or UDP with a custom port).
Supported SIEMs
Defender for Cloud Apps currently supports Micro Focus ArcSight and generic CEF.
How to integrate
Integrating with your SIEM is accomplished in three steps:
Set it up in the Defender for Cloud Apps portal.
Download the JAR file and run it on your server.
Validate that the SIEM agent is working.
Prerequisites
A standard Windows or Linux server (can be a virtual machine).
OS: Windows or Linux
CPU: 2
Disk space: 20 GB
RAM: 2 GB
The server must be running Java 8. Earlier versions aren't supported.
Transport Layer Security (TLS) 1.2+. Earlier versions aren't supported.
Step 1: Set it up in the Defender for Cloud Apps portal
In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps.
Under System, choose SIEM agents. Select Add SIEM agent, and then choose Generic SIEM.
In the wizard, select Start Wizard.
In the wizard, fill in a name, select your SIEM format, and set any Advanced settings that are relevant to that format. Select Next.
Type in the IP address or hostname of the Remote syslog host and the Syslog port number. Select TCP or UDP as the Remote Syslog protocol.
You can work with your security admin to get these details if you don't have them. Select Next.
Select which data types you want to export to your SIEM server for Alerts and Activities. Use the slider to enable and disable them; by default, everything is selected. You can use the Apply to drop-down to set filters to send only specific alerts and activities to your SIEM server. Select Edit and preview results to check that the filter works as expected. Select Next.
Copy the token and save it for later.
Select Finish and leave the Wizard. Go back to the SIEM page to see the SIEM agent you added in the table. It will show that it's Created until it's connected later.
Note
Any token you create is bound to the admin who created it. This means that if the admin user is removed from Defender for Cloud Apps, the token will no longer be valid. A generic SIEM token provides read-only permissions only to the required resources. No other permissions are granted as part of this token.
Step 2: Download the JAR file and run it on your server
The file name may differ depending on the version of the SIEM agent.
Parameters in brackets [ ] are optional, and should be used only if relevant.
It is recommended to run the JAR during server startup.
Windows: Run as a scheduled task and make sure that you configure the task to Run whether the user is logged on or not and that you uncheck the Stop the task if it runs longer than checkbox.
Linux: Add the run command with an & to the rc.local file. For example: java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &
Where the following variables are used:
DIRNAME is the path to the directory you want to use for local agent debug logs.
ADDRESS[:PORT] is the proxy server address and port that the server uses to connect to the internet.
TOKEN is the SIEM agent token you copied in the previous step.
You can run the JAR with -h at any time to display its help.
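The following launcher script is an added example for the Linux case above, not Microsoft's script or part of the SIEM agent. The java command line it builds is the one documented in this step (--logsDirectory, --proxy and --token, with the optional flags added only when set). What the script adds is keeping the token in a file that only the service account can read, and refusing to start when that file is readable by group or others, since the token grants read access to the tenant's alerts and activities. The paths, the token file location and the JAR file name are placeholders (assumptions), and MDCA_DRY_RUN=1 prints the command with the token redacted instead of starting the agent.

```shell
#!/bin/sh
# Launcher for the Defender for Cloud Apps SIEM agent on Linux. Added example,
# not Microsoft's script: the java command line is the one the article gives;
# reading the token from a private file and checking its mode is this script's
# addition. Paths and the JAR file name below are placeholders (assumptions).

MDCA_JAR="${MDCA_JAR:-/opt/mdca/mcas-siemagent-0.87.20-signed.jar}"
MDCA_TOKEN_FILE="${MDCA_TOKEN_FILE:-/etc/mdca/siem-agent.token}"  # expected mode 0600
MDCA_LOG_DIR="${MDCA_LOG_DIR:-}"   # optional: passed as --logsDirectory DIRNAME
MDCA_PROXY="${MDCA_PROXY:-}"       # optional: passed as --proxy ADDRESS[:PORT]

# The token grants read access to the tenant's alerts and activities, so
# refuse any token file that group or others can read (mode bits 040 / 004).
token_file_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Build the command line the article documents (optional flags only when set)
# and start the agent in the background, as the article's rc.local line does.
# With MDCA_DRY_RUN=1 the command is printed with the token redacted instead.
launch_agent() {
    if ! token_file_is_private "$MDCA_TOKEN_FILE"; then
        echo "refusing to start: $MDCA_TOKEN_FILE is missing or readable by group/others" >&2
        return 1
    fi
    token=$(cat "$MDCA_TOKEN_FILE")
    set -- java -jar "$MDCA_JAR"
    [ -n "$MDCA_LOG_DIR" ] && set -- "$@" --logsDirectory "$MDCA_LOG_DIR"
    [ -n "$MDCA_PROXY" ] && set -- "$@" --proxy "$MDCA_PROXY"
    if [ "${MDCA_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$* --token <redacted>"
        return 0
    fi
    "$@" --token "$token" &
}

# rc.local usage (placeholder path): /usr/local/sbin/mdca-siem-agent.sh start
case "${1:-}" in
    start) launch_agent ;;
esac
```

Run it once with MDCA_DRY_RUN=1 to review the exact command line before adding the start call to rc.local; the token still appears in the agent's own argument list, which is the agent's documented interface, so the host's process list should be visible to administrators only.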
Sample activity logs
The following are sample activity logs sent to your SIEM:
Sample Defender for Cloud Apps alerts in CEF format
Applicable to | CEF field name | Description
--- | --- | ---
Activities/Alerts | start | Activity or alert timestamp
Activities/Alerts | end | Activity or alert timestamp
Activities/Alerts | rt | Activity or alert timestamp
Activities/Alerts | msg | Activity or alert description as shown in the portal
Activities/Alerts | suser | Activity or alert subject user
Activities/Alerts | destinationServiceName | Activity or alert originating app, for example, Microsoft 365, SharePoint, Box
Activities/Alerts | cs<X>Label | Each label has a different meaning, but the label itself explains it, for example, targetObjects
Activities/Alerts | cs<X> | The information corresponding to the label (the target user of the activity or alert, as per the label example)
Activities | EVENT_CATEGORY_* | High-level category of the activity
Activities | <ACTION> | The activity type, as displayed in the portal
Activities | externalId | Event ID
Activities | dvc | IP of the client device
Activities | requestClientApplication | User agent of the client device
Alerts | <alert type> | For example, "ALERT_CABINET_EVENT_MATCH_AUDIT"
Alerts | <name> | The matched policy name
Alerts | externalId | Alert ID
Alerts | src | IPv4 address of the client device
Alerts | c6a1 | IPv6 address of the client device
Step 3: Validate that the SIEM agent is working
Make sure the status of the SIEM agent in the portal isn't Connection error or Disconnected, and that there are no agent notifications. The status shows as Connection error if the connection is down for more than two hours, and as Disconnected if the connection is down for over 12 hours.
When the agent is healthy, the status shows as Connected.
In your Syslog/SIEM server, make sure you see activities and alerts arriving from Defender for Cloud Apps.
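The example below is added here and is not code from the SIEM agent or the article. It serves two points on this page: the CEF field table above (parsing the header and extension with CEF escaping, and pairing each cs<X>Label with its cs<X> value so that, for instance, targetObjects becomes a named field) and the validation step (checking that records are actually arriving, by applying the portal's two-hour and twelve-hour thresholds to the newest timestamp seen on the SIEM side). The two sample lines are constructed to follow the field table; the header values (vendor, product, version, and where the EVENT_CATEGORY_* and alert type values land) and the epoch-millisecond timestamps are assumptions and may differ from what the real agent emits. Resolving cn<X>Label and cfp<X>Label as well goes slightly beyond the table, which lists cs<X>Label only.

```python
"""Parse CEF records as the SIEM receives them and check feed freshness.

Added example, not code from the Defender for Cloud Apps SIEM agent or the
article. Sample lines are constructed to follow the article's CEF field table;
header values and timestamp format are assumptions.
"""
import re

# Constructed sample records: one activity and one alert (see article table).
SAMPLE_LINES = [
    "CEF:0|Microsoft|Defender for Cloud Apps|0.87|EVENT_CATEGORY_LOGIN|Log on|1|"
    "start=1700000000000 end=1700000000000 rt=1700000000000 "
    "suser=user@contoso.example destinationServiceName=Microsoft 365 "
    "dvc=203.0.113.10 requestClientApplication=Mozilla/5.0 "
    "externalId=11111111-2222-3333-4444-555555555555 "
    "cs1Label=targetObjects cs1=user@contoso.example "
    "msg=Log on; result\\=success",
    "CEF:0|Microsoft|Defender for Cloud Apps|0.87|ALERT_CABINET_EVENT_MATCH_AUDIT|"
    "Mass download policy|5|"
    "start=1700003600000 end=1700003600000 rt=1700003600000 "
    "suser=user@contoso.example destinationServiceName=Box "
    "src=203.0.113.10 c6a1=2001:db8::10 "
    "externalId=66666666-7777-8888-9999-000000000000 "
    "cs1Label=targetObjects cs1=quarterly-results.xlsx "
    "msg=Activity policy matched: Mass download",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# A key starts the extension or follows whitespace; an escaped "\=" never matches.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
# CEF custom fields whose meaning is carried by a sibling *Label field.
LABEL_RE = re.compile(r"^(cs[1-6]|cn[1-3]|cfp[1-4])Label$")
ESCAPES = {"\\=": "=", "\\\\": "\\", "\\|": "|", "\\n": "\n", "\\r": "\r"}


def _unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(ESCAPES.get(value[i:i + 2], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(line):
    """Return the seven pipe-separated header fields and the raw extension text."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], 4  # skip the "CEF:" prefix
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # "\|" and "\\" inside header fields
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]


def parse_extension(text):
    """Split 'key=value key=value' into a dict, honouring CEF value escapes."""
    keys = list(KEY_RE.finditer(text))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(text)
        ext[m.group(1)] = _unescape(text[m.end():end].strip())
    return ext


def resolve_labels(ext):
    """Map each cs<X>Label value to its cs<X> content, e.g. {'targetObjects': ...}."""
    labeled = {}
    for key, label in ext.items():
        m = LABEL_RE.match(key)
        if m and m.group(1) in ext:
            labeled[label] = ext[m.group(1)]
    return labeled


def parse_cef(line):
    fields, ext_text = _split_header(line)
    record = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = parse_extension(ext_text)
    record["labeled"] = resolve_labels(record["extension"])
    # src and c6a1 are listed for alerts only in the article's table.
    record["kind"] = "alert" if {"src", "c6a1"} & set(record["extension"]) else "activity"
    return record


def feed_health(records, now_ms, warn_hours=2, fail_hours=12):
    """Freshness of the feed from the newest 'rt' value (epoch milliseconds assumed).

    Mirrors the portal's Connection error (2 h) and Disconnected (12 h) thresholds,
    applied here to what actually reached the SIEM.
    """
    stamps = [int(r["extension"]["rt"]) for r in records
              if r["extension"].get("rt", "").isdigit()]
    if not stamps:
        return "disconnected"
    age_hours = (now_ms - max(stamps)) / 3_600_000
    if age_hours > fail_hours:
        return "disconnected"
    if age_hours > warn_hours:
        return "connection error"
    return "connected"


if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_LINES]
    for rec in parsed:
        print(rec["kind"], rec["signature_id"], rec["extension"]["externalId"], rec["labeled"])
    print(feed_health(parsed, now_ms=1700003600000 + 3_600_000))
```

Feeding the SIEM's received lines through parse_cef and then feed_health on a schedule gives an independent check that records are still arriving, rather than relying only on the agent status in the portal.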
Regenerating your token
If you lose the token, you can always regenerate it by selecting the three dots at the end of the row for the SIEM agent in the table. Select Regenerate token to get a new token.
Editing your SIEM agent
To edit the SIEM agent, select the three dots at the end of the row for the SIEM agent in the table, and select Edit. If you edit the SIEM agent, you don't need to rerun the .jar file; it updates automatically.
Deleting your SIEM agent
To delete the SIEM agent, select the three dots at the end of the row for the SIEM agent in the table, and select Delete.