Adallom/Microsoft Cloud Security – Log Export

April 5th, 2016
by larry

Forward logs to your SIEM (Preview Feature)

 Taken from: https://technet.microsoft.com/en-us/library/mt657569.aspx

Integrating with a SIEM service lets you protect your cloud applications while keeping your usual security workflow, automating security procedures, and correlating cloud-based and on-premises events. The Cloud App Security SIEM agent pulls the logs through the Cloud App Security API and streams them in CEF format to your SIEM's syslog listener, so Cloud App Security logs can be searched and correlated alongside everything else in the SIEM. To integrate Cloud App Security with your SIEM, perform the following steps, which pull the Cloud App Security logs and send them to your SIEM service using Syslog over TCP.

Note
 Cloud App Security uses TCP to ensure reliable delivery to the SIEM. TCP gives delivery reliability only, not confidentiality: the configuration on this page has no TLS option, so the CEF stream travels in clear text between the agent host and the SIEM. Keep that hop on a trusted network segment, or run the agent on the SIEM host itself.
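What the SIEM side receives, as an added example that is not part of the original page or of Microsoft's agent: a throw-away TCP syslog listener that accepts the agent's stream and parses each CEF record into its header and extension fields. Pointing SIEM HOST and SIEM PORT at the machine running it confirms that the agent connects and that events arrive, before a production SIEM is involved. The sample line at the bottom is constructed; its vendor, product and extension fields are placeholders, not the agent's real output.

```python
import re
import socketserver
import sys

# Added example (not part of the original page or of Microsoft's SIEM agent):
# a throw-away TCP syslog listener that accepts the agent's stream and parses
# each CEF record, so the transport can be checked before a real SIEM is involved.

CEF_MARKER = "CEF:"
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    # A backslash-escaped character stands for itself ('\|', '\=', '\\');
    # 'n' and 'r' after a backslash mean newline and carriage return.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str):
    """Parse one syslog line carrying a CEF record into a flat dict.

    Whatever precedes 'CEF:' (PRI, timestamp, hostname) is kept as 'syslog_prefix'.
    Returns None when the line carries no well-formed CEF record.
    """
    idx = line.find(CEF_MARKER)
    if idx < 0:
        return None
    body = line[idx + len(CEF_MARKER):].rstrip("\r\n")
    # Header fields are '|'-separated; a '\|' inside a field is a literal pipe,
    # and everything after the seventh unescaped pipe is the extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        return None
    record = {"syslog_prefix": line[:idx].strip()}
    for key, value in zip(HEADER_FIELDS, parts):
        record[key] = _unescape(value)
    # Extension: key=value pairs whose values may contain spaces, so split only
    # where the next token looks like a key (an escaped '\=' never does).
    for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", parts[-1].strip()):
        if "=" in pair:
            key, value = pair.split("=", 1)
            record[key] = _unescape(value)
    return record


class CefHandler(socketserver.StreamRequestHandler):
    """One connection from the agent; expects one newline-terminated message per line."""

    def handle(self):
        for raw in self.rfile:
            event = parse_cef(raw.decode("utf-8", errors="replace"))
            if event is None:
                print(f"{self.client_address[0]} unparsed: {raw!r}")
            else:
                print(f"{self.client_address[0]} {event['device_product']} "
                      f"sig={event['signature_id']} sev={event['severity']} {event['name']!r}")


def serve(host: str, port: int) -> None:
    """Block forever accepting TCP syslog connections on host:port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), CefHandler) as server:
        server.serve_forever()


# Constructed sample (placeholder vendor/product/fields, not real agent output);
# it exercises an escaped pipe in the header and an escaped '=' in the extension.
SAMPLE_LINE = ("<14>Apr  5 12:00:00 siemagent CEF:0|ExampleVendor|ExampleProduct|1.0|1234|"
               "Log on \\| admin|3|suser=alice@example.com act=Log\\=on dst=10.0.0.120 "
               "msg=Session opened from 198.51.100.7\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        serve(sys.argv[1], int(sys.argv[2]))   # e.g. 0.0.0.0 1111 to match SIEM PORT
    else:
        print(parse_cef(SAMPLE_LINE))
```

Run it with a bind address and the port you put in SIEM PORT (for example 0.0.0.0 1111) on the host named in SIEM HOST; with no arguments it just parses the constructed sample. The listener reads newline-delimited messages, so any line it prints as "unparsed" is either a framing mismatch or something that is not CEF and deserves a look before the real SIEM is configured.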
  1. Prerequisites:
    • A standard Linux or Windows server (can be a virtual machine).
    • The server should run Java 8.
  2. In the Cloud App Security console, click your name in the console menu bar, select User settings, and then click the API Token tab. Name your SIEM integration token and click Generate new token. In the Created API token window, copy the token value. Treat the token as a credential: it grants read access to your activity and alert logs, and it will sit in clear text in the agent's configuration file.
  3. Create the following folders on your server:
    • Linux: /etc/mcas/siemagent and /etc/mcas/siemagent/cfg
    • Windows: C:\MCAS\siemagent and C:\MCAS\siemagent\cfg
    The configuration file below also names a log directory and a state file; make sure those locations exist or can be created, and are writable by the account that runs the agent.
  4. Download SIEMAgent.jar and save it to your server in:
    • Linux: /etc/mcas/siemagent/
    • Windows: C:\MCAS\siemagent
    Note
    It is recommended to keep the version number as part of the filename, for easier identification of the installed version.
    Note
    • Cloud App Security supports multiple concurrent SIEM agents for different variations of logs and filters. You can create several configuration files and repeat these steps.
    • The Cloud App Security SIEM agent uses the system clock for the initial event synchronization. Make sure it is accurate (for example, NTP-synchronized) before running the agent. Events are downloaded from the initial run onward; if you want to download all earlier events, contact support.
  5. Configure your SIEM agent as follows:
    1. Choose a name for your configuration, then create a new file in the cfg folder named [CFGNAME].xml, where CFGNAME is that name (do not include the brackets [ ]). Start with a letter and do not use spaces or special symbols; numbers, dashes and underscores are allowed. Paste the following into the file you created and edit the parameters within (they are described in the table that follows). The file holds your API token in clear text, so restrict read access to the account that runs the agent. The XML element names did not survive in this copy of the page; the linked TechNet article has the complete template. For Linux:
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      
         /var/log/mcas/siemagent/[CFGNAME]
         /etc/mcas/siemagent/state/[CFGNAME].dat
         [RUN INTERVAL]
         https://[PORTAL SUB-DOMAIN].portal.cloudappsecurity.com/api/
         [TOKEN]
         [LOG TYPE]
         
             [FILTER]
             [FILTER]
         
         [SIEM HOST]
         [SIEM PORT]
         [OPTIONAL - PROXY HOST]
         [OPTIONAL - PROXY PORT]
         [OPTIONAL - LOGGING ENABLE]
         [OPTIONAL - SIEM LOGGING ENABLE]
         [OPTIONAL – FORMAT SET]
         [OPTIONAL – CUSTOM FORMAT]
      

      For Windows:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      
         C:\MCAS\siemagent\log\[CFGNAME]
         c:\MCAS\siemagent\state\[CFGNAME].dat
         [RUN INTERVAL]
         https://[PORTAL SUB-DOMAIN].portal.cloudappsecurity.com/api/
         [TOKEN]
         [LOG TYPE]
         
             [FILTER]
             [FILTER]
         
         [SIEM HOST]
         [SIEM PORT]
         [OPTIONAL - PROXY HOST]
         [OPTIONAL - PROXY PORT]
         [OPTIONAL - LOGGING ENABLE]
         [OPTIONAL - SIEM LOGGING ENABLE]
         [OPTIONAL – FORMAT SET]
         [OPTIONAL – CUSTOM FORMAT]
      
      
      
      

      Parameters table (omit any lines for optional parameters that you are not using):

      Value                          | Description                                                                             | Example
      CFGNAME                        | A unique name for this instance of the SIEM agent; use the name you chose for the file. | audits
      RUN INTERVAL                   | Synchronization interval in milliseconds; 20 seconds is the recommended value.          | 20000
      PORTAL SUB-DOMAIN              | The sub-domain you see when you log in to the portal.                                   | cloudappsecurity
      LOG TYPE                       | Type of log to retrieve: audits (activity log entries) or alerts (alert entries).       | audits
      FILTER (optional)              | List of filters; only entries that match all of them are returned (AND). See below.     | service=google-apps
      SIEM HOST                      | The IP address of the SIEM server.                                                      | 10.0.0.120
      SIEM PORT                      | The port number of the SIEM's TCP Syslog listener.                                      | 1111
      PROXY HOST (optional)          | The IP address of your HTTP proxy.                                                      | 10.0.0.250
      PROXY PORT (optional)          | The TCP port of your HTTP proxy.                                                        | 8080
      LOGGING ENABLE (optional)      | Set to true to turn on the agent's own log files.                                       | true
      SIEM LOGGING ENABLE (optional) | Set to true to also send the agent's internal logs to the Syslog server.                | true
      FORMAT SET (optional)          | ADALLOM_CEF_V1 (default): the default SIEM agent output format.                         | ADALLOM_CEF_V1
                                     | ARCSIGHT_CEF_V1: output format compatible with an ArcSight system.                      |

      Activity filters (LOG TYPE audits):

      Parameter | Type                                                        | Description
      action    | Multi-value string; comma-separated list; supports negation | List of actions
      service   | Multi-value string; comma-separated list; supports negation | List of apps, each named as described below
      user      | Multi-value string; comma-separated list; supports negation | List of users

      To derive a service name from the application name shown in the portal:

      • Take the application name as listed in the portal.
      • Convert all characters to lower case.
      • Replace spaces with a hyphen (-).
      • Remove every character that is not a letter, a digit or a hyphen.
      • Replace multiple consecutive hyphens with a single hyphen.
      • Remove any hyphens from the start and end.

      For example:

      • Google Apps: google-apps
      • Office 365: office-365
      • Microsoft SharePoint Online: microsoft-sharepoint-online
      • Salesforce: salesforce

      Alert filters (LOG TYPE alerts):

      Parameter | Type                                                        | Description
      users     | Multi-value string; comma-separated list; supports negation | List of users
  6. Run the SIEM agent in one of the following modes:
    • Manual run (substitute the actual file name of the jar you saved, for example one that includes the version number; on Linux the file name is case-sensitive):
      • Linux: java -jar /etc/mcas/siemagent/siemagent.jar /etc/mcas/siemagent/cfg/[CFGNAME].xml
      • Windows: java -jar C:\MCAS\siemagent\siemagent.jar C:\MCAS\siemagent\cfg\[CFGNAME].xml
    • Automated run: create a startup script (or a service definition) that runs the same command at system startup, under a dedicated low-privilege account that can read the cfg folder and write the log and state locations named in the configuration.
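The service filter's naming rules applied in code, as an added example that is not part of the original page or of Microsoft's agent: a function that turns a portal display name into the value the service activity filter expects, and a helper that assembles the comma-separated action/service/user filter strings. Inputs such as "Foo - Bar (Beta)" are constructed to show the hyphen-collapsing rule at work; the negation syntax is not described on this page, so the helper does not attempt it.

```python
import re

# Added example (not part of the original page or Microsoft's SIEM agent):
# applies the naming rules for the "service" activity filter and builds the
# comma-separated filter strings for the action/service/user parameters.


def service_filter_name(app_name: str) -> str:
    """Turn a portal application display name into a 'service' filter value."""
    name = app_name.lower()                  # rule 2: lower-case every character
    name = re.sub(r"\s+", "-", name)         # rule 3: spaces become hyphens
    name = re.sub(r"[^a-z0-9-]", "", name)   # rule 4: keep only letters, digits and hyphens
    name = re.sub(r"-{2,}", "-", name)       # rule 5: collapse runs of hyphens
    return name.strip("-")                   # rule 6: trim hyphens at either end


def build_activity_filters(action=(), service=(), user=()) -> list:
    """Return the filter entries for an 'audits' configuration, one per element.

    The agent ANDs every filter, so an event must match all returned entries.
    Service names are normalized; actions and users are passed through as given.
    """
    filters = []
    if action:
        filters.append("action=" + ",".join(action))
    if service:
        filters.append("service=" + ",".join(service_filter_name(s) for s in service))
    if user:
        filters.append("user=" + ",".join(user))
    return filters


if __name__ == "__main__":
    for name in ("Google Apps", "Office 365", "Microsoft SharePoint Online", "Salesforce"):
        print(f"{name!r:32} -> {service_filter_name(name)}")
    # Constructed input: a display name where rules 4 and 5 interact.
    print(build_activity_filters(service=["Google Apps", "Foo - Bar (Beta)"],
                                 user=["alice@example.com"]))
```

Each string the helper returns is meant to go into its own filter entry of the configuration file; with two services and one user it yields two entries, and an event must match both to be forwarded.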
