
External Systems Configuration Guide

Microsoft Cloud App Security


Integration Points

  • Protocol: SIEM Agent
  • Information Discovered: Logon, User creation/deletion and other Audit activity for Azure Applications including Office 365, SharePoint, OneDrive, Teams, PowerBI, Exchange
  • Used For: Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "MS-Azure-CloudAppSec" in the Search field to see the event types associated with Microsoft Cloud App Security.

Configuring a SIEM Agent

FortiSIEM integrates with Microsoft Cloud App Security to collect alerts and activities from apps connected to Microsoft Cloud. As connected apps add support for new activities and events, these become available to FortiSIEM through the Microsoft Cloud App Security integration.

The integration is done via the Microsoft Cloud App Security SIEM agent. It can run on any server (including FortiSIEM). It pulls alerts and activities from Microsoft Cloud App Security and then streams them into FortiSIEM.

For details, see here.

FortiSIEM integration is accomplished in four steps:

  1. Set up a SIEM Agent in the Microsoft Cloud App Security portal.
  2. Download the SIEM agent (JAR file) and run it on a server. The agent connects to the portal, collects logs and forwards them to FortiSIEM. The server can be a FortiSIEM node such as a Collector.
  3. Validate that the SIEM agent is working correctly.
  4. Configure an application to connect to the Microsoft Cloud App Security portal, then view its events in FortiSIEM.

Step 1: Set Up a SIEM Agent in the Microsoft Cloud App Security Portal

  1. In the Cloud App Security portal, under the Settings cog, click Security extensions and then click on the SIEM agents tab.
  2. Click the plus icon to start the Add SIEM agent wizard.
  3. In the wizard:
    1. Click Start Wizard.
    2. Fill in a name.
    3. Select your SIEM format as 'Generic CEF'.
    4. In Advanced settings:
      1. Set Time Format to 'RFC 5424'.
      2. Check Include PRI.
      3. Check Include system name.
    5. Click Next.
    6. Type in the IP address or hostname of the FortiSIEM node that receives the events, and port 514. Select TCP or UDP as the SIEM protocol. In most cases, you would choose a FortiSIEM Collector. Click Next.
    7. Select which data types (Alerts and Activities) you want to export to FortiSIEM. We recommend choosing All Alerts and All Activities. You can use the Apply to drop-down to set filters that send only specific alerts and activities. You can click Edit and preview results to check that the filter works as expected. Click Next.
    8. The wizard will say that SIEM agent configuration is finished. Copy the token and save it for later.
    9. After you click Finish and leave the wizard, the SIEM agent you added appears in the table on the SIEM page. Its status shows Created until the agent connects later.

Step 2: Download the SIEM agent (JAR file) and Run it on a Server

  1. In the Microsoft Download Center, after accepting the software license terms, download the .zip file and unzip it.
  2. Run the following command:
    java -jar mcas-siemagent-0.87.20-signed.jar --logsDirectory <DIRNAME> --token <TOKEN> &

    where:

    • DIRNAME (optional) is the path to the directory where the agent writes its debug log.
    • TOKEN is the SIEM agent token you copied in Step 1, sub-step 3.8.

Step 3: Validate that the SIEM Agent is Working Correctly

Make sure the status of the SIEM agent in the Cloud App Security portal is 'Connected'.

If the connection is down for more than two hours, then the status may show 'Connection error'. The status will be 'Disconnected' if down for more than 12 hours.

Step 4: Configure an Application to Connect to Microsoft Cloud App Security Portal

Cloud App Security currently supports the following Office 365 apps:

  • Office 365
  • Dynamics 365 CRM
  • Exchange (only appears after activities from Exchange are detected in the portal and requires you to turn on auditing)
  • OneDrive
  • PowerBI (only appears after activities from PowerBI are detected in the portal, and requires you to turn on auditing)
  • SharePoint
  • Teams (only appears after activities from Teams are detected in the portal)

See the Microsoft documentation to set up these applications.

Connecting Office 365 to Cloud App Security

Use the app connector API to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account. The Microsoft Cloud App Security connection gives you visibility into and control over Office 365 use.

For information on how Cloud App Security helps protect your Office 365 environment, see here.

For information on the prerequisites and steps to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account, see How to connect Office 365 to Cloud App Security.

Sample Events

<109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|EVENT_CATEGORY_LOGIN|Log on|0|externalId=70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce rt=1526962648340 start=1526962648340 end=1526962648340 msg=Log on suser=user1@userfsiem.onmicrosoft.com destinationServiceName=Microsoft Azure dvc=43.254.220.13 requestClientApplication=;Windows 10;Edge 17.17134; cs1Label=portalURL cs1=https://userfsiem.us2.portal.cloudappsecurity.com/#/audits?activity.id\=eq(70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce,) cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs3Label=targetObjects cs3=Azure Portal,user1,user1 cs4Label=policyIDs cs4= c6a1Label="Device IPv6 Address" c6a1=
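
The Step 1 wizard settings (Generic CEF, RFC 5424 time format, Include PRI, Include system name) determine the layout of the sample event above. The following Python sketch is an added example, not Fortinet or Microsoft code, that decodes that layout; `parse_event` and its output keys are names assumed for illustration, and the sample line is abridged from the page's event.

```python
import re
from datetime import datetime, timedelta, timezone

# Abridged from the page's sample event; field values are as the page shows them.
SAMPLE = (
    r"<109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|"
    r"EVENT_CATEGORY_LOGIN|Log on|0|rt=1526962648340 msg=Log on "
    r"suser=user1@userfsiem.onmicrosoft.com destinationServiceName=Microsoft Azure "
    r"dvc=43.254.220.13 cs1Label=portalURL "
    r"cs1=https://userfsiem.us2.portal.cloudappsecurity.com/#/audits?activity.id\=eq("
    r"70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce,) "
    r"cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs4Label=policyIDs cs4= "
    r'c6a1Label="Device IPv6 Address" c6a1='
)

PREFIX = re.compile(r"^<(\d{1,3})>(\S+) (\S+) (CEF:.*)$", re.S)
KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")  # a key starts the text or follows a space
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_event(line):
    m = PREFIX.match(line)
    if not m:  # e.g. "Include PRI" or "Include system name" was left unchecked
        raise ValueError("missing PRI, timestamp or system name")
    pri, stamp, host, cef = m.groups()
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    ext, keys = parts[7], list(KEY.finditer(parts[7]))
    fields = {}
    for i, k in enumerate(keys):
        # A value runs to the next key, so it may contain spaces or be empty.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[k.end():end].strip()
        fields[k.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)  # undo \= and \\
    # Fold csNLabel/csN pairs into named fields, e.g. cs1Label=portalURL.
    named = {v.strip('"'): fields.get(k[:-5], "")
             for k, v in fields.items() if k.endswith("Label")}
    return {
        "facility": int(pri) >> 3, "severity": int(pri) & 7,
        "sent": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
        "host": host, "vendor": parts[1], "event_class": parts[4],
        "name": parts[5], "fields": fields, "named": named,
        "rt": EPOCH + timedelta(milliseconds=int(fields["rt"])),
    }
```

Comparing `rt` (the activity time in epoch milliseconds) with `sent` (the syslog header timestamp) gives a quick check for delivery lag between the portal and the receiving FortiSIEM node.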
