Microsoft CASB Integration Guide

This guide covers setting up your Cloud App Security (CASB) portal to forward alerts and activities to your SIEM.

Integrating with your SIEM is accomplished in three steps:

  1. Set it up in the Cloud App Security portal.
  2. Download the JAR file and run it on your server.
  3. Validate that the SIEM agent is working.

Prerequisites

  • A standard Windows or Linux server (can be a virtual machine).
  • OS: Windows or Linux
  • CPU: 2
  • Disk space: 20 GB
  • RAM: 2 GB
  • The server must be running Java 8. Earlier versions aren't supported.

https://www.java.com/download/ie_manual.jsp

  • Transport Layer Security (TLS) 1.2+. Earlier versions aren't supported.
  • Configure your firewall as described at the link below:

https://docs.microsoft.com/en-us/cloud-app-security/network-requirements

1.    Set it up in the Cloud App Security Portal

  1. In the Cloud App Security portal, under the Settings cog, select Security extensions.
  2. On the SIEM agents tab, select "add" (+), and then choose Generic SIEM.
  3. In the wizard, select Start Wizard.
  4. In the wizard, fill in a name, select your SIEM format, and set any Advanced settings that are relevant to that format. Select Next.
  5. Type in the IP address or hostname of the Remote syslog host and the Syslog port number. Select TCP or UDP as the Remote Syslog protocol. You can work with your security admin to get these details if you don't have them. Select Next.
  6. Select which data types you want to export to your SIEM server for Alerts and Activities. Use the slider to enable or disable each one; by default, everything is selected. You can use the Apply to drop-down to set filters so that only specific alerts and activities are sent to your SIEM server. Select Edit and preview results to check that the filter works as expected. Select Next.
  7. Copy the token and save it for later. Select Finish and leave the Wizard. Go back to the SIEM page to see the SIEM agent you added in the table. It will show that it's Created until it's connected later.

Note

Any token you create is bound to the admin who created it. This means that if that admin user is removed from Cloud App Security, the token will no longer be valid. A generic SIEM token provides read-only permissions to only the required resources. No other permissions are granted as part of this token.

2.    Download the JAR File and Run it on Your Server

  1. In the Microsoft Download Center, after accepting the software license terms, download the .zip file and unzip it.
  2. Run the extracted file on your server:

    java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN

Note

  • The file name may differ depending on the version of the SIEM agent.
  • Parameters in brackets [ ] are optional, and should be used only if relevant.
  • It is recommended to run the JAR during server startup.
    1. Windows: Run it as a scheduled task. Make sure that you configure the task to "Run whether the user is logged on or not" and that you uncheck the "Stop the task if it runs longer than" option.
    2. Linux: Add the run command with a trailing & to the rc.local file. For example: java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &

Where the following variables are used:

  • DIRNAME is the path to the directory you want to use for local agent debug logs.
  • ADDRESS[:PORT] is the proxy server address and port that the server uses to connect to the internet.
  • TOKEN is the SIEM agent token you copied in the previous step.

You can run the JAR with -h at any time to get help.

3.    Running the JAR as a Scheduled Task

Step 1. Install Java and make sure it is available from the command line

You should be able to run your JAR from a bare cmd command line. Specify the full path to java.exe, as in this example command:

C:\ProgramData\Oracle\Java\javapath\java.exe -jar C:\repo\curium.jar

Step 2. Open task scheduler:

In the Start menu search bar, search for "scheduler" and "Task Scheduler" should pop up. It is buried in the control panel: Control Panel -> System And Security -> Administrative tools -> Task Scheduler.

Step 3. Make a new scheduled task:

In the left pane, right click "Task Scheduler Library". Choose: "New Basic Task". Give it any name.

Choose Next. Click "Daily" (the repeat configuration will be done later, in Step 6).

Choose Next. Recur every 1 day. Have it start 5 minutes from now. Choose Next. Click "Start a program".

Step 4. Configure your java to run:

In the "Program/script" box put the full path to your java.exe (your path may differ). Double-check it by running "where java" from cmd:

C:\ProgramData\Oracle\Java\javapath\java.exe

In the "Add arguments" box put this (the repeat duration, which should be Indefinitely, is set on the trigger in Step 6):

-jar C:\MCAS\mcas-siemagent-0.111.126-signed.jar --token <TOKEN>

Click Next, then click Finish.

Step 5. Right click your new task for further configuration:

Right click your item -> Properties.

Choose the radio button "Run whether user is logged on or not".

Under the "triggers" tab. Select your Daily task and choose Edit.

Step 6. Configure the repeat-task triggers

Begin the task: "On a schedule".

Choose Repeat task every: "5 minutes" and for a duration of: "Indefinitely". Check the Enabled checkbox. Click OK. Save.

You will be prompted for your Windows username and password. Enter them and press OK.

Step 7. Ensure it is working

Wait 5 minutes for it to run. Or force run it by right clicking -> Run.

Right click your task, choose properties. Choose "History" tab.

There should be a row there showing when it ran. If you want to know whether the agent itself started successfully, you will have to redirect the program's output to a log file, since the History tab only records that the task was launched.
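The Task Scheduler configuration from Steps 1 and 3 through 7, as an added PowerShell example that is not part of the Microsoft guide or the agent; the file paths, task name, token file location and run-as account are assumptions for this server:

```powershell
# Added example (not from the Microsoft guide): registers the SIEM agent JAR as a
# scheduled task matching Steps 1 and 3-7. Run in an elevated PowerShell session.
# Paths, task name, token file and run-as account are assumptions for this server.
$JavaExe  = 'C:\ProgramData\Oracle\Java\javapath\java.exe'
$JarPath  = 'C:\MCAS\mcas-siemagent-0.111.126-signed.jar'
$LogDir   = 'C:\MCAS\logs'
$TaskName = 'MCAS SIEM Agent'
# Token read from a file whose ACL allows only administrators and the run-as account;
# note it still ends up in plain text in the task definition's arguments.
$Token = (Get-Content 'C:\MCAS\siem-agent.token' -Raw).Trim()

# Step 1: Java 8 must be installed; the agent supports no other version.
if (-not (Test-Path $JavaExe)) { throw "java.exe not found at $JavaExe (check with: where java)" }
$JavaVersion = (& $JavaExe -version 2>&1 | Out-String)
if ($JavaVersion -notmatch 'version "1\.8\.') { throw "Java 8 required, found: $JavaVersion" }
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Step 4: launch through cmd.exe so console output lands in a log file, since
# Task Scheduler history alone does not show whether the agent started cleanly (Step 7).
$Cmd = "`"$JavaExe`" -jar `"$JarPath`" --logsDirectory `"$LogDir`" --token $Token"
$Action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$Cmd >> `"$LogDir\agent-stdout.log`" 2>&1`""

# Step 6: daily trigger repeating every 5 minutes for an indefinite duration. The
# repetition block is copied from a -Once trigger because -Daily has no -RepetitionInterval.
$Daily = New-ScheduledTaskTrigger -Daily -At (Get-Date).AddMinutes(5)
$Daily.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)).Repetition
$Boot = New-ScheduledTaskTrigger -AtStartup   # covers the reboot check in Step 8

# Step 5: no "Stop the task if it runs longer than" limit, and because the agent never
# exits, ignore the 5-minute relaunches while an instance is already running.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# -User/-Password gives "Run whether user is logged on or not" (the account needs the
# "Log on as a batch job" right); use a dedicated low-privilege service account.
$Cred = Get-Credential -Message 'Account the SIEM agent task will run as'
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger @($Daily, $Boot) `
    -Settings $Settings -User $Cred.UserName `
    -Password $Cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Step 7: force a run, then check the scheduler result and the agent's own output.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 15
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
Get-Content "$LogDir\agent-stdout.log" -Tail 20
```

A LastTaskResult of 0x41301 means the task is still running, which is the expected state for this long-lived agent; anything the JAR printed on startup (such as a rejected token) appears in agent-stdout.log rather than in the History tab.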

Step 8. See if it survives a reboot

Reboot the computer and check that the task is still running afterwards. If it is, you are done.

4.    References

IBM Guide:

https://www.ibm.com/docs/en/qsip/7.4?topic=configuration-universal-cloud-rest-api-protocol

Microsoft Guide:

https://docs.microsoft.com/en-us/cloud-app-security/siem