Overview

Microsoft 365 Cloud App Security (MCAS) is Microsoft’s Cloud detection engine, which aggregates alerts from Microsoft’s Cloud services. See more details on the alerts here.

Integrating these alerts into Hunters allows you to triage them and correlate them with other related threats.

Prerequisites

Microsoft 365 Cloud App Security events are exported by Microsoft to Azure Blob Storage and consumed by Hunters from your storage account. Follow these steps to enable the export of events:

  1. Ship real-time events and alerts directly to an Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions, follow Microsoft's official tutorial on forwarding events to Azure storage.

    1. Enable the collection of Alert Evidence and Alert Info to the storage account. You should see the corresponding containers being created and populated with data: insights-logs-advancedhunting-alertevidence and insights-logs-advancedhunting-alertinfo.

  2. Share your Azure storage with Hunters using this tutorial - Sharing Azure storage with Hunters.

    1. Share the connection string with Hunters, for example:

      DefaultEndpointsProtocol=https;AccountName=defenderlogs;AccountKey=g6DbhGsQ4u890mngU7szCxq/jUioeWTd/gFHyhgde46gvDs3EuKNfSfVcUPQWazMlopLl6if5e7JKdGYtrvdfj==;EndpointSuffix=core.windows.net
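As an added example (not part of the Hunters documentation or the Microsoft tutorial), the following Python helper parses a connection string in the format shown above, checks that each field is well-formed, derives the URLs of the two export containers named in step 1, and masks the account key so the string can be logged safely. The account name defenderlogs is taken from the sample above; the account key is constructed, not a real key.

```python
# Added example: parse/validate an Azure Storage connection string and derive
# the URLs of the Defender export containers named in the setup steps.
import base64
import binascii
import re

# Containers created by the Defender data export described on this page.
EXPORT_CONTAINERS = ("insights-logs-advancedhunting-alertevidence",
                     "insights-logs-advancedhunting-alertinfo")
REQUIRED = ("DefaultEndpointsProtocol", "AccountName", "AccountKey", "EndpointSuffix")

def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;...' segments and validate each required field."""
    fields = {}
    for part in filter(None, conn.strip().split(";")):
        key, sep, value = part.partition("=")  # AccountKey itself contains '='
        if not sep:
            raise ValueError(f"malformed segment: {part!r}")
        fields[key.strip()] = value.strip()
    if missing := [k for k in REQUIRED if k not in fields]:
        raise ValueError(f"missing keys: {missing}")
    if fields["DefaultEndpointsProtocol"] != "https":
        raise ValueError("export must use https")
    if not re.fullmatch(r"[a-z0-9]{3,24}", fields["AccountName"]):
        raise ValueError("invalid storage account name")
    try:
        raw = base64.b64decode(fields["AccountKey"], validate=True)
    except binascii.Error as exc:
        raise ValueError("AccountKey is not valid base64") from exc
    if len(raw) != 64:  # storage account keys are 512-bit values
        raise ValueError("AccountKey must decode to 64 bytes")
    return fields

def export_container_urls(conn: str) -> dict:
    """Map each export container to the URL Hunters will read it from."""
    f = parse_connection_string(conn)
    endpoint = f"{f['DefaultEndpointsProtocol']}://{f['AccountName']}.blob.{f['EndpointSuffix']}"
    return {c: f"{endpoint}/{c}" for c in EXPORT_CONTAINERS}

def redact(conn: str) -> str:
    """Mask the AccountKey so the string can be logged or pasted into a ticket."""
    return re.sub(r"(AccountKey=)[^;]*", r"\1<redacted>", conn)

# Constructed sample: the account name from this page with a made-up 64-byte key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CONN = (f"DefaultEndpointsProtocol=https;AccountName=defenderlogs;"
               f"AccountKey={SAMPLE_KEY};EndpointSuffix=core.windows.net")
```

Run export_container_urls(SAMPLE_CONN) to see the two container URLs Hunters will read from, and redact(SAMPLE_CONN) before writing the string to any log or ticket.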