Using Microsoft MCAS Effectively
How to Investigate Cloud Incidents in Microsoft MCAS
Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) service that manages security activity in the cloud. When security analysts see cybersecurity alerts from MCAS, it can often be confusing to investigate them because of the user interface (UI) design. Instead of seeing traditional alert summaries, they will see an activity log like the one in this example image.
The activity log takes activity from all the different cloud apps identified by MCAS and presents those logs as activity logs in a timeline. Security analysts can use an activity log in MCAS instead of going through the logs of each cloud app to determine what happened during an incident.
In this blog, we show how an analyst can go over an alert in MCAS using the investigation phase of CyberMSI’s incident management approach. By using this methodology and an alert log, an analyst can finish their multi-cloud app investigation while only having to use one UI.
Go Through the Alert Description
The title and the alert description describe an impossible travel incident that happened while using 3 different cloud apps. The user that had the impossible travel is also an Office 365 Administrator, which is an important detail to know if their account has been compromised somehow.
Create a Timeline with the Activity Log
The analyst can use the timestamps in the activity log to create a timeline of what happened. They can also use the columns of the activity log to answer some of the most important investigation questions, such as “who”, “where”, and “what happened”.
Who: The “User” column has the name of the AAD user account that is having the impossible travel issue.
Where: The “Location” column has the physical address, the “IP Address” column has the network address, and the “App” column has the app that the impossible travel activity happened on.
What Happened: The “Activity” column has the titles of the activity logs that caused this alert. The titles give the analyst a brief description of what happened, but they will need to expand the activity logs to see the details.
Activity from the US IP Address
An analyst can expand any of the activity logs to see more information about that activity. The analyst started by going through the activity from the United States. After looking through the activity from that country, they discovered that an anonymous proxy server from Georgia accessed a JPG file from the organization’s SharePoint.
Activity from the Pakistan IP Address
The analyst went through the activity from Pakistan and discovered a login to Office 365 followed by use of their Outlook mail account. There are no indicators of an anonymous proxy or any other suspicious activity that may indicate a compromise.
The analyst was able to find enough information to finish piecing together what had happened during the impossible travel incident, and they were able to do it in a timely manner because all the cloud app security logs were in one central location. The analyst was able to determine that this is most likely a medium-severity true positive because the United States logon came through an anonymous proxy that this user had never used before. The analyst would have to contact someone associated with the user to confirm that this is an incident before continuing with further steps.
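As an added example, not from the original post or from MCAS itself, the following Python script builds the who / where / what timeline from the activity-log columns described above and applies the analyst's reasoning about impossible travel through a never-before-seen anonymous proxy. The rows, coordinates, IP addresses and the anonymous-proxy flag are constructed assumptions standing in for the expanded log details.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed rows shaped like the MCAS activity-log columns the post walks through
# (User, Location, IP Address, App, Activity); lat/lon and anon_proxy are assumptions.
ACTIVITY_LOG = [
    {"time": "2021-05-03T08:02:00", "user": "admin@example.com", "app": "Office 365",
     "activity": "Log on", "ip": "203.0.113.10", "location": "Karachi, PK",
     "lat": 24.86, "lon": 67.01, "anon_proxy": False},
    {"time": "2021-05-03T08:05:00", "user": "admin@example.com", "app": "Exchange Online",
     "activity": "Mail items accessed", "ip": "203.0.113.10", "location": "Karachi, PK",
     "lat": 24.86, "lon": 67.01, "anon_proxy": False},
    {"time": "2021-05-03T09:40:00", "user": "admin@example.com", "app": "SharePoint",
     "activity": "File accessed: photo.jpg", "ip": "198.51.100.7",
     "location": "Atlanta, GA, US", "lat": 33.75, "lon": -84.39, "anon_proxy": True},
]

def _ts(row):
    return datetime.fromisoformat(row["time"])

def haversine_km(lat1, lon1, lat2, lon2):
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def build_timeline(rows):
    # Order by timestamp and keep the who / where / what columns the post uses.
    return [(r["time"], r["user"], r["location"], r["ip"], r["app"], r["activity"])
            for r in sorted(rows, key=_ts)]

def impossible_travel(rows, max_kmh=1000.0):
    # Consecutive events per user whose implied ground speed exceeds max_kmh.
    hits, by_user = [], {}
    for r in sorted(rows, key=_ts):
        by_user.setdefault(r["user"], []).append(r)
    for events in by_user.values():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                hits.append((prev, cur, km, speed))
    return hits

def triage(rows, known_proxy_ips=frozenset()):
    # Post's reasoning: impossible travel via an anonymous proxy the user never used before.
    new_proxy = [r for r in rows if r["anon_proxy"] and r["ip"] not in known_proxy_ips]
    if impossible_travel(rows) and new_proxy:
        return "medium severity true positive: confirm with the user before further steps"
    return "no unseen anonymous proxy with impossible travel: review manually"
```

Run `build_timeline(ACTIVITY_LOG)` to see the ordered who / where / what rows, then `triage(ACTIVITY_LOG)` to see the verdict; pass a set of proxy IPs the user is already known to use as `known_proxy_ips` to see the verdict change.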
We will continue to share best practices and lessons learned in future posts on using MCAS in customer environments. The cloud app environment may continue to evolve, but the underlying cloud app log analysis will always be useful for keeping information organized during investigations.
In closing, consider these three questions when using MCAS in your organization:
- How could we benefit from having a CASB solution like MCAS?
- Do our analysts know what to do with cloud app security logs when they get them?
- Are our cloud apps registered with MCAS, and if they are not, how can we integrate them?