cloudappsecuritydocs's People

Contributors

alexbuckgit, amitmishaeli, anandd512, andrewvahidnia, assafyatziv, batamig, court72, dcurwin, drormikdash, idbasre, itaicitaic1, leorhurwitz, mestew, msmbaldwin, nagarajvenkatesh, pmeds28, prmerger-automator[bot], richaseh21, rkarlin, ronen-refaeli, shsagir, stacyrch140, syntaxc4, taojunshen, tareqmusmar, ttorble, tynevi, v-ccolin, v-dirichards, wendyliuc

cloudappsecuritydocs's Issues

DNS names missing/incorrect

We recently had the relevant DNS names allowed through our perimeter network security devices, but found that some MCAS proxy services are redirecting through names not listed. For example, we're seeing lots of redirects through *.us2.cas.ms, but there is no mention of any *.cas.ms DNS names on this page. Can you update the list as appropriate?


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

CAS Collector not sending logs

My CAS Docker is running. I have uploaded hundreds of logs via FTP to it but the Cloud App Data Source still shows 0 logs uploaded. There is nothing blocking the CAS from sending logs and I occasionally see an HTTPS packet going to the Microsoft server .us.portal.cloudappsecurity.com.

Instructions are poor. What does "Configure your network firewalls and proxies to periodically export logs to the dedicated Syslog port of the FTP directory" mean? I'm not using Syslog, I'm using FTP, and how can anyone send logs to the "Syslog port of the FTP directory"? What does that mean? Syslog, FTP, and directories are three different things which cannot be interconnected in the way described by that sentence.

And the example provided makes no sense either:
BlueCoat_HQ - Destination path: <<machine_name>>\BlueCoat_HQ
So am I supposed to FTP to <<machine_name>> and then cd into \BlueCoat_HQ before uploading files? That directory does not exist, and I've even tried creating it and putting logs in there to no avail.

user enrichment user duplication

The documentation states that enabling user enrichment might result in user duplication. Is there a way to identify if this will occur, is there a way to fix it if it does occur, and is there a workaround?


Where is the "Cloud App Security Portal"?

Please provide a URL for the Cloud App Security portal which is referenced in this document. I have no idea where it is, and efforts to Google for it were challenging. I finally found this:
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-cas-overview

which points me to: https://protection.office.com

Why not hyperlink the term to the above URL (or at least give the URL parenthetically)?


Connect Office 365 only or also with SPO and EXO

If you connect Office 365 as one app, should you also connect Exchange Online and SharePoint Online apps separately?


Multi-instance Support

Does MCAS have the ability to connect multiple Azure tenants/instances? The documentation is really lacking in this area. If it is possible, how does one accomplish the multiple Azure tenant connections?

Syslog log collector connected but no data

In the Cloud App Security portal I have followed the instructions provided in this Microsoft doc to configure continuous logs to be sent from my SonicWALL (syslog) to my log collector. The log collector shows 'Connected' but is not receiving data. (See attached screenshot.)

I have triple checked my settings in the SonicWALL and my Ubuntu server.

I can confirm logs are flowing from the SonicWALL to the Ubuntu server, but how can I check if they are reaching the Cloud App Security portal?

I did notice that the log collector configuration script had a line in it that caught my eye: "SYSLOG=false". Should this be changed to "true"?

Note: we do not block outbound traffic.


Feature Availability

Is there some documentation on what is available with such integration with ServiceNow?


multiple salesforce instances

In general, how does one connect multiple instances of the same product?


I can't see this setting

Despite me having an admin ID, I still can't see these settings. Why?


Not clear how to find the step

For the step below you failed to explain how to get there. We believe you have to go under Information Protection > Files > Enable File Monitoring, and then you still need to explain how you get from there to the screenshot you show.

The text below is copied from the relevant section in this document, for your reference:
Apply labels directly to files
From the Files page under Investigate, select the file you want to protect. Click the three dots at the end of the file's row then choose Apply classification label.


Importing the collector config doesn't work

When I try to run the final docker command I get the following:

pull access denied for microsoft/caslogcollector, repository does not exist or may require 'docker login'.


Third party dlp REQMOD block response format

Hi,

This document discusses Forcepoint and Symantec DLP integration; how about generic DLP integration via REQMOD? What kind of ICAP server response is required to indicate an HTTP/HTTPS block? It would be of great help if the Allow and Block ICAP responses could be documented here.

Thanks.


Explain how to create a regular expression, especially one to match ALL files.

As there is a feature to scan existing files, we want to scan ALL files (in the selected location). In the note you say that we have to use content inspection to scan existing files. When we choose that option we are asked to define an "expression" for matching the file. Since I want to match all files and there is no "all files" option, I guess that the star (*) could be the regular expression, but you do not explain the regular expression syntax. Maybe it is a standard regular expression syntax. If so, please link to a document that explains this syntax.


What does revoking the app actually do?

All I can tell is it disables sign-in to the application in Azure AD Enterprise Applications.


Imported groups

Once a group is synced for an app, what are the sync intervals afterwards? How often are groups in CAS updated for changes made to the group in AAD?


Powershell Versions :/

How in the name of Jesus do I get PowerShell build version 16000?

Cheers


Stale externally shared files - better description required

Remove them from the drive / SharePoint, or remove the sharing???


The link to log collector reloads the same page.

The link that says "Log collector:" simply reloads the same page.


Syslog - TLS

As you note: "Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings or your firewall/proxy."
Which is correct; you would in most cases need to trust the certificate presented by the syslog server.
In this case, it is a self-signed certificate, and I get this error when I try to import it: "Import of CAS syslog failed. Only self signed CA certificates can have identical subject and issuer fields."
Where is the certificate located, and how do I replace it with a certificate signed by our own CA?


Please be clear about what licenses are needed

I do understand that Microsoft creates features that will entice the customer to buy more features. That is OK, as long as it is clear on every path what version/license is needed to be able to do what is recommended in an article such as this one.

So please be crystal clear as to what E level of Office 365 is needed for this to be available.
Thank you
Bart


On-premises deployment of your machine, step 7

I guess the command to import the log collector configuration should be run in an elevated command prompt? It would be good to include this information in the article.


Misprint identity - information

In the last Note it should be "Information", not "Identity".
//Anders Olsson


Question about link in article

At the bottom of this article, you have a link "Premier customers can also choose Cloud App Security directly from the Premier Portal". What choice do you mean can be made for Cloud App Security in the Premier Portal? When clicking on the link, you end up at your start page in the portal, with no specific information about CAS. I have got this question from a customer; please review it and clarify. Thanks.


iboss missing from data attribute table

The iboss Secure Cloud Gateway is missing from the supported data attributes table.


Page Updates

Could we get an RSS feed or Twitter account update for when new content is posted? (Or is there one and I can't find it?)


Syslog-TLS?

Hi,
Is there a way to update certificates in the same way as you can on an Ubuntu Docker machine like documented here?
https://docs.microsoft.com/en-us/cloud-app-security/troubleshoot-docker
Rich


I don't understand

What does "Configure your network firewalls and proxies to periodically export logs to the dedicated Syslog port of the FTP directory" mean? What is the Syslog port of the FTP directory???


Attempting to upload Cisco ASA logs failed

Hi. While I appreciate we can get demo logs of what the Cisco ASA output should look like to be ingested correctly, it would be really useful to turn this problem around from the other point and help explain HOW the process works at a Cisco ASA level to get the logs output in that same format.

Thanks in advance


Table suggestion

In the table above, using N/A or footnotes below the table would make it easier to read.


Analysis time interval

Regarding the note, 'Continuous report data is analyzed twice a day.'

Is this configurable?


Can't find the MCAS toggle in Windows Defender ATP

I don't have such a toggle within my WDATP console. I can see Intune and O365, but no sign of MCAS.


Data Management Reports removed

Hi, please can you confirm where the three dots that were available for data management reports have been moved to? The reports are no longer available when I access my demo tenant, and they were previously. Thank you. Antonio.


Docker compose support?

Has anyone had any luck getting this running using Docker Compose versus docker run?
I was able to translate most of the run command into a compose file, but am stuck at the "echo <key> | starter" part. (Compose file WIP below.)

Looking at the shell script "starter" (/etc/adallom/scripts/starter), if we could check whether the TOKEN variable exists as an environment variable, then we could pass this token by using an environment option in our Docker Compose file (or as a " -e 'TOKEN=xxxxx' " flag in the docker run command).

Right now the only way I got it working is by logging in to the container and running "starter <<< <key>", which is not optimal as it has to be re-run each time the container is rebuilt.


/etc/adallom/scripts/starter (Before)

    #!/bin/bash
    first_run() {
        echo "Setting environment"
        read TOKEN


/etc/adallom/scripts/starter (Suggested)

    #!/bin/bash
    first_run() {
        echo "Setting environment"
        # Only prompt for the token when it was not supplied as an environment variable
        if [ -z "$TOKEN" ]
        then
            read TOKEN
        fi


Docker Compose File

    version: '3.5'
    services:
      caslogcollector:
        image: microsoft/caslogcollector:latest
        container_name: Log-Collector
        restart: always
        ports:
          - '21:21'
          - '601:601/tcp'
          - '20000-20099:20000-20099'
        environment:
          - PUBLICIP=xx.xx.xx.xx
          - PROXY=
          - SYSLOG=true
          - CONSOLE=xxxxxx.us2.portal.cloudappsecurity.com
          - COLLECTOR=Log-Collector
        security_opt:
          - apparmor:unconfined
        cap_add:
          - SYS_ADMIN
        stdin_open: true
        tty: true


Docker ID required?

Is it required to have a Docker ID to deploy the log collector? If yes, it would be good to include it in the documentation.


Bad docs

It is never mentioned how to deploy the appliance; you go to Azure and appear to deploy the "Azure AD Cloud App Discovery" appliance.


Listing of Apps on Select App control

What determines why an app is listed on the Apps (select an App) dropdown control? Please add an explanation of this to the documentation.


Unable to download PDF

I'm trying to download this doc as a PDF using the handy "download PDF" link, but it just errors and will not open as a PDF. Any downloads are 0 bytes in size. Any suggestions or assistance would be greatly appreciated.


Prerequisites

I was wondering about the prerequisite of having build 1809 of Windows 10 to integrate MCAS with WDATP.
Is this correct? I believe I have seen this feature being advertised long before 1809 was ever in the making; also, it feels a bit odd that this feature is possible until you use a version of Windows 10 that hasn't even reached CBB yet.

If it is correct, what is it that makes 1809 needed for the integration?


Definition of "sensitive documents"?

Under "How It Works" -> "Block on download" it is mentioned that this functionality can block download of sensitive documents. What are considered sensitive documents? Is that all documents, only documents identified by Security and Compliance Center / Cloud App Security, or something else? Appreciate any clarity you can provide.


License required?

Please add information on the specific licensing needed to use this feature.


Remove note

"Make sure that you choose apps that are supported by Conditional Access App Control. Conditional Access App Control supports apps that are configured with SAML and Open ID Connect apps with single sign-on in Azure AD."
This is not true anymore, am I correct?


I can't see these settings

Despite me having an admin ID, I am not able to see the settings section as shown in the snapshot. Why?


p12 certificate password

The document suggests that we will be prompted for the p12 certificate password at upload, but that does not appear to be the case. Is there a step missing?


Please clarify where to find the "check the Content inspection option"

Microsoft support and I spent hours trying to find the "check the Content inspection option". We have now found it and hope you can update this document to explain this.

Under the section "Automatically label files" you have a Note that reads:
Automatic scan does not scan existing files until they are modified again. To scan existing files for Azure Information Protection classification labels, you must have at least one Content inspection File policy. If you have none, create a new File policy, delete all the preset filters, check the Content inspection option. Then, under Content inspection, click Include files that match a preset expression and select any predefined value, and save the policy. This enables content inspection, which automatically detects Azure Information Protection classification labels.

As we could not find that option, here is a revised wording proposal:

Automatic scan does not scan existing files until they are modified again. To scan existing files for Azure Information Protection classification labels, you must have at least one Content inspection File policy. If you have none, create a new File policy, delete all the preset filters, *Choose Inspection Method: Built in DLP: Then set Content Inspection Enabled. Then, under Content inspection, click Include files that match a preset expression and select any predefined value, and save the policy. This enables content inspection, which automatically detects Azure Information Protection classification labels.


There is no microsoft/caslogcollector image on Docker Hub

Guys, this makes the whole idea of Docker deployment impossible.


Confusion about: "Before the installation completes, you will have to paste in the run command you copied earlier." statement

This statement is not clear to me: "Before the installation completes, you will have to paste in the run command you copied earlier." I am not sure which run command is meant here. Is it the command to restart the LogCollectorInstaller.ps1 script?
