Collect data from Microsoft Defender for Cloud Apps


See the changelog of the HTTP Listener here.

Overview

The following article outlines a basic data flow from Microsoft Defender for Cloud Apps to the Onum HTTP Listener.

Prerequisites

  • Administrative access to the Microsoft Defender for Cloud Apps portal

Contact Onum to get the required JWT token, which you will need during the Listener setup.

You can also contact us if you cannot generate the required TLS certificates. Note that these certificates must be signed by a recognized Certificate Authority (CA). Self-signed certificates are not accepted.

Defender for Cloud Apps Setup

Microsoft Defender for Cloud Apps (MDCA) can be configured to send logs to Onum. Here's how to set it up:

  1. Go to Settings > Security extensions

  • Select SIEM agents tab

  • Click Add SIEM agent

3. Set Up the SIEM Agent

  • Choose Generic SIEM as the SIEM type

  • Enter a name for the connection (e.g., Onum Integration)

  • Select the data types you want to send:

    • Alerts

    • Activities

    • Discovery data (if applicable)

  • Configure the remote SIEM server:

    • Protocol: HTTPS

    • Host: Your Onum domain (e.g., https://[your-onum-tenant].onum.ai/api/ingest)

    • Port: 443 (standard HTTPS)

    • URL path: Your configured path (e.g., /ingest/mdca)

  4. Configure Authentication

  • Select the appropriate authentication method. This article uses the Bearer method as an example.

  • Specify the log format (JSON is recommended)

Onum Setup

1. Log in to your Onum tenant and click Listeners > New listener.

2. Double-click the HTTP Listener.

3. Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

4. In the Socket section, enter the required Port 443 (standard HTTPS).

5. In the TLS configuration section, enter the required certificates (Certificate, Private key and CA chain).

6. Choose No client certificate in the Client authentication method field.

7. In the Authentication section, choose Bearer as the Authentication Type. Open the Token Secret field and click New secret to create a new one:

  • Give the token a Name.

  • Turn off the Expiration date option.

  • Click Add new value and paste the secret corresponding to the JWT token you received. Remember that the token will be added in the Zscaler configuration.

  • Click Save.


Learn more about secrets in Onum in this article.

8. You can now select the secret you just created in the Token Secret field.

9. In the Endpoint section, choose POST as the HTTP Method. In the Request path field, enter the path of the endpoint that MDCA will send its data to.

Standard Format

10. In the Message extraction section, choose Single event as body (full) in the Strategy field. You can leave the Extraction info field empty.

11. In the General behavior section, set Propagate headers strategy to Allow.

12. Configure the rest of the settings as required.

13. Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.

Learn more about labels in this article.
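As an added example (not Onum's or Microsoft's code), the following Python function mirrors the checks the Listener configured above applies to each request the MDCA SIEM agent sends: POST only, the configured request path, a Bearer token compared in constant time, and a body that must be a single JSON event. The token, the path and the sample alert are constructed placeholders, not values from this page.

```python
import hmac
import json

# Constructed placeholders: the real token comes from Onum, and the path is
# whatever you entered in the Listener's Request path field.
LISTENER_PATH = "/ingest/mdca"
EXPECTED_TOKEN = "example-jwt-token-placeholder"

# A constructed, MDCA-style alert body (generic SIEM agent, JSON format).
SAMPLE_EVENT = {
    "alertType": "ALERT_SUSPICIOUS_ACTIVITY",
    "severity": "medium",
    "title": "Impossible travel activity",
    "user": "user@example.com",
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT)


def check_request(method, path, headers, body,
                  expected_token=EXPECTED_TOKEN, listener_path=LISTENER_PATH):
    """Apply the Listener's settings to one incoming request.

    Returns (status, event, reason): event is the parsed JSON object when
    the request is accepted (status 200), otherwise None.
    """
    # Endpoint section: POST only, on the configured request path.
    if method.upper() != "POST":
        return 405, None, "method must be POST"
    if path != listener_path:
        return 404, None, "unknown request path"

    # Authentication section: Bearer token. Header names are case-insensitive,
    # and the comparison is constant-time so it does not leak the token.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
            token.encode(), expected_token.encode()):
        return 401, None, "missing or invalid bearer token"

    # Message extraction: the full body is a single JSON event.
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        return 400, None, f"body is not JSON: {exc.msg}"
    if not isinstance(event, dict):
        return 400, None, "body must be a single JSON object"
    return 200, event, "accepted"


if __name__ == "__main__":
    good = {"Authorization": f"Bearer {EXPECTED_TOKEN}"}
    print(check_request("POST", LISTENER_PATH, good, SAMPLE_BODY)[0])  # 200
```

Feeding the function a request built from your MDCA SIEM agent settings shows which of the four settings is mismatched before any data reaches the tenant.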
