SharePoint Stuff

Posts Tagged ‘Cloud app security’

Microsoft Cloud App Security (CAS) and Squid

Written by Luke Smith. Posted in Microsoft

Below are the high-level steps to forward Squid syslog to Microsoft Cloud App Security using the CAS log collector (an Ubuntu VM that runs on Azure, Hyper-V or AWS).

Install CAS Collector

Follow steps here:

Summary of the commands, run on the CASCollector Ubuntu server. The long hex value piped into docker run is the collector token generated in the CAS portal; treat it as a secret.

sudo -i

curl -o /tmp/ && chmod +x /tmp/; /tmp/

(echo cb83b3f208347603e38ea2816c7503ec257159001225001c2b8efa6e06f49951) | docker run --name CASLogCollector -p 514:514/udp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP=''" -e "PROXY=" -e "SYSLOG=true" -e "" -e "COLLECTOR=CASLogCollector" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter

sudo docker logs CASLogCollector

Confirm the collector is running (the container name must match the --name given to docker run above).

Install IP Traffic monitor (to review incoming syslogs)

On the CASCollector Ubuntu server:
sudo apt-get install iptraf

Set up Squid (note: Squid 2.7 or later is required for syslog over UDP)

Open squid.conf and make sure the following two entries exist:

access_log C:/ClientSiteProxy/var/logs/access.log squid
access_log udp:// squid

Save the file and restart the Squid service.

The trailing "squid" keyword on each access_log line sets the log format to Squid native. Out of the box, Cloud App Security supports the Native and Common formats; custom formats can be defined, but we are keeping this simple.

In the CAS portal, make sure the data source for this collector is set to the Squid (Native) format.


Troubleshooting

Review "sudo iptraf" network traffic and confirm the incoming UDP traffic is reaching the log collector
Review the governance log in the CAS portal (gear icon > Governance log)
Install a separate syslog receiver test tool (confirm syslog traffic is arriving at the collector)
Install a separate syslog transmitter test tool (confirm test syslog UDP traffic reaches the collector independently of Squid)

NB: this article relates to Squid 2.7 or above and Symantec Client Site Proxy (formerly MessageLabs).

Microsoft Cloud App Security (MCAS) Q&A

Written by Luke Smith. Posted in Microsoft

Q: How quickly can the MCAS log collector ingest data?
A: Up to 50 GB/hr. The main limitations are bandwidth and processing, which can be overcome by adding compute or bandwidth, or by adding more collectors.
Q: What happens if the MCAS log collector can't process the data quickly enough?
A: Data is dropped (to be confirmed); adding more collectors is recommended.
Q: Do you need an MCAS log collector per device?
A: No, one collector can receive logs from multiple data sources.
Q: Can I add more MCAS log collectors?
A: Yes (to be confirmed whether they can be load balanced; I think they can, but could not find an article).
Q: What do I need to do to protect my end users when using the MCAS proxy?
A: Devices need to be Azure AD joined, as the proxy relies on conditional access.
Q: Does the MCAS proxy work with non-Windows 10 devices?
A: Yes, using conditional access from MDM for macOS, Android and iOS. Windows 8.1 or below: TBC.
Q: If the details of a cloud vendor are incorrect, how can they be updated?
A: Raise a Microsoft support request from the portal.
Q: Do you need to license every user for MCAS to view the activity?
A: Not for proxy/firewall logs.
Q: Do you need to license every user for MCAS if you need to control access using the proxy?
A: Yes.
Q: Can we create our own application and vendor classification?
Q: Can we integrate MCAS with a SIEM?
A: Yes.
Q: Can we integrate MCAS and ATP (Defender and Office 365) together?
Q: Can we integrate AIP with MCAS?
A: Yes.

Useful Links: