
Format Changes

Jeremy Cooper [AFS MBP] 4 years ago
parent
commit
5c86974491
1 changed file with 15 additions and 11 deletions

+ 15 - 11
Splunk MSCAS Notes.md

@@ -2,20 +2,22 @@
 
 
 References:
-https://github.mdr.defpoint.com/MDR-Content/mdr-content/wiki/CS0009:Search:MSOC---MS-CAS---Alert
-https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-890
-https://docs.microsoft.com/en-us/cloud-app-security/siem
-https://splunkbase.splunk.com/app/3110/
 
+ * https://github.mdr.defpoint.com/MDR-Content/mdr-content/wiki/CS0009:Search:MSOC---MS-CAS---Alert
+ * [ONBOARDING: MS CAS - Jira ticket - MSOCI-890](https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-890)
+ * [Integrate Microsoft Cloud App Security with your generic SIEM server](https://docs.microsoft.com/en-us/cloud-app-security/siem)
+ * [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/)
 
-https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/blob/master/salt/fileroots/syslog/files/customers/afs/conf.d/010-mcas.conf
 
+[MCAS Conf file located in Github](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/blob/master/salt/fileroots/syslog/files/customers/afs/conf.d/010-mcas.conf)
+
+```
 sourcetype=microsoft:cas
 index=app_mscas sourcetype="microsoft:cas"
 
 /opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log
 /opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log/2019-09-11/afsspaf101.us.accenturefederal.com/afsspaf101.us.accenturefederal.com/security.log
-
+```
 
 
 start EC2 instance
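Review bot: the two search lines kept inside the new fence are inconsistent, `sourcetype=microsoft:cas` on one line and `index=app_mscas sourcetype="microsoft:cas"` on the next; pick one quoting style and say which search is the one analysts should use, since the note now presents both as a single block. Also, the first reference bullet is still a bare URL while the other three got link text, and the new fence has no language tag (`text` would be enough) so the search lines and the syslog-ng paths render as one untyped block.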
@@ -33,18 +35,20 @@ add java docker container
 add java code to container
 
 ------------------------------
-Going to try openjdk because oracle java requires login to pull the images
-https://hub.docker.com/_/openjdk
-docker pull openjdk
+Going to try `OpenJDK` because oracle java requires login to pull the images - [OpenJDK Official Image](https://hub.docker.com/_/openjdk)
+
+`docker pull openjdk`
 
 JAVA Command
-java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &
+
+`java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &`
 
 Docker commands
+```
 cd 
 docker image build -t customjava .
 docker run -d --name customjava --volume /root/java:/logs -t customjava
-
+```
 
 FROM openjdk:12
 COPY . /usr/src/myapp