# Splunk MSCAS Notes

References:

* https://github.mdr.defpoint.com/MDR-Content/mdr-content/wiki/CS0009:Search:MSOC---MS-CAS---Alert
* [ONBOARDING: MS CAS - Jira ticket - MSOCI-890](https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-890)
* [Integrate Microsoft Cloud App Security with your generic SIEM server](https://docs.microsoft.com/en-us/cloud-app-security/siem)
* [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/)
* [MCAS conf file located in GitHub](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/blob/master/salt/fileroots/syslog/files/customers/afs/conf.d/010-mcas.conf)

Splunk search terms for the feed and the syslog-ng file paths where the agent output lands:

```
sourcetype=microsoft:cas
index=app_mscas sourcetype="microsoft:cas"
/opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log
/opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log/2019-09-11/afsspaf101.us.accenturefederal.com/afsspaf101.us.accenturefederal.com/security.log
```

Plan:

* Start the EC2 instance, then build the docker container.
* Open question: is this just a HF, or is it syslog-ng also? Two docker containers (one for syslog and one for java), or one docker container for java and one for the Splunk HF?
* The java agent sends to syslog-ng.
* EC2 instance `ms-cas`, t2.small: install docker, add the java docker container, add the java code to the container.

------------------------------

Going to try `OpenJDK` because Oracle Java requires a login to pull the images - [OpenJDK Official Image](https://hub.docker.com/_/openjdk)

`docker pull openjdk`

Java command:

`java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &`

Docker commands:

```
cd docker
docker image build -t customjava .
docker run -d --name customjava --volume /root/java:/logs -t customjava
```

Dockerfile:

```
FROM openjdk:12
COPY . /usr/src/myapp
WORKDIR /usr/src/myapp
RUN mkdir /logs
# Marker file to confirm the volume mount from the host. It must be written
# before VOLUME is declared: build steps that change a declared volume are discarded.
RUN echo "This is the place" > /logs/thisisit.txt
VOLUME /logs
# NOTE: the token given here is stored in the image layer, so it travels with
# the image into any registry it is pushed to.
CMD java -jar mcas-siemagent-0.111.126-signed.jar --token yourmom --logsDirectory /logs
```

Because we are using a custom docker image, we would like it to be stored in the docker repo. This is the headache.

DUANE! MS CAS has a dumb little java agent. It has to connect to MS servers and output CAS data via syslog; it can't do anything else [and they don't publicize the API it uses]. So our approach was to run the dumb little java agent in a docker container on customer premises in the POP. We have a POP node in Smart and Final called the "data collection node" (DCN) (and evolution, just for crap like this), but it's become a huge yak that needs shaving:

* To run the agent I need a container, so I made a container.
* To run the container I need to upload the container to a registry, so I uploaded it to our registry.
* Now, to give the nodes on customer prem access to the registry, they need AWS API credentials.
* To give them API creds I need to be able to distribute said creds from the salt master.
* To distribute them from the master I need , and decided on GPG-encrypted pillars.
* Before I could enable encrypted pillars I needed to clean up the salt master config files, which is done.

So I can finish the encrypted pillars, give creds to the DCN node, connect it to the registry, and get the container running.
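The Dockerfile above bakes the agent token into the image CMD, so it ends up in every copy pushed to the registry discussed in the message. As an added example (not from the original notes or from Microsoft's agent), here is a POSIX shell script that writes a Dockerfile reading the token from the environment at start-up and launches the container with `--env`; the image tag, log directory and JAR name are taken from the notes, and `MCAS_TOKEN` is an assumed variable name.

```shell
#!/bin/sh
# Added example: build and run the MCAS SIEM agent container without storing
# the API token in an image layer. MCAS_TOKEN is an assumed variable name.
set -eu

IMAGE_TAG=customjava                            # image/container name from the notes
AGENT_JAR=mcas-siemagent-0.111.126-signed.jar   # JAR name from the notes
LOG_DIR=/root/java                              # host directory mounted as /logs

# Write a Dockerfile whose CMD expands $MCAS_TOKEN when the container starts,
# so the pushed image contains no credential. Argument: output path.
write_dockerfile() {
  cat > "$1" <<EOF
FROM openjdk:12
COPY . /usr/src/myapp
WORKDIR /usr/src/myapp
RUN mkdir -p /logs
# Shell-form CMD so the token is read from the runtime environment.
CMD java -jar $AGENT_JAR --token "\$MCAS_TOKEN" --logsDirectory /logs
VOLUME /logs
EOF
}

# Argument list for "docker": the token is passed through --env only, and never
# appears on the command line (so it is not visible in shell history or ps).
run_args() {
  printf '%s' "run -d --name $IMAGE_TAG --env MCAS_TOKEN --volume $LOG_DIR:/logs $IMAGE_TAG"
}

# Refuse to start an agent that cannot authenticate.
require_token() {
  [ -n "${MCAS_TOKEN:-}" ] || { echo "MCAS_TOKEN is not set" >&2; return 1; }
}

main() {
  require_token
  write_dockerfile Dockerfile
  docker image build -t "$IMAGE_TAG" .
  # shellcheck disable=SC2046
  docker $(run_args)
}

case "${1:-}" in --run) main ;; esac
```

Run it as `MCAS_TOKEN=... ./run_mcas_agent.sh --run` from the directory holding the JAR.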