References:
MCAS Conf file located in Github
sourcetype=microsoft:cas
index=app_mscas sourcetype="microsoft:cas"
/opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log
/opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log/2019-09-11/afsspaf101.us.accenturefederal.com/afsspaf101.us.accenturefederal.com/security.log
Start an EC2 instance, then build the Docker container. Is this just a HF, or is it syslog-ng also? Two Docker containers, one for syslog and one for Java, and one for the Splunk HF.
java agent to send to syslog-ng
EC2 instance ms-cas (t2.small): install Docker, add a Java Docker container, add the Java code to the container.
Going to try OpenJDK, because Oracle Java requires a login to pull the images (OpenJDK Official Image).
docker pull openjdk
Java command
java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &
Docker commands
cd
docker image build -t customjava .
docker run -d --name customjava --volume /root/java:/logs -t customjava
FROM openjdk:12
COPY . /usr/src/myapp
WORKDIR /usr/src/myapp
RUN mkdir /logs
# write the marker file before VOLUME: changes made to a volume directory after it is declared are discarded at build time
RUN echo "This is the place" > /logs/thisisit.txt
VOLUME /logs
# "yourmom" is a placeholder; replace it with the real MCAS agent token
CMD java -jar mcas-siemagent-0.111.126-signed.jar --token yourmom --logsDirectory /logs
Because we are using a custom Docker image, we would like it to be stored in the Docker repo. This is the headache.
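An added example, not part of these notes: the same build and run, but with the agent token supplied at run time through an env file rather than baked into the image CMD, so the image that gets pushed to the registry never carries the token. It assumes the jar mcas-siemagent-0.111.126-signed.jar sits in the build context, the image name customjava from the notes, a root-only file /root/mcas.env containing MCAS_TOKEN=..., and that the script is saved as mcas_agent.sh.

```shell
#!/bin/sh
# Added example (not from the original notes): build and start the MCAS SIEM agent
# container with the token read from an env file at run time, not from the image.
# Assumptions: jar name, image name, env file path and log dir below are defaults
# taken from the notes or chosen here; override them via the environment.
JAR="${JAR:-mcas-siemagent-0.111.126-signed.jar}"
IMAGE="${IMAGE:-customjava}"
ENV_FILE="${ENV_FILE:-/root/mcas.env}"
LOG_DIR="${LOG_DIR:-/root/java}"

# Dockerfile with no token in it; only the jar is copied, so the env file
# cannot end up in the image by accident. MCAS_TOKEN is expanded at start.
dockerfile() {
  cat <<EOF
FROM openjdk:12
COPY $JAR /usr/src/myapp/
WORKDIR /usr/src/myapp
RUN mkdir /logs
VOLUME /logs
CMD ["sh", "-c", "exec java -jar $JAR --token \"\$MCAS_TOKEN\" --logsDirectory /logs"]
EOF
}

# Refuse to start if the env file is missing, has no token, or is readable
# by group/other (chars 5-10 of `ls -l` are the group and other bits).
check_env_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing env file: $f" >&2; return 1; }
  grep -q '^MCAS_TOKEN=..*$' "$f" || { echo "no MCAS_TOKEN in $f" >&2; return 1; }
  case "$(ls -l "$f" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "$f must be mode 0600" >&2; return 1 ;;
  esac
}

# Print the run command: the token is injected via --env-file, so it never
# shows up on the command line, in `ps`, or in the image layers.
run_command() {
  echo "docker run -d --name $IMAGE --restart unless-stopped" \
       "--volume $LOG_DIR:/logs --env-file $ENV_FILE $IMAGE"
}

main() {
  check_env_file "$ENV_FILE" || exit 1
  dockerfile > Dockerfile
  docker image build -t "$IMAGE" .
  sh -c "$(run_command)"
}

# Only run when invoked as mcas_agent.sh, so the functions can be sourced elsewhere.
case "$0" in *mcas_agent.sh) main "$@" ;; esac
```

The token still has to reach the DCN node somehow; this only keeps it out of the image and registry, which is the part the notes are about to push.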
DUANE! MS CAS has a dumb little Java agent. It has to connect to MS servers and output CAS data via syslog; it can't do anything else (and they don't publicize the API it uses). So our approach was to run the dumb little Java agent in a Docker container, on customer premises in the POP.
We have a POP node in Smart and Final called the "data collection node" (DCN) (an evolution just for crap like this), but it's become a huge yak that needs shaving. To run the agent I need a container, so I made a container. To run the container I need to upload the container to a registry, so I uploaded it to our registry. Now, to give the nodes on customer prem access to the registry, they need AWS API credentials. To give them API creds I need to be able to distribute said creds from the Salt master. To distribute them from the master, I decided on GPG-encrypted pillars. Before I could enable encrypted pillars I needed to clean up the Salt master config files, which is done. So: finish the encrypted pillars, give creds to the DCN node, connect it to the registry, get the container running.