Description:

This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center.


Rationale:

Security Center offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, a subscription must have a Cloud App Security license.

MCAS works only with Standard Tier subscriptions.


Impact:

MCAS works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Azure Security Center incurs an additional cost per resource.


Default Value:

With the Cloud App Security license, these alerts are enabled by default.


Audit:

  1. Sign in to your Azure account.

  2. Go to Security Center

  3. Select Pricing & settings blade

  4. Click on the subscription name
  5. Select the Integrations blade
  6. Ensure setting Allow Microsoft Cloud App Security to access my data is selected
    If not follow the Implementation steps



Using Azure Command-Line Interface 2.0

Ensure the output of the below command is True

az account get-access-token --query 
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json"
https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se ttings?api-version=2019-01-01' | jq '.|.value[] | select(.name=="MCAS")'|jq '.properties.enabled'



Remediation:

Pre-Requisite:

  1. An Azure Defender plan for Enhanced security plan (Azure Defender is free for the first 30 days. At the end of 30 days, if you choose to continue using the service, you’ll automatically be charged for usage).


Implementation Steps:

  1. Go to Azure Security Center

  2. Select Security policy blade

  3. Click On Edit Settings to alter the security policy for a subscription
  4. Select the Integrations blade
  5. Check/Enable option Allow Microsoft Cloud App Security to access my data
  6. Click on Save


Backout Plan:

  1. Go to Azure Security Center

  2. Select Pricing & settings blade

  3. Click on the subscription name

  4. Select the Threat Detection blade

  5. Ensure setting Allow Microsoft Cloud App Security to access my data is enabled(how we can revoke the changes)


Using Azure Command-Line Interface 2.0

Use the below command to enable Standard pricing tier for Storage Accounts

az account get-access-token --query 
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" 
https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se ttings/MCAS?api-version=2019-01-01 -d@"input.json"'

Where input.json contains the Request body json data as mentioned below.