How to easily generate test Incidents in Azure Sentinel using Microsoft Cloud App Security

Paul Rouse
3 min read · May 25, 2021


My role involves setting up multiple proofs of concept and demos of Azure Sentinel for clients, and when doing so I’ve found it’s always useful to have a way to generate alerts to demo/test. There are many ways to generate incidents in Sentinel, but this is my preferred method for now.

Note: You must have the “Create incidents based on Microsoft Cloud App Security alerts” analytic rule enabled to generate this Incident from Microsoft Cloud App Security. This may not be enabled if you have connected Microsoft 365 Defender and chose to turn off incident creation rules for the related products. This is because the alert generated is an MCAS_ALERT_CABINET_EVENT_MATCH_AUDIT type alert, which is not yet onboarded to Microsoft 365 Defender, as noted in the following MS article: Microsoft Cloud App Security alerts not imported into Azure Sentinel through Microsoft 365 Defender integration | Microsoft Docs

Setup Steps

1) Create a new Activity Policy in MCAS

2) Call it “MCAS API Token Creation” and add the following filters

3) Click Create to create the MCAS policy

4) Next generate an API token to trigger an alert by clicking the Settings (cog) icon in MCAS and choosing “Security Extensions” from the menu

5) Click to add an API Token

6) Name the token and click “Generate token”

7) Your token will now be generated

8) Click Alerts in the MCAS menu to verify a new alert has been created by your activity

If you have MCAS connected to Sentinel, you will now see a corresponding incident there.
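To confirm the result from the Sentinel Logs blade rather than the Incidents list, the following query is an added example, not part of the original post. It assumes the alert name equals the policy name from step 2 and that MCAS alerts arrive with ProductName "Microsoft Cloud App Security". A row with an empty IncidentNumber means the alert reached Sentinel but the incident creation rule from the note above did not fire.

```kusto
// Added example (not from the original post).
// Assumptions: AlertName matches the policy name created in step 2, and
// ProductName is "Microsoft Cloud App Security" for alerts from this connector.
let lookback = 1h;
let policyName = "MCAS API Token Creation";
// Latest version of each test alert raised by the activity policy
let testAlerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Microsoft Cloud App Security"
    | where AlertName == policyName
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project AlertTime = TimeGenerated, SystemAlertId, AlertName, AlertType, AlertSeverity;
// Latest state of each incident, one row per alert it contains
SecurityIncident
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string)
// rightouter keeps test alerts that have no incident, so a missing
// incident creation rule shows up as an empty IncidentNumber
| join kind=rightouter (testAlerts) on $left.AlertId == $right.SystemAlertId
| project AlertTime, AlertName, AlertType, AlertSeverity, IncidentNumber, Title, Status
| order by AlertTime desc
```

No rows at all points to the data connector or the MCAS policy rather than the analytic rule.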

I hope you found this useful.


Written by Paul Rouse

Microsoft Mobility + Security Consultant
