❓ FAQ
Yes, you can run both versions of STAT in the same subscription. STATv1 will continue to work. However, STATv2 has improved performance and additional features you might want to consider.
There is no upgrade path. The existing playbooks will continue to function, but you will need to replace the STATv1 actions with STATv2 actions or create a new playbook from scratch that uses STATv2.
During the deployment you are asked to provide the Microsoft Defender for Cloud Apps URL (formerly known as MCAS). You can find this URL in the Defender portal (https://security.microsoft.com) in the Settings section.

Select Cloud apps and you will see the API URL in the About section.

You can enter a bogus string in the wizard to validate the deployment. Note that you will then not be able to call the Microsoft Defender for Cloud Apps module.
When your Sentinel playbook is saved in a different resource group than your STATv2 deployment, the Logic App designer will prompt you for a function code before customizing your step:

You can enter the name you want (it will be used to identify the connection of the connectors in the logic app code and saved as an API connection in your current resource group). For the code, you can find it in the STATv2 function resource under Overview > Functions tab > modules > :


You can copy the value of the key directly into your clipboard and then paste it in the Function code field of the connector. Note that once you have done that one time in your designer, you will no longer be prompted for future STATv2 calls for all playbooks located in the same resource group.
Important
STAT has only been tested and verified to work in Commercial and GCC environments. GCC-H and DoD have not been tested.
When using STAT in another cloud, verify that you are using the correct endpoints in the environment variables of the STAT function app. At this time STAT will not deploy in DoD due to the lack of availability of the Azure Functions consumption plan for Linux.

Commercial

Environment Variable | Value |
---|---|
ARM_ENDPOINT | management.azure.com |
GRAPH_ENDPOINT | graph.microsoft.com |
LOGANALYTICS_ENDPOINT | api.loganalytics.io |
MDE_ENDPOINT | api.securitycenter.microsoft.com |
M365_ENDPOINT | api.security.microsoft.com |

GCC

Environment Variable | Value |
---|---|
ARM_ENDPOINT | management.azure.com |
GRAPH_ENDPOINT | graph.microsoft.com |
LOGANALYTICS_ENDPOINT | api.loganalytics.io |
MDE_ENDPOINT | api-gcc.securitycenter.microsoft.us |
M365_ENDPOINT | api-gcc.security.microsoft.us |

GCC-H

Environment Variable | Value |
---|---|
ARM_ENDPOINT | management.usgovcloudapi.net |
GRAPH_ENDPOINT | graph.microsoft.us |
LOGANALYTICS_ENDPOINT | api.loganalytics.us |
MDE_ENDPOINT | api-gov.securitycenter.microsoft.us |
M365_ENDPOINT | api-gov.security.microsoft.us |
AZURE_AUTHORITY_HOST | login.microsoftonline.us |

DoD

Environment Variable | Value |
---|---|
ARM_ENDPOINT | management.usgovcloudapi.net |
GRAPH_ENDPOINT | dod-graph.microsoft.us |
LOGANALYTICS_ENDPOINT | api.loganalytics.us |
MDE_ENDPOINT | api-gov.securitycenter.microsoft.us |
M365_ENDPOINT | api-gov.security.microsoft.us |
AZURE_AUTHORITY_HOST | login.microsoftonline.us |
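
One way to verify the function app's environment variables against the tables above, so that a set mixing endpoints from two clouds is caught before a playbook runs. This is an added example, not part of the STAT project; the cloud names assume the tables follow the order Commercial, GCC, GCC-H, DoD, the function names are hypothetical, and the input is the JSON array printed by `az functionapp config appsettings list`.

```python
import json

# Endpoint sets copied from the four tables on this page. The cloud names are an
# assumption: the tables are taken to follow the order Commercial, GCC, GCC-H, DoD.
_PUBLIC = {
    "ARM_ENDPOINT": "management.azure.com",
    "GRAPH_ENDPOINT": "graph.microsoft.com",
    "LOGANALYTICS_ENDPOINT": "api.loganalytics.io",
}
_GOV = {
    "ARM_ENDPOINT": "management.usgovcloudapi.net",
    "LOGANALYTICS_ENDPOINT": "api.loganalytics.us",
    "MDE_ENDPOINT": "api-gov.securitycenter.microsoft.us",
    "M365_ENDPOINT": "api-gov.security.microsoft.us",
    "AZURE_AUTHORITY_HOST": "login.microsoftonline.us",
}
PROFILES = {
    "Commercial": {**_PUBLIC, "MDE_ENDPOINT": "api.securitycenter.microsoft.com",
                   "M365_ENDPOINT": "api.security.microsoft.com"},
    "GCC": {**_PUBLIC, "MDE_ENDPOINT": "api-gcc.securitycenter.microsoft.us",
            "M365_ENDPOINT": "api-gcc.security.microsoft.us"},
    "GCC-H": {**_GOV, "GRAPH_ENDPOINT": "graph.microsoft.us"},
    "DoD": {**_GOV, "GRAPH_ENDPOINT": "dod-graph.microsoft.us"},
}

def load_settings(az_json):
    """Parse the app settings JSON array: [{"name": ..., "value": ...}, ...]."""
    return {s["name"]: (s.get("value") or "").strip().lower() for s in json.loads(az_json)}

def mismatches(settings, cloud):
    """Return [(variable, expected, actual)] for each variable that differs from the table."""
    return [(var, want, settings.get(var))
            for var, want in PROFILES[cloud].items() if settings.get(var) != want]

def matching_clouds(settings):
    """Clouds whose table the settings satisfy in full; [] means a mixed or unknown set."""
    return [c for c in PROFILES if not mismatches(settings, c)]

# Constructed sample: a GCC-H deployment whose Graph endpoint was left at the commercial value.
SAMPLE = json.dumps([{"name": k, "value": v, "slotSetting": False} for k, v in
                     {**PROFILES["GCC-H"], "GRAPH_ENDPOINT": "graph.microsoft.com"}.items()])

if __name__ == "__main__":
    s = load_settings(SAMPLE)
    print(matching_clouds(s) or "no full match")
    for var, want, got in mismatches(s, "GCC-H"):
        print(f"{var}: expected {want}, found {got}")
```

Only the variables listed in the table for the chosen cloud are compared, so a variable that is missing from the function app is reported with an actual value of `None`.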