Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Microsoft Azure ATP

Microsoft Azure Advanced Threat Protection (ATP)

Integration Points

Protocol Information Discovered Used For
Syslog (CEF) Suspicious alerts occurring on Windows machine in Azure Security and Compliance

Configuration

FortiSIEM receives alerts via CEF formatted syslog. See here for details.

Event Types

Search for 'MS-AzureATP' in Admin > Device Support > Event Types.

Sample Event

02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a

Microsoft Azure ATP

Microsoft Azure Advanced Threat Protection (ATP)

Integration Points

Protocol Information Discovered Used For
Syslog (CEF) Suspicious alerts occurring on Windows machine in Azure Security and Compliance

Configuration

FortiSIEM receives alerts via CEF formatted syslog. See here for details.

Event Types

Search for 'MS-AzureATP' in Admin > Device Support > Event Types.

Sample Event

02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a