Microsoft Defender for Identity (Previously Microsoft Azure Advanced Threat Protection (ATP))
Integration Points
Protocol | Information Discovered | Used For
---|---|---
Syslog (CEF) | Suspicious alerts occurring on Windows machines in Azure | Security and Compliance
Event Types
In ADMIN > Device Support > Event Types, search for "MS-AzureATP" in the Search field to see the event types associated with Microsoft Defender for Identity/Microsoft Azure ATP.
Configuration
FortiSIEM receives alerts via CEF formatted syslog. See here for details.
Sample Event
02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a
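The sample above shows the two things a parser for these events has to handle: the syslog transport can present the CEF body as "CEF <pid> <msgid> 0|..." rather than "CEF:0|...", and extension values such as msg= contain spaces, while the alert URL arrives as a cs1Label/cs1 pair. The following parser is an added example written for this page, not FortiSIEM's own parsing logic; the sample line is re-typed from the event above.

```python
import re

# Constructed sample: the Defender for Identity CEF line shown above (not a live capture).
SAMPLE = ("02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 "
          "CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|"
          "LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|"
          "start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 "
          "msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston "
          "(Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 "
          "cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/"
          "57b8ac96-7907-4971-9b27-ec77ad8c029a")

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# The transport may emit "CEF:0|..." or, as in the sample, "CEF <pid> <msgid> 0|...";
# in both cases the CEF body starts at the version digit followed by a pipe.
_CEF_START = re.compile(r"\bCEF(?::|\s.*?)\s*(\d+\|.*)$")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")       # CEF escapes literal pipes as \|
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an extension key is <token>= at a word start

def parse_extension(ext):
    """Split 'k=v k2=v2 ...' where values (e.g. msg=) may themselves contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    # Resolve custom-field labels: cs1Label=url cs1=<value> also becomes url=<value>.
    for key in list(out):
        if key.endswith("Label") and key[:-5] in out:
            out[out[key]] = out[key[:-5]]
    return out

def parse_cef(line):
    """Return the CEF header fields plus a parsed 'extension' dict for one syslog line."""
    m = _CEF_START.search(line)
    if not m:
        raise ValueError("no CEF payload found")
    parts = _UNESCAPED_PIPE.split(m.group(1), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts))
    event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(parts[7])
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```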