Fortinet black logo

External Systems Configuration Guide

Microsoft Defender for Identity/Microsoft Azure ATP

Microsoft Defender for Identity (Previously Microsoft Azure Advanced Threat Protection (ATP) )

Integration Points

Protocol Information Discovered Used For
Syslog (CEF) Suspicious alerts occurring on Windows machine in Azure Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "MS-AzureATP" in the Search field to see the event types associated with Microsoft Defender for Identity/Microsoft Azure ATP.

Configuration

FortiSIEM receives alerts via CEF formatted syslog. See here for details.

Sample Event

02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a

Microsoft Defender for Identity (Previously Microsoft Azure Advanced Threat Protection (ATP) )

Integration Points

Protocol Information Discovered Used For
Syslog (CEF) Suspicious alerts occurring on Windows machine in Azure Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "MS-AzureATP" in the Search field to see the event types associated with Microsoft Defender for Identity/Microsoft Azure ATP.

Configuration

FortiSIEM receives alerts via CEF formatted syslog. See here for details.

Sample Event

02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a