
External Systems Configuration Guide

Microsoft Defender for Identity/Microsoft Azure ATP

Microsoft Defender for Identity (previously Microsoft Azure Advanced Threat Protection (ATP))

Integration Points

Protocol        Information Discovered                           Used For
Syslog (CEF)    Suspicious alerts occurring on Windows machine   Azure Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "MS-AzureATP" in the Search field to see the event types associated with Microsoft Azure Advanced Threat Protection (ATP).

Configuration

FortiSIEM receives alerts via CEF-formatted syslog. Configure the Defender for Identity syslog notification (Settings > Notifications > Syslog) to forward security alerts in CEF format to the FortiSIEM collector's syslog port; the designated sensor sends the alerts. See the Microsoft Defender for Identity syslog notification documentation for details.

Sample Event

02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a
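The sample above shows what a practitioner has to parse: a syslog relay prefix (the relay has replaced the standard "CEF:" marker with its own fields), a seven-field pipe-delimited CEF header, and a space-separated extension whose values (for example msg=) may themselves contain spaces, with cs1Label/cs1 pairs carrying the alert URL. The following parser is an added example for this guide, not FortiSIEM's own parser, and makes no claim about FortiSIEM's internal attribute names. It locates the header without assuming the "CEF:" prefix, honours CEF escaping (\| in the header, \= in values), resolves custom-field labels, and buckets the numeric CEF severity (0-3 low, 4-6 medium, 7-8 high, 9-10 very-high). The second input line is constructed solely to exercise the escaping rules.

```python
"""Parse a Defender for Identity (Azure ATP) CEF syslog alert and summarize it.

Added example; not FortiSIEM code. Handles the relayed form of the sample,
where the syslog relay dropped the usual "CEF:" prefix.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

# Constructed copy of the sample event from the guide (relayed via syslog).
SAMPLE = (
    "02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 "
    "CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|"
    "LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|"
    "start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 "
    "msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston "
    "(Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 "
    "cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/"
    "57b8ac96-7907-4971-9b27-ec77ad8c029a"
)

# Constructed line (not a real product event) exercising CEF escaping rules.
ESCAPED = "CEF:0|Contoso\\|Inc|Sensor|1.0|100|Pipe\\|in name|7|msg=a\\=b cnt=1"

_HEADER_START = re.compile(r"(?:CEF:)?(\d+)\|")          # CEF version followed by a pipe
_PIPE = re.compile(r"(?<!\\)\|")                         # unescaped header delimiter
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")      # extension key at start or after space
_LABEL = re.compile(r"^(cs|cn|cfp)(\d+)Label$")          # custom-field label keys


@dataclass
class CefEvent:
    cef_version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: Union[int, str]                            # 0-10, or Low/Medium/High/Very-High
    extension: Dict[str, str] = field(default_factory=dict)


def _unescape_header(s: str) -> str:
    return re.sub(r"\\([\\|])", r"\1", s)               # \| -> |, \\ -> \


def _unescape_value(s: str) -> str:
    table = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}
    return re.sub(r"\\([\\=nr])", lambda m: table[m.group(1)], s)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v v v' where values may contain spaces but escape '='."""
    keys = list(_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> CefEvent:
    m = _HEADER_START.search(line)
    if not m:
        raise ValueError("no CEF header found")
    parts = _PIPE.split(line[m.start(1):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields plus extension")
    ver, vendor, product, dver, sig, name, sev = (_unescape_header(p) for p in parts[:7])
    severity: Union[int, str] = int(sev) if sev.isdigit() else sev
    return CefEvent(ver, vendor, product, dver, sig, name, severity, parse_extension(parts[7]))


def resolve_custom_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """Replace csN/cnN/cfpN pairs with their csNLabel names (cs1Label=url cs1=... -> url=...)."""
    out = dict(ext)
    for key, label in ext.items():
        m = _LABEL.match(key)
        if not m:
            continue
        base = m.group(1) + m.group(2)
        if base in out:
            out[label] = out.pop(base)
        out.pop(key, None)
    return out


def severity_bucket(sev: Union[int, str]) -> str:
    if isinstance(sev, str):                             # CEF allows textual severities
        return sev.lower()
    if sev <= 3:
        return "low"
    if sev <= 6:
        return "medium"
    if sev <= 8:
        return "high"
    return "very-high"


def summarize(line: str) -> Dict[str, Optional[object]]:
    """Flatten one alert into the fields an analyst triages on."""
    ev = parse_cef(line)
    f = resolve_custom_fields(ev.extension)
    cnt = f.get("cnt", "")
    return {
        "vendor": ev.vendor, "product": ev.product,
        "signature_id": ev.signature_id, "name": ev.name,
        "severity": severity_bucket(ev.severity),
        "source_user": f.get("suser"), "source_host": f.get("shost"),
        "count": int(cnt) if cnt.isdigit() else None,
        "external_id": f.get("externalId"), "alert_url": f.get("url"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note the unavoidable caveat of any CEF parser: a value that contains an unescaped " key=" sequence will be split as a new field, so the sender's escaping (\= for literal equals signs) is what the parser relies on; the bucket thresholds follow the CEF severity scale rather than any FortiSIEM-specific severity mapping.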
