Microsoft Defender for Identity (previously Microsoft Azure Advanced Threat Protection (ATP))
Integration Points
| Protocol | Information Discovered | Used For |
|---|---|---|
| Syslog (CEF) | Suspicious alerts occurring on Windows machines in Azure | Security and Compliance |
Event Types
In ADMIN > Device Support > Event Types, search for "MS-AzureATP" in the Search field to see the event types associated with Microsoft Azure Advanced Threat Protection (ATP).
Configuration
FortiSIEM receives alerts via CEF formatted syslog. See here for details.
Sample Event
02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a
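As an added example (not FortiSIEM's or Microsoft's own code), the parser below splits the sample alert above into its CEF header fields and extension key/value pairs. It accepts both a strict `CEF:0|...` payload and the RFC 5424-style syslog header seen in the sample (APP-NAME `CEF`, PROCID, MSGID, then the version), and it honours CEF's backslash escapes for `|`, `=` and `\`. The constant `SAMPLE` is a constructed copy of the page's sample event.

```python
import re

# Constructed copy of the sample event shown on this page (not live data).
SAMPLE = ("02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 "
          "2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert "
          "0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|"
          "Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z "
          "app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the "
          "Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 "
          "(100 guess attempts). cnt=100 externalId=2004 cs1Label=url "
          "cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a")

# The payload starts either at "CEF:<version>|" (strict CEF) or, as in the page's
# sample, at "<version>|" after the syslog APP-NAME "CEF", PROCID and MSGID tokens.
_CEF_START = re.compile(r'(?:CEF:|\bCEF\b.*?\s)(\d+)\|')
_HEADER_PIPE = re.compile(r'(?<!\\)\|')  # a pipe that is not escaped with a backslash
# key=value pairs; a value runs until the next " key=" token or end of line,
# treating any backslash-escaped character as part of the value.
_EXT_PAIR = re.compile(r'(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)')
_ESCAPES = {'|': '|', '=': '=', '\\': '\\', 'n': '\n', 'r': '\r'}


def _unescape(text):
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(0)), text)


def parse_cef(line):
    """Return the CEF header fields and extension dictionary of one syslog line."""
    line = line.rstrip("\r\n")
    start = _CEF_START.search(line)
    if not start:
        raise ValueError("no CEF payload found in line")
    # Vendor|Product|Version|SignatureID|Name|Severity|Extension -> 7 parts
    parts = _HEADER_PIPE.split(line[start.end():], maxsplit=6)
    if len(parts) != 7:
        raise ValueError("malformed CEF header")
    vendor, product, version, sig_id, name, severity, extension = parts
    return {
        "cef_version": int(start.group(1)),
        "vendor": _unescape(vendor),
        "product": _unescape(product),
        "version": version,
        "signature_id": sig_id,
        "name": _unescape(name),
        "severity": int(severity),
        "ext": {k: _unescape(v) for k, v in _EXT_PAIR.findall(extension)},
    }


if __name__ == "__main__":
    evt = parse_cef(SAMPLE)
    print(evt["signature_id"], evt["severity"], evt["ext"]["suser"], evt["ext"]["cnt"])
```

The `cs1`/`cs1Label` pair carries the deep link back to the alert in the Azure ATP portal, so a SIEM rule built on `signature_id` and `severity` can surface it directly to the analyst.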