Forum Discussion
Azure ATP security alerts in CEF format
According to the link https://docs.microsoft.com/en-us/azure-advanced-threat-protection/cef-format-sa Azure ATP is capable of sending events in CEF format when sending logs to a Syslog server, however, many events come without being formatted in that way.
For example:
<36>1 2020-09-18T01:31:27.936158+00:00 SERVERNAME CEF 5424 EnumerateSessionsSecurityAlert 0|Microsoft|Azure ATP|2.126.8634.25312|EnumerateSessionsSecurityAlert|User and IP address reconnaissance (SMB)|5|start=2020-09-18T01:28:38.7486210Z app=SrvSvc shost=hostname msg=username (domain) on hostname enumerated SMB sessions on target_host, retrieving recent IP addresses of 10 accounts. externalId=2012 cs1Label=url cs1=https://vuw-production.atp.azure.com/s... cs2Label=trigger cs2=new
As can be seen in the redacted message, the msg field contains the username and domain, but there is no suser field, nor a domain field.
The same problem affects other alerts as well.
I would like to have those fields in a standardised way.
10 Replies
- EliOfek
Microsoft
Rodrigo Carneiro, some alerts are computer based, and some are user based, so you will get either shost or suser.
In this case, the alert is computer based, so you are getting shost.
The message is more dynamic. In this case, you had only one user involved, so it mentioned its name, but it's a private case; in the generic case for this alert, there could be more than one, in which case the dynamic text would say "3 accounts" instead of a specific name, and this is not something you want inside suser...
- Rodrigo Carneiro
Copper Contributor
Hi EliOfek, thanks for your response.
I understand the messages are dynamic, and it is great because they give you some context before you dig deep into the problem, but they only work well if you are in the AATP console. If you need them for an automated action, then they are not very helpful.
For example, in this specific case I would suspect the account was compromised and I would act to prevent further compromise originating from the account. But I can only do that automatically if I can see who did what, and although there was a user associated with that alert I couldn't do much.
It would be great to receive a syslog message where all the fields are present, regardless of the alert type. That way we could extract the fields and process them in a way that automatic remediation actions are possible.
- EliOfek
Microsoft
Rodrigo Carneiro, I see your point, but how would you suggest sending an array of accounts (in some cases there can be thousands) in CEF format? The two available formats are one machine and many users, or one user with many machines.
You can know which is which by checking if you have the suser or the shost field in the payload...
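The rule the thread arrives at, check whether the payload carries suser or shost to tell a user-based alert from a computer-based one, is easy to get wrong when the record is parsed naively, because the msg value contains spaces and the usual "CEF:" prefix is replaced by a syslog header. The parser below is an added example, not code from the thread or from Azure ATP; it splits the quoted record into header fields and extension pairs and applies that rule, using a constructed copy of the redacted message in which SERVERNAME, hostname, target_host and the cs1 URL are placeholders.

```python
import re

# Constructed sample modelled on the redacted alert quoted in the thread; SERVERNAME,
# hostname, target_host and the cs1 URL are placeholders, not real values.
SAMPLE = ("<36>1 2020-09-18T01:31:27.936158+00:00 SERVERNAME CEF 5424 "
          "EnumerateSessionsSecurityAlert 0|Microsoft|Azure ATP|2.126.8634.25312|"
          "EnumerateSessionsSecurityAlert|User and IP address reconnaissance (SMB)|5|"
          "start=2020-09-18T01:28:38.7486210Z app=SrvSvc shost=hostname "
          "msg=username (domain) on hostname enumerated SMB sessions on target_host, "
          "retrieving recent IP addresses of 10 accounts. externalId=2012 "
          "cs1Label=url cs1=https://example.invalid/redacted cs2Label=trigger cs2=new")

HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is word characters followed by '=' at the start or after whitespace;
# a value runs until the next such key, so the space-filled msg is captured whole.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_extension(ext):
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields

def parse_cef(line):
    # AATP places the syslog header before the CEF record and omits the "CEF:" prefix,
    # so locate the CEF version digit preceding the first '|' (a "CEF:" prefix also works).
    start = re.search(r"(?:CEF:)?(\d+)\|", line)
    if start is None:
        raise ValueError("no CEF header in line")
    # Pipes inside header fields are escaped as '\|'; split only on unescaped ones.
    parts = re.split(r"(?<!\\)\|", line[start.start(1):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 fields plus extension")
    record = {k: v.replace(r"\|", "|") for k, v in zip(HEADER_KEYS, parts)}
    record["extension"] = parse_extension(parts[7])
    return record

def alert_subject(record):
    # The rule from the thread: a computer-based alert carries shost, a user-based one
    # carries suser; the free-text msg is dynamic and is not relied on here.
    ext = record["extension"]
    if "suser" in ext:
        return ("user", ext["suser"])
    if "shost" in ext:
        return ("computer", ext["shost"])
    return ("unknown", None)
```

For the quoted alert this yields a computer-based subject ("hostname") and no suser key, which is exactly the situation the original poster describes.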