Forum Discussion
Azure ATP security alerts in CEF format
Rodrigo Carneiro, some alerts are computer based and some are user based, so you will get either shost or suser.
In this case, the alert is computer based, so you are getting shost.
The message is more dynamic. In this case, you had only one user involved, so it mentioned its name, but that is a special case; in the generic case for this alert there could be more than one, in which case the dynamic text would say "3 accounts" instead of a specific name, and this is not something you want inside suser...
Hi EliOfek, thanks for your response.
I understand the messages are dynamic, and it is great because they give you some context before you dig deep into the problem, but they only work well if you are in the AATP console. If you need them for an automated action, then they are not very helpful.
For example, in this specific case I would suspect the account was compromised and I would act to prevent further compromise originating from the account. But I can only do that automatically if I can see who did what, and although there was a user associated with that alert I couldn't do much.
It would be great to receive a syslog message where all the fields are present, regardless of the alert type. That way we could extract the fields and process them in a way that makes automatic remediation actions possible.
- EliOfek, Oct 01, 2020 (Microsoft)
Rodrigo Carneiro, I see your point, but how would you suggest sending an array of accounts (in some cases there can be thousands) in CEF format? The two available formats are one machine and many users, or one user with many machines.
You can know which is which by checking if you have the suser or the shost field in the payload...
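As an added example (not code from this thread or from Azure ATP itself), a small Python CEF parser that applies the check EliOfek describes: it splits the seven header fields from the extension, then decides from the presence of shost or suser whether the alert is computer-based or user-based. The sample messages, vendor/product strings and signature IDs are constructed placeholders.

```python
import re

# Constructed sample messages in the shape the thread describes (not real Azure ATP
# output; vendor/product/signature values are placeholders): the first carries shost
# (computer-based), the second carries suser (user-based).
SAMPLE_COMPUTER_ALERT = ("CEF:0|Microsoft|Azure ATP|2.0|SampleSigId|Sample alert|5|"
                         "shost=WS-ALPHA externalId=1001 msg=Activity involving 3 accounts")
SAMPLE_USER_ALERT = ("CEF:0|Microsoft|Azure ATP|2.0|SampleSigId|Sample alert|5|"
                     "suser=jdoe externalId=1002 msg=Activity from 2 computers")

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]


def _parse_extension(ext):
    """Parse 'k=v k2=v2'. Values may contain spaces; a literal '=' is escaped as '\\='
    and a literal backslash as '\\\\', so a value runs until the next unescaped 'key='."""
    starts = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    fields = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_cef(line):
    """Split the seven pipe-delimited header fields (a literal pipe is escaped as
    '\\|') from the extension and return one flat dict of all fields."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    fields["cef_version"] = fields["cef_version"][len("CEF:"):]
    fields.update(_parse_extension(parts[7]))
    return fields


def classify_alert(fields):
    """Apply the rule from the thread: shost present means a computer-based alert,
    suser present means a user-based one. Both or neither is unexpected for this
    source, so return 'unknown' rather than guess which entity to act on."""
    has_host, has_user = "shost" in fields, "suser" in fields
    if has_host and not has_user:
        return "computer", fields["shost"]
    if has_user and not has_host:
        return "user", fields["suser"]
    return "unknown", None
```

An automation pipeline would route on the returned kind: a "computer" result carries the host to isolate, a "user" result the account to act on, and "unknown" goes to a human.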
- Rodrigo Carneiro, Oct 01, 2020 (Copper Contributor)
I would suggest not using an array and treating each detection as a separate syslog message, as currently happens with other Microsoft Security products, like DATP, MCAS, etc.
The alerts in the console don't need to be affected and should continue to be dynamic as they are part of the same incident (if related), but the syslog messages would be more useful for an automated response as they would allow actions on both the suser and shost (if present).
- EliOfek, Oct 05, 2020 (Microsoft)
Rodrigo Carneiro, but that would suggest that each syslog message represents a new alert, while in this case it's the same alert with multiple affected accounts...