Forum Discussion
Azure ATP security alerts in CEF format
Hi EliOfek, thanks for your response.
I understand the messages are dynamic, and it is great because they give you some context before you dig deep into the problem, but they only work well if you are in the AATP console. If you need them for an automated action, then they are not very helpful.
For example, in this specific case I would suspect the account was compromised and I would act to prevent further compromise originating from the account. But I can only do that automatically if I can see who did what, and although there was a user associated with that alert, I couldn't do much.
It would be great to receive a syslog message where all the fields are present, regardless of the alert type. That way we could extract the fields and process them in a way that automatic remediation actions are possible.
Rodrigo Carneiro I see your point, but how would you suggest sending an array of accounts (which in some cases can be thousands) in CEF format? The two available formats are one machine and many users, or one user with many machines.
You can know which is which by checking if you have the suser or the shost field in the payload...
- Rodrigo Carneiro, Oct 01, 2020, Copper Contributor
I would suggest not using an array and treating each detection as a separate syslog message, as currently happens with other Microsoft security products, like DATP, MCAS, etc.
The alerts in the console don't need to be affected and should continue to be dynamic as they are part of the same incident (if related), but the syslog messages would be more useful for an automated response as they would allow actions on both the suser and shost (if present).
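The field check EliOfek describes (a message carries either suser or shost, and that tells you which of the two shapes it is) and the fixed-schema, per-entity record Rodrigo is asking for, shown together as an added example. This is not code from the thread or from Microsoft's product: it is a small Python parser for CEF-over-syslog lines. The sample lines are constructed for the example and are not real Azure ATP output; the thread does not show how the product encodes the many-accounts case, so the parser only handles the single suser or shost field per message that EliOfek describes. The field and function names (`classify`, `to_record`, the "pivot" entity) are this example's own.

```python
import re

# Constructed sample lines in the CEF-over-syslog shape discussed in the thread.
# Field values are made up for this example and are not real Azure ATP output.
SAMPLE_USER_CENTRIC = (
    "Oct 01 2020 10:00:00 sensor01 "
    "CEF:0|Microsoft|Azure ATP|2.0.0.0|AbnormalBehaviour|Abnormal behaviour|5|"
    "start=2020-10-01T10:00:00.0000000Z suser=jdoe "
    "msg=User jdoe performed actions on 3 computers externalId=1001"
)
SAMPLE_HOST_CENTRIC = (
    "Oct 01 2020 10:05:00 sensor01 "
    "CEF:0|Microsoft|Azure ATP|2.0.0.0|AbnormalBehaviour|Abnormal behaviour|5|"
    "start=2020-10-01T10:05:00.0000000Z shost=ws01 "
    "msg=Suspicious activity on ws01 by 2 users externalId=1002"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Split the header on '|' not preceded by a backslash (CEF escapes a literal pipe as '\|').
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension key=value pairs: a value runs until the next ' key=' token or end of
# line and may contain '\=' and '\\' escapes.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|\s*$)")


def _unescape(value):
    # '\=' -> '=', '\|' -> '|', '\\' -> '\', '\n' -> newline, as in the CEF spec.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_cef(line):
    """Return {'header': {...}, 'extension': {...}} for one CEF line.

    Anything before 'CEF:' (syslog timestamp, host) is ignored.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = _HEADER_SPLIT.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    extension = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    return {"header": header, "extension": extension}


def classify(extension):
    """Which of the two shapes EliOfek describes this message is in."""
    has_user = "suser" in extension
    has_host = "shost" in extension
    if has_user and not has_host:
        return "one-user-many-machines"
    if has_host and not has_user:
        return "one-machine-many-users"
    if has_user and has_host:
        return "single-user-single-machine"
    return "no-entity"


def to_record(line):
    """Flatten one alert into a fixed-schema record an automated response can key on."""
    parsed = parse_cef(line)
    ext = parsed["extension"]
    shape = classify(ext)
    # The "pivot" is the entity a response step would act on (e.g. disable the account).
    if shape == "one-user-many-machines":
        pivot = ("account", ext["suser"])
    elif shape == "one-machine-many-users":
        pivot = ("device", ext["shost"])
    else:
        pivot = None
    return {
        "alert_id": ext.get("externalId"),
        "alert_name": parsed["header"]["name"],
        "severity": parsed["header"]["severity"],
        "start": ext.get("start"),
        "shape": shape,
        "pivot": pivot,
        "message": ext.get("msg"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_USER_CENTRIC, SAMPLE_HOST_CENTRIC):
        print(to_record(sample))
```

The record keeps the free-text msg alongside the structured fields, so the dynamic context stays available for an analyst while the automation only touches `pivot` and `alert_id`. A message with neither suser nor shost ends up with `pivot` set to `None`, which is exactly the case Rodrigo describes as not actionable.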
- EliOfek, Oct 05, 2020, Microsoft
Rodrigo Carneiro But that would suggest that each syslog message represents a new alert, while in this case it's the same alert with multiple affected accounts...
- Rodrigo Carneiro, Oct 05, 2020, Copper Contributor
But they are new alerts anyway, aren't they? That doesn't mean they are not part of the same incident.
The GUI lets you choose to be notified when "A new security alert is detected" and when "An existing security alert is updated". Why not the same for syslog messages, including these fields?