Forum Discussion
Integrating Defender for Identity with a SIEM (IBM QRadar) over TLS Syslog (English follows)
umesuisho This reference might help you:
https://learn.microsoft.com/en-us/defender-for-identity/cef-format-sa
- umesuisho, Jan 10, 2023, Copper Contributor
Thank you Eli, it seems like an IP address will be put in the column, right?
Where can we find the IPs to be put in the column for each Sensors?
2-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration activity using the Kerberos protocol, originating from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). externalId=2003 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d cs2Label=trigger cs2=new cs3Label=shostfqdn cs3=client1.contoso.com
- EliOfek, Jan 10, 2023, Microsoft
If you are looking for the host of the sensor then yes, it's the field marked in bold in the header of the message.
- umesuisho, Jan 10, 2023, Copper Contributor
Thank you Eli,
okay, so I'd like to specify the IP of the sensors.
We can see the names of the sensors in the dashboard of the Defender for Identity console.
Where can we locate the IP of the sensors then?
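To make the layout of the quoted message concrete, here is an added Python parser (example code written for this page, not Microsoft's and not posted by anyone in the thread). It splits the line umesuisho pasted into the collector-prefixed syslog header, the seven pipe-delimited CEF header fields and the key=value extension, honouring CEF's backslash escapes, and resolves the csNLabel/csN pairs so that shostfqdn and url become ordinary keys. The names CefAlert, parse_line, parse_extensions and resolve_labels are my own; reading the third token as the peer address recorded by the syslog receiver and CENTER as the RFC 5424 HOSTNAME field is an assumption drawn from the message layout, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the line quoted in the thread, reproduced verbatim
# so the parser can be exercised offline.
SAMPLE = (
    "2-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 "
    "CENTER CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|"
    "AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|"
    "start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado "
    "msg=Suspicious account enumeration activity using the Kerberos protocol, originating "
    "from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). "
    "externalId=2003 cs1Label=url "
    "cs1=https://contoso-corp.atp.azure.com/securityAlert/eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d "
    "cs2Label=trigger cs2=new cs3Label=shostfqdn cs3=client1.contoso.com"
)

# Assumed layout (not stated in the thread): a syslog collector prefixed its local
# time, facility.severity and the IPv4 peer address; then comes the RFC 5424 header
# VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the CEF version digit.
HEADER_RE = re.compile(
    r"^(?P<relay_time>\S+ \S+) "
    r"(?P<facility_severity>\S+) "
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<syslog_version>\d+) "
    r"(?P<timestamp>\S+) "
    r"(?P<hostname>\S+) "
    r"(?P<appname>\S+) "
    r"(?P<procid>\S+) "
    r"(?P<msgid>\S+) "
    r"(?P<cef_version>\d+)$"
)

_PIPE = re.compile(r"(?<!\\)\|")                            # header delimiter, not an escaped \|
_KEY_BOUNDARY = re.compile(r"(?<!\\) (?=[A-Za-z0-9_.]+=)")  # space that starts the next key=value
_KV = re.compile(r"(?<!\\)=")                               # first unescaped '=' in a pair


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\=' and '\\\\' (and '\\|' in the header); '\\n', '\\r' are newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extensions(ext: str) -> dict:
    """Split the CEF extension into a dict; values may contain spaces (see msg=)."""
    fields = {}
    for piece in _KEY_BOUNDARY.split(ext.strip()):
        if not piece:
            continue
        parts = _KV.split(piece, 1)
        if len(parts) != 2:
            raise ValueError("malformed extension pair: %r" % piece)
        fields[parts[0]] = _unescape(parts[1])
    return fields


def resolve_labels(ext: dict) -> dict:
    """Add label-named keys for csNLabel/csN (and cnN, flexString, ...) pairs."""
    resolved = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            resolved[label] = ext[key[:-len("Label")]]
    return resolved


@dataclass
class CefAlert:
    relay_time: str
    source_ip: str          # peer address the collector recorded (assumed meaning)
    hostname: str           # RFC 5424 HOSTNAME position (assumed meaning)
    appname: str
    procid: str
    msgid: str
    cef_version: str
    vendor: str
    product: str
    product_version: str
    signature_id: str
    name: str
    severity: int
    extensions: dict = field(default_factory=dict)


def parse_line(line: str) -> CefAlert:
    """Parse one collector-formatted line into its syslog and CEF components."""
    parts = _PIPE.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF record: expected 7 pipe-delimited header fields")
    prefix, vendor, product, version, sig_id, name, severity, ext = parts
    m = HEADER_RE.match(prefix)
    if not m:
        raise ValueError("unrecognised syslog prefix: %r" % prefix)
    h = m.groupdict()
    return CefAlert(
        h["relay_time"], h["source_ip"], h["hostname"], h["appname"], h["procid"],
        h["msgid"], h["cef_version"], _unescape(vendor), _unescape(product),
        _unescape(version), _unescape(sig_id), _unescape(name), int(severity),
        parse_extensions(ext),
    )


if __name__ == "__main__":
    alert = parse_line(SAMPLE)
    print("peer address :", alert.source_ip)
    print("hostname     :", alert.hostname)
    print("alert        :", alert.signature_id, "severity", alert.severity)
    for k, v in resolve_labels(alert.extensions).items():
        print("  %-12s %s" % (k, v))
```

Running the block prints the two addressing fields separately, which is the distinction the thread is circling: the address a collector records on receipt and the host name the sender puts in its own header can differ, so a log-source definition should be keyed on whichever one your collector actually exposes.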