Forum Discussion
alexturkin
Sep 02, 2021, Copper Contributor
Do Microsoft Defender for Identity SIEM logs conform to CEF format?
https://docs.microsoft.com/en-us/defender-for-identity/cef-format-sa page says "Alerts and events are in the CEF format." CEF spec Version 25 (I used one from that page: https://community.microfo...
alexturkin
Sep 02, 2021, Copper Contributor
Thank you for the reply!
So it seems to me that when MDI logs are sent in RFC3164 they conform to CEF, while when they are sent in RFC5424 they do not (because the "CEF:" part is omitted). Is that correct?
At the same time, it looks like https://docs.microsoft.com/en-us/advanced-threat-analytics/cef-format-sa has examples that are in RFC5424 while the "CEF:" part of the header is present, so they conform to the CEF format.
EliOfek
Microsoft
Sep 02, 2021
Effectively, yes, if you want to use a "pure" CEF format, then RFC3164 will work better for you.
Its main disadvantage is that it does not support Unicode, only ASCII.
And yes, the technical writers of ATA used RFC3164 for the samples there (or a mix), but I advise not to rely on the ATA docs as an MDI reference, as things often work differently between the two and it might be confusing.
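As an added example (not code from this thread, Microsoft, or the MDI product), here is a small Python checker for the situation discussed above: it accepts a syslog line in either RFC3164 or RFC5424 framing, reports whether the payload carries a well-formed CEF header ("CEF:0|..."), flags the case where the "CEF:" prefix has been dropped, and notes whether the message is pure ASCII (the RFC3164 limitation mentioned in the reply). The sample lines, vendor/product names, host names and usernames are constructed placeholders, not real MDI output.

```python
import re

# Constructed sample lines (placeholders, not MDI output): one CEF event in RFC3164
# framing, the same event in RFC5424 framing, an RFC5424 line whose "CEF:" prefix was
# dropped, and an RFC3164 line carrying a non-ASCII username.
CEF_BODY = "0|ExampleVendor|ExampleProduct|1.0|100|Suspicious activity|5|suser=alice shost=ws01"
SAMPLES = {
    "rfc3164": "<13>Sep  2 12:00:00 sensor01 CEF:" + CEF_BODY,
    "rfc5424": "<13>1 2021-09-02T12:00:00Z sensor01 app - - - CEF:" + CEF_BODY,
    "rfc5424_no_cef": "<13>1 2021-09-02T12:00:00Z sensor01 app - - - " + CEF_BODY,
    "rfc3164_unicode": "<13>Sep  2 12:00:00 sensor01 CEF:" + CEF_BODY.replace("alice", "josé"),
}

# RFC3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ (?P<msg>.*)$")
# RFC5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(r"^<\d{1,3}>\d{1,2} \S+ \S+ \S+ \S+ \S+ (?:-|\[.*?\]) (?P<msg>.*)$")

# The seven CEF header fields are pipe-delimited; a literal pipe in a header value is
# escaped as "\|", so split only on unescaped pipes and keep the extension whole.
HEADER_NAMES = ("vendor", "product", "device_version", "signature_id", "name", "severity")


def check_line(line: str) -> dict:
    """Classify the syslog framing of a line and check whether its payload is valid CEF."""
    for framing, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if m:
            msg = m.group("msg")
            break
    else:
        return {"framing": "unknown", "cef": False}
    fields = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    has_prefix = fields[0].startswith("CEF:")
    version = fields[0][4:] if has_prefix else fields[0]
    header_ok = version.isdigit() and len(fields) == 8
    result = {
        "framing": framing,
        "cef": has_prefix and header_ok,            # "CEF:<version>|..." with all 7 header fields
        "cef_prefix_missing": (not has_prefix) and header_ok,  # header shape is right, prefix dropped
        "ascii_only": msg.isascii(),                # RFC3164 transport is ASCII-only
    }
    if header_ok:
        result["header"] = dict(zip(HEADER_NAMES, fields[1:7]))
        result["extension"] = fields[7]
    return result


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, check_line(sample))
```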