Forum Discussion
Azure ATP security alerts in CEF format
I would suggest not using an array and treating each detection as a separate syslog message, as currently happens with other Microsoft Security products like DATP, MCAS, etc.
The alerts in the console don't need to be affected and should continue to be dynamic as they are part of the same incident (if related), but the syslog messages would be more useful for an automated response as they would allow actions on both the suser and shost (if present).
Rodrigo Carneiro: But that would suggest that each syslog message represents a new alert, while in this case it's the same alert with multiple affected accounts...
- Rodrigo Carneiro, Oct 05, 2020, Copper Contributor
But they are new alerts anyway, aren't they? But that doesn't mean they are not part of the same incident.
The GUI allows you to select to be notified when "A new security alert is detected" and "An existing security alert is updated". Why not the same for syslog messages, including these fields?
- EliOfek, Oct 05, 2020, Microsoft
Rodrigo Carneiro: In AATP the terms alert and incident are the same, but for a computer-based alert, additional user accounts won't open a new alert (new alert ID); it will be the same alert with more data added to it (relevant user entities).
Marking syslog with updates will send you updates when new entities are added, I believe.
- Rodrigo Carneiro, Oct 05, 2020, Copper Contributor
Another example. The alert below does show the suser field, but where is the domain field?
<36>1 2020-10-04T12:24:47.624590+00:00 SERVERNAME CEF 5896 PassTheTicketSecurityAlert 0|Microsoft|Azure ATP|2.128.8682.7486|PassTheTicketSecurityAlert|Suspected identity theft (pass-the-ticket)|5|start=2020-10-04T10:09:52.9072060Z app=Kerberos suser=useraccount msg=An actor took Shang**** (Thesis Student)'s Kerberos ticket from SURFACE**** and used it on MACBOOK**** to access ***** (HTTP). externalId=2018 cs1Label=url cs1=https://vuw-production.atp.azure.com/securityAlert/b7e8337f-6157-45c0-89e2-7e95f0be28b8... cs2Label=trigger cs2=new
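As an added illustration (not code from the thread or from Microsoft), the parser below splits a message shaped like the one quoted above into its syslog header, CEF header and extension, then reports which of the entities an automated response would act on (suser, domain, shost) are actually present and whether the cs2 trigger says "new" or "update". The sample is a constructed copy of the quoted line with a placeholder URL and GUID; the choice of sntdom as the domain key is an assumption, since the thread asks for a domain field without naming one.

```python
import re

# Constructed sample modelled on the message quoted above; the URL and GUID
# are placeholders, not the real console link.
SAMPLE = ('<36>1 2020-10-04T12:24:47.624590+00:00 SERVERNAME CEF 5896 '
          'PassTheTicketSecurityAlert 0|Microsoft|Azure ATP|2.128.8682.7486|'
          'PassTheTicketSecurityAlert|Suspected identity theft (pass-the-ticket)|5|'
          'start=2020-10-04T10:09:52.9072060Z app=Kerberos suser=useraccount '
          "msg=An actor took Shang**** (Thesis Student)'s Kerberos ticket from "
          'SURFACE**** and used it on MACBOOK**** to access ***** (HTTP). '
          'externalId=2018 cs1Label=url cs1=https://tenant.example.invalid/securityAlert/'
          '00000000-0000-0000-0000-000000000000 cs2Label=trigger cs2=new')

CEF_HEADER = ('version', 'vendor', 'product', 'device_version',
              'signature_id', 'name', 'severity')
SYSLOG_HEADER = ('pri', 'timestamp', 'host', 'app', 'procid', 'msgid')

def parse_aatp_cef(line):
    """Split one RFC 5424 syslog line carrying a CEF payload into its parts."""
    parts = line.split(' ', 6)   # PRI+VERSION TIMESTAMP HOST APP PROCID MSGID body
    if len(parts) != 7:
        raise ValueError('not an RFC 5424 line with a message body')
    # CEF header is 7 fields split on unescaped '|'; the remainder is the extension
    fields = re.split(r'(?<!\\)\|', parts[6], maxsplit=7)
    if len(fields) != 8:
        raise ValueError('CEF header has fewer than 7 fields')
    header = {k: v.replace('\\|', '|') for k, v in zip(CEF_HEADER, fields[:7])}
    # Extension values (msg, cs1) may contain spaces, so split only at
    # whitespace that is immediately followed by another key=
    ext = {}
    for pair in re.split(r'\s+(?=[A-Za-z][\w.]*=)', fields[7].strip()):
        key, _, value = pair.partition('=')
        ext[key] = value.replace('\\=', '=').replace('\\\\', '\\')
    return {'syslog': dict(zip(SYSLOG_HEADER, parts[:6])), 'cef': header, 'ext': ext}

def response_fields(alert):
    """Entities an automated response would act on, and which ones are absent.
    'sntdom' is the standard CEF key for the source NT domain; the thread asks
    for a domain field without naming one, so that choice is an assumption."""
    wanted = ('suser', 'sntdom', 'shost')
    ext = alert['ext']
    trigger = ext.get('cs2') if ext.get('cs2Label') == 'trigger' else None
    return {'present': {k: ext[k] for k in wanted if k in ext},
            'missing': [k for k in wanted if k not in ext],
            'trigger': trigger}   # 'new' or 'update', matching the console options

if __name__ == '__main__':
    alert = parse_aatp_cef(SAMPLE)
    print(alert['cef']['name'], 'severity', alert['cef']['severity'])
    print(response_fields(alert))
```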