Forum Discussion
Azure ATP security alerts in CEF format
But they are new alerts anyway, aren't they? But that doesn't mean they are not part of the same incident.
The GUI allows you to select to be notified when "A new security alert is detected" and "An existing security alert is updated". Why not the same for syslog messages including these fields?
Rodrigo Carneiro, in AATP the terms alert and incident are the same, but for a computer-based alert, additional user accounts won't open a new alert (new alert id); it will be the same alert with more data added to it (relevant user entities).
Marking syslog with updates will send you updates when new entities are added, I believe.
- EliOfek, Oct 14, 2020, Microsoft
Rodrigo Carneiro, pass-the-ticket is a user-based alert, so you get suser.
We only send samName there, no domain info indeed.
This feature was designed to alert, and provides a link to the full alert in the portal where you can see all the details. It wasn't designed to allow automation.
If you aim for automation, I suggest going another path: if you upgraded to the new user experience with Cloud App Security, you have the option to get full alert data using the Graph API, and I am pretty sure you can get the full IDs of both the computer and user accounts there...
The syslog message can be a trigger to go to Graph and get the full details from there, and then you can try and build automation on top of it.
Adding Or Tsemah from product to the thread, as he might be interested in hearing more about this automation requirement.

- Rodrigo Carneiro, Oct 05, 2020, Copper Contributor
Another example. The alert below does show the suser field, but where is the domain field?
<36>1 2020-10-04T12:24:47.624590+00:00 SERVERNAME CEF 5896 PassTheTicketSecurityAlert 0|Microsoft|Azure ATP|2.128.8682.7486|PassTheTicketSecurityAlert|Suspected identity theft (pass-the-ticket)|5|start=2020-10-04T10:09:52.9072060Z app=Kerberos suser=useraccount msg=An actor took Shang**** (Thesis Student)'s Kerberos ticket from SURFACE**** and used it on MACBOOK**** to access ***** (HTTP). externalId=2018 cs1Label=url cs1=https://vuw-production.atp.azure.com/securityAlert/b7e8337f-6157-45c0-89e2-7e95f0be28b8... cs2Label=trigger cs2=new

- Rodrigo Carneiro, Oct 05, 2020, Copper Contributor

I've just tested it and it doesn't include any additional field.
It does update the message according to the new information, which unfortunately doesn't allow any automation.
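Eli's suggestion above is to use the syslog message only as a trigger: read the alert id and the new/update marker out of the CEF line, then fetch the full alert record from the API. The parser below is an added example written for this thread, not Microsoft's code or anything shipped with Azure ATP. It takes the RFC 5424 line with the MDI-style CEF body (the "0|Microsoft|Azure ATP|..." form quoted by Rodrigo, or a standard "CEF:0|..." body), splits the header and the key=value extension (where msg= contains spaces), resolves the cs1Label/cs2Label pairs, and pulls the alert GUID out of the portal URL. The sample line is constructed to resemble the quoted one; the tenant name, hostnames, account name and GUID are placeholders. The Graph call itself is out of scope, so the function only returns what that call would need.

```python
"""Turn an Azure ATP / Defender for Identity CEF syslog alert into the fields an
automation needs: alert GUID from the portal URL, trigger (new vs update),
signature id, severity and suser. Added example, not Microsoft's code."""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the line quoted in the thread. Tenant name,
# hostnames, account name and the alert GUID are placeholders, not real values.
SAMPLE = (
    "<36>1 2020-10-04T12:24:47.624590+00:00 SERVERNAME CEF 5896 PassTheTicketSecurityAlert "
    "0|Microsoft|Azure ATP|2.128.8682.7486|PassTheTicketSecurityAlert|"
    "Suspected identity theft (pass-the-ticket)|5|"
    "start=2020-10-04T10:09:52.9072060Z app=Kerberos suser=useraccount "
    "msg=An actor took Someone (Thesis Student)'s Kerberos ticket from CLIENT-A "
    "and used it on CLIENT-B to access RESOURCE (HTTP). "
    "externalId=2018 cs1Label=url "
    "cs1=https://tenant.atp.azure.com/securityAlert/00000000-0000-0000-0000-000000000000 "
    "cs2Label=trigger cs2=new"
)

CEF_HEADER = ("cef_version", "vendor", "product", "product_version",
              "signature_id", "name", "severity")
# The CEF body ("0|Vendor|Product|...") follows either the syslog MSGID, as in
# the MDI line above, or a literal "CEF:" prefix in the standard form.
CEF_START = re.compile(r"(?:^|\s|CEF:)(\d+\|[^|]*\|)")
# An extension key is a run of word characters followed by "=" that is not
# glued to a preceding non-space character, so "?a=b" inside a URL does not split.
EXT_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_]+)=")


def parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces (msg= does)."""
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def resolve_labels(fields):
    """Expose csN values under their csNLabel name (cs1Label=url cs1=... -> url)."""
    out = dict(fields)
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            out[label] = fields[key[:-5]]
    return out


def parse_cef(line):
    """Return (header dict, extension dict) for one syslog/CEF line."""
    m = CEF_START.search(line)
    if not m:
        raise ValueError("no CEF body found in syslog line")
    parts = line[m.start(1):].split("|", 7)   # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 fields")
    header = dict(zip(CEF_HEADER, parts[:7]))
    header["severity"] = int(header["severity"])
    return header, resolve_labels(parse_extension(parts[7]))


def alert_id_from_url(url):
    """Last path segment of https://<tenant>.atp.azure.com/securityAlert/<guid>."""
    segment = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    if not re.fullmatch(r"[0-9a-fA-F-]{36}", segment):
        raise ValueError("portal URL does not end in an alert GUID")
    return segment


def triage(line):
    """Fields an automation would hand to a follow-up API lookup."""
    header, ext = parse_cef(line)
    trigger = ext.get("trigger", "new")        # cs2: "new" or "update"
    return {
        "alert_id": alert_id_from_url(ext["url"]),
        "trigger": trigger,
        "is_update": trigger == "update",      # same alert id, more entities added
        "suser": ext.get("suser"),             # sAMAccountName only, no domain part
        "external_id": ext.get("externalId"),
        "signature_id": header["signature_id"],
        "severity": header["severity"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because an "update" keeps the same alert id, the natural use is to key a local state table on `alert_id` and re-query the full record whenever `is_update` is true, rather than trying to read new entities out of the msg text, which is exactly the limitation described in the thread.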