Azure ATP security alerts in CEF format

%3CLINGO-SUB%20id%3D%22lingo-sub-1727240%22%20slang%3D%22en-US%22%3EAzure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1727240%22%20slang%3D%22en-US%22%3E%3CP%3EAccording%20to%20the%20link%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fcef-format-sa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fcef-format-sa%3C%2FA%3E%26nbsp%3BAzure%20ATP%20is%20capable%20of%20sending%20events%20in%20CEF%20format%20when%20sending%20logs%20to%20a%20Syslog%20server%2C%20however%2C%20many%20events%20come%20without%20being%20formatted%20in%20that%20way.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%3A%3C%2FP%3E%3CP%3E%26lt%3B36%26gt%3B1%202020-09-18T01%3A31%3A27.936158%2B00%3A00%20SERVERNAME%20CEF%205424%20EnumerateSessionsSecurityAlert%200%7CMicrosoft%7CAzure%20ATP%7C2.126.8634.25312%7CEnumerateSessionsSecurityAlert%7CUser%20and%20IP%20address%20reconnaissance%20(SMB)%7C5%7Cstart%3D2020-09-18T01%3A28%3A38.7486210Z%20app%3DSrvSvc%20shost%3Dhostname%20msg%3Dusername%20(domain)%20on%20hostname%20enumerated%20SMB%20sessions%20on%20target_host%2C%20retrieving%20recent%20IP%20addresses%20of%2010%20accounts.%20externalId%3D2012%20cs1Label%3Durl%20cs1%3D%3CA%20href%3D%22https%3A%2F%2Fvuw-production.atp.azure.com%2Fs%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fvuw-production.atp.azure.com%2Fs%3C%2FA%3E...%20cs2Label%3Dtrigger%20cs2%3Dnew%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20can%20be%20seen%20in%20the%20redacted%20message%2C%20the%20msg%20field%20contains%20the%20username%20and%20domain%2C%20but%20there%20is%20no%20suser%20field%2C%20nor%20a%20domain%20field.%3C%2FP%3E%3CP%3EThe%20same%20problem%20afftects%20other%20alerts%20as%20well.%3C%2FP%3E%3CP%3EI%20would%20like%20to%20have%20those%20fields%20in%20a%20standardised%20way.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1728079%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1728079%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156125%22%20target%3D%22_blank%22%3E%40Rodrigo%20Carneiro%3C%2FA%3E%26nbsp%3B%2C%20Some%20alerts%20are%20computer%20based%2C%20and%20some%20are%20user%20based%2C%20so%20you%20will%20get%20either%20shost%20or%20suser.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ein%20this%20case%2C%20the%20alert%20is%20computer%20based%2C%20so%20you%20are%20getting%20shost.%3C%2FP%3E%0A%3CP%3Ethe%20message%20is%20more%20dynamic%2C%20in%20this%20case%2C%20you%20had%20only%20one%20user%20involved%20%2C%20so%20it%20mentioned%20it's%20name.%20but%20it's%20a%20private%20case%2C%20in%20the%20generic%20case%20for%20this%20alert%2C%20there%20could%20be%20more%20then%20one%2C%20in%20which%20case%20the%20dynamic%20text%20would%20say%20%223%20accounts%22%20instead%20of%20a%20specific%20name%2C%20and%20this%20is%20not%20something%20you%20want%20inside%20suser...%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1732990%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1732990%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%2C%20thanks%20for%20your%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20understand%20the%20messages%20are%20dynamic%2C%20and%20it%20is%20great%20because%20they%20give%20you%20some%20context%20before%20you%20dig%20deep%20into%20the%20problem%2C%20but%20they%20only%20work%20well%20if%20you%20are%20in%20the%20AATP%20console.%20If%20you%20need%20them%20for%20an%20automated%20action%2C%20then%20they%20are%20not%20very%20helpful.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EFor%20example%2C%20in%20this%20specific%20case%20I%20would%20suspect%20the%20account%20was%20compromised%20and%20I%20would%20act%20to%20prevent%20further%20compromise%20originating%20from%20the%20account.%20But%20I%20can%20only%20do%20that%20automatically%20if%20I%20can%20see%20who%20did%20what%2C%20and%20although%20there%20was%20a%20user%20associated%20with%20that%20alert%20I%20couldn't%20do%20much.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EIt%20would%20be%20great%20to%20receive%20a%20syslog%20message%20where%20all%20the%20fields%20are%20present%2C%20regardless%20of%20the%20alert%20type.%20That%20way%20we%20could%20extract%20the%20fields%20and%20process%20them%20in%20a%20way%20that%20automatic%20remediation%20actions%20are%20possible.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1733468%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1733468%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156125%22%20target%3D%22_blank%22%3E%40Rodrigo%20Carneiro%3C%2FA%3E%26nbsp%3BI%20see%20your%20point%2C%20but%20how%20would%20you%20suggest%20to%20send%20an%20array%20of%20accounts%20(in%20some%20cases%20can%20be%20thousands)%20in%20CEF%20format%20%3F%20The%202%20available%20format%20are%20one%20machine%20and%20many%20users%20or%20one%20users%20with%20many%20machines.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20know%20which%20is%20which%20by%20checking%20if%20you%20have%20the%20suser%20or%20the%20shost%20field%20in%20the%20payload...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1736997%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1736997%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20suggest%20to%20not%20use%20an%20array%20and%20treat%20each%20detection%20as%20a%20separate%20syslog%20message%2C%20as%20it%20currently%20happens%20to%20other%20Microsoft%20Security%20products%2C%20like%20DATP%2C%20MCAS%2C%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20alerts%20in%20the%20console%20don't%20need%20to%20be%20affected%20and%20should%20continue%20to%20be%20dynamic%20as%20they%20are%20part%20of%20the%20same%20incident%20(if%20related)%2C%20but%20the%20syslog%20messages%20would%20be%20more%20useful%20for%20an%20automated%20response%20as%20they%20would%20allow%20actions%20on%20both%20the%20suser%20and%20shost%20(if%20present).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1747314%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1747314%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156125%22%20target%3D%22_blank%22%3E%40Rodrigo%20Carneiro%3C%2FA%3E%26nbsp%3BBut%20that%20would%20suggest%20that%20each%20syslog%20message%20is%20representing%20a%20new%20alert%2C%20while%20in%20this%20case%2C%20it's%20the%20same%20alert%20with%20multiple%20effected%20accounts...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1747481%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1747481%22%20slang%3D%22en-US%22%3E%3CP%3EBut%20they%20are%20new%20alerts%20anyway%2C%20aren't%20they%3F%20But%20that%20doesn't%20mean%20they%20are%20not%20part%20of%20the%20same%20incident.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20gui%20allows%20you%20to%20select%26nbsp%3Bto%20be%20notified%20when%26nbsp%3B%3CSPAN%3EA%20new%20security%20alert%20is%20detected%20and%26nbsp%3BAn%20existing%20security%20alert%20is%20updated.%20Why%20not%20the%20same%20for%20syslog%20messages%20including%20these%20fields%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1747502%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20security%20alerts%20in%20CEF%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1747502%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156125%22%20target%3D%22_blank%22%3E%40Rodrigo%20Carneiro%3C%2FA%3E%26nbsp%3Bin%20AATP%20the%20term%20alert%20and%20incident%20are%20the%20same%2C%20but%20for%20a%20computer%20based%20alert%2C%20additional%20user%20accounts%20won't%20open%20a%20new%20alert%20(new%20alert%20id)%2C%20it%20will%20be%20the%20same%20alert%20with%20more%20data%20added%20to%20it%20(relevant%20user%20entities).%3C%2FP%3E%0A%3CP%3Emarking%20syslog%20with%20updates%20will%20send%20you%20updates%20when%20new%20entities%20are%20added%20I%20believe.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

According to the link https://docs.microsoft.com/en-us/azure-advanced-threat-protection/cef-format-sa Azure ATP is capable of sending events in CEF format when sending logs to a Syslog server, however, many events come without being formatted in that way.

 

For example:

<36>1 2020-09-18T01:31:27.936158+00:00 SERVERNAME CEF 5424 EnumerateSessionsSecurityAlert 0|Microsoft|Azure ATP|2.126.8634.25312|EnumerateSessionsSecurityAlert|User and IP address reconnaissance (SMB)|5|start=2020-09-18T01:28:38.7486210Z app=SrvSvc shost=hostname msg=username (domain) on hostname enumerated SMB sessions on target_host, retrieving recent IP addresses of 10 accounts. externalId=2012 cs1Label=url cs1=https://vuw-production.atp.azure.com/s... cs2Label=trigger cs2=new

 

As can be seen in the redacted message, the msg field contains the username and domain, but there is no suser field, nor a domain field.

The same problem afftects other alerts as well.

I would like to have those fields in a standardised way.

10 Replies
Highlighted

@Rodrigo Carneiro , Some alerts are computer based, and some are user based, so you will get either shost or suser.

 

in this case, the alert is computer based, so you are getting shost.

the message is more dynamic, in this case, you had only one user involved , so it mentioned it's name. but it's a private case, in the generic case for this alert, there could be more then one, in which case the dynamic text would say "3 accounts" instead of a specific name, and this is not something you want inside suser... 

Highlighted

Hi @Eli Ofek, thanks for your response.

 

I understand the messages are dynamic, and it is great because they give you some context before you dig deep into the problem, but they only work well if you are in the AATP console. If you need them for an automated action, then they are not very helpful.


For example, in this specific case I would suspect the account was compromised and I would act to prevent further compromise originating from the account. But I can only do that automatically if I can see who did what, and although there was a user associated with that alert I couldn't do much.


It would be great to receive a syslog message where all the fields are present, regardless of the alert type. That way we could extract the fields and process them in a way that automatic remediation actions are possible.

Highlighted

@Rodrigo Carneiro I see your point, but how would you suggest to send an array of accounts (in some cases can be thousands) in CEF format ? The 2 available format are one machine and many users or one users with many machines. 

You can know which is which by checking if you have the suser or the shost field in the payload...

Highlighted

@Eli Ofek  

I would suggest to not use an array and treat each detection as a separate syslog message, as it currently happens to other Microsoft Security products, like DATP, MCAS, etc.

 

The alerts in the console don't need to be affected and should continue to be dynamic as they are part of the same incident (if related), but the syslog messages would be more useful for an automated response as they would allow actions on both the suser and shost (if present).

Highlighted

@Rodrigo Carneiro But that would suggest that each syslog message is representing a new alert, while in this case, it's the same alert with multiple effected accounts...

Highlighted

But they are new alerts anyway, aren't they? But that doesn't mean they are not part of the same incident. 

 

The gui allows you to select to be notified when A new security alert is detected and An existing security alert is updated. Why not the same for syslog messages including these fields?

Highlighted

@Rodrigo Carneiro in AATP the term alert and incident are the same, but for a computer based alert, additional user accounts won't open a new alert (new alert id), it will be the same alert with more data added to it (relevant user entities).

marking syslog with updates will send you updates when new entities are added I believe.

 

Highlighted
I've just tested it and it doesn't include any aditional field.
It does update the message according to the new information, which unfortunatelly, doesn't allow any automation.
Highlighted

Another example. The alert below does show the suser field, but where is the domain field?


<36>1 2020-10-04T12:24:47.624590+00:00 SERVERNAME CEF 5896 PassTheTicketSecurityAlert 0|Microsoft|Azure ATP|2.128.8682.7486|PassTheTicketSecurityAlert|Suspected identity theft (pass-the-ticket)|5|start=2020-10-04T10:09:52.9072060Z app=Kerberos suser=useraccount msg=An actor took Shang**** (Thesis Student)'s Kerberos ticket from SURFACE**** and used it on MACBOOK**** to access ***** (HTTP). externalId=2018 cs1Label=url cs1=https://vuw-production.... cs2Label=trigger cs2=new

Highlighted

@Rodrigo Carneiro , Pass the ticket is a user based alert, so you get suser.

we only send samName there, no domain info indeed.

This feature was designed to alert, and provides a link to the full alert in the portal where you can see all the details. it wasn't designed to allow automation.

If you aim for automation, I suggest to go another path, if you upgraded to the new user experience  with cloud app security, you have the option to get full alert data using graph API, and  I am pretty sure you get can there the full ideas of both the computer and user accounts...
The syslog message can be a trigger to go to graph and get the full details from there, and then you can try and build automation on top of it.

Adding @Or Tsemah from product to the thread , as he might be interested on hearing more about this automation requirement.