Jan 10 2023 12:22 AM
Thank you for your continued support.
We are attempting to forward Defender for Identity logs over TLS Syslog to our SIEM (IBM QRadar on Cloud).
QRoC side: https://www.ibm.com/docs/en/qradar-on-cloud?topic=overview-sending-tls-syslog-data-qradar-console
Defender for Identity side: https://learn.microsoft.com/en-us/defender-for-identity/notifications#syslog-notifications
My understanding is that the column at the head of the syslog payload, where the hostname/IP normally goes, will contain the sensor name. Is that correct?
We're trying to send Microsoft Defender logs to QRadar on Cloud (SaaS) with TLS Syslog protocol.
QRadar on Cloud: https://www.ibm.com/docs/en/qradar-on-cloud?topic=overview-sending-tls-syslog-data-qradar-console
Defender for Identity: https://learn.microsoft.com/en-us/defender-for-identity/notifications#syslog-notifications
We need to identify the string that appears in the column at the head of the payload, where usually the IP/hostname is filled in.
I suppose the "Sensor Name" listed in the MS Defender for Identity dashboard will be the one. Is that correct?
Jan 10 2023 01:49 AM
@umesuisho This reference might help you:
https://learn.microsoft.com/en-us/defender-for-identity/cef-format-sa
Jan 10 2023 01:59 AM
Thank you Eli, it seems like an IP address will be put in the column, right?
Where can we find the IPs to be put in the column for each sensor?
2-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration activity using the Kerberos protocol, originating from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). externalId=2003 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d cs2Label=trigger cs2=new cs3Label=shostfqdn cs3=client1.contoso.com
Thank you @Eli Ofek,
You mean "CENTER" in the following sample log, right?
Could you kindly let me know what this column means?
2-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration activity using the Kerberos protocol, originating from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). externalId=2003 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d cs2Label=trigger cs2=new cs3Label=shostfqdn cs3=client1.contoso.com
@Eli Ofek That equals the Sensor Name of the Defender for Identity sensor which I mentioned at the beginning of this thread, right?
Jan 30 2023 12:35 AM
@umesuisho Yes, sounds like they mean the same thing.
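As an added example (not code from this thread, the Microsoft docs or either product), the following Python parser splits the sample line quoted above into its RFC 5424 syslog header fields (VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID) and then into the CEF header and extensions, so the column asked about ("CENTER", the HOSTNAME field) can be pulled out and compared against the sensor list before building a QRadar log source or custom properties. It assumes the leading date, facility.severity and source-IP columns are prepended by the receiving syslog viewer, as they appear in the sample.

```python
import re

# Constructed copy of the sample line quoted in this thread (it originates from the
# Microsoft CEF-format docs). The first three columns are assumed to be prepended by
# the receiving viewer; the RFC 5424 syslog header starts at the version digit "1".
SAMPLE = (
    "2-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER "
    "CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|"
    "AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|"
    "start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado "
    "msg=Suspicious account enumeration activity using the Kerberos protocol, originating "
    "from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). "
    "externalId=2003 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/"
    "eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d cs2Label=trigger cs2=new cs3Label=shostfqdn "
    "cs3=client1.contoso.com"
)

# Viewer columns, then the RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MSG.
HEADER_RE = re.compile(
    r"^(?P<recv_time>\S+ \S+) (?P<facility_severity>\S+) (?P<source_ip>\S+) "
    r"(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$"
)
CEF_HEADER = ("cef_version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
# CEF extension values (msg= here) may contain spaces: split only where a " key=" begins.
EXT_SPLIT_RE = re.compile(r" (?=[A-Za-z][A-Za-z0-9]*=)")


def parse_extensions(ext: str) -> dict:
    """Parse 'k1=v1 k2=v2 ...' and resolve csNLabel/csN pairs into named fields."""
    fields = dict(tok.split("=", 1) for tok in EXT_SPLIT_RE.split(ext) if "=" in tok)
    for key, label in list(fields.items()):
        if key.endswith("Label") and key[:-5] in fields:
            fields[label] = fields[key[:-5]]  # cs3Label=shostfqdn -> shostfqdn=client1...
    return fields

def parse_mdi_syslog(line: str) -> dict:
    """Split one Defender for Identity syslog line into syslog header, CEF header, extensions."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the expected syslog/CEF layout")
    rec = m.groupdict()
    # In the sample the literal "CEF:" prefix is absent and MSG starts at the CEF version ("0|").
    parts = rec.pop("msg").split("|", len(CEF_HEADER))
    if len(parts) != len(CEF_HEADER) + 1:
        raise ValueError("CEF header is incomplete")
    rec["cef"] = dict(zip(CEF_HEADER, parts[:-1]))
    rec["ext"] = parse_extensions(parts[-1])
    return rec  # rec["hostname"] is the column asked about in the thread ("CENTER")
```

Running `parse_mdi_syslog(SAMPLE)` yields `hostname == "CENTER"`, the alert name in `cef["name"]`, and the resolved custom strings (`url`, `trigger`, `shostfqdn`) alongside the raw `cs1`..`cs3` keys.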