
Do Microsoft Defender for Identity SIEM logs conform to CEF format?


Microsoft Defender for Identity SIEM log reference page says "Alerts and events are in the CEF format."

CEF spec Version 25 (I used one from that page: https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/38809/arcsight-commo...) states that "The CEF:Version portion of the message is a mandatory header."

Examples for Microsoft Defender for Identity SIEM logs, however, seem to diverge from that.

For instance, example for "Account enumeration reconnaissance":

02-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration activity using the Kerberos protocol, originating from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). externalId=2003 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d cs2Label=trigger cs2=new


As can be seen above, (ignoring syslog header and "") CEF message starts with "0|Microsoft|" where 0 is presumably Version, but "CEF:" part is omitted.

The question is:  do Microsoft Defender for Identity SIEM logs actually conform to CEF format?

Also, I've found that examples on the other page - ATA SIEM log reference - contain "CEF:0" part.

Thank you!

3 Replies
In the syslog configuration, select RFC3164 to get the header in the requested format.
MDI sends that data in RFC 3164 or RFC 5424 (default), and the payload itself inside it is in CEF format.

If you select RFC 3164 it will look like this:

05-13-2019 16:55:11 Auth.Warning 192.168.0.77 May 13 13:55:00 TESTMACHINE CEF:0|Microsoft|Azure ATP|2.78.0.0|AccountEnumerationSecurityAlert|Account enumeration reconnaissance|5|start=2019-05-13T13:51:55.6029975Z app=Ntlm shost=CLIENT2 msg=An actor on CLIENT2 performed suspicious account enumeration exposing Eugene Jenkins (Software Engineer). externalId=2003 cs1Label=url cs1=https://sample.atp.azure.com/securityAlert/9d7ce723-0698-443e-b3a2-4cb985029660 cs2Label=trigger cs2=new
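To make the difference between the two shapes concrete, here is an added parser (my own example, not Microsoft's code and not part of the thread) that reads both of the sample lines quoted above, reports which syslog header it found and whether the literal "CEF:" marker was on the wire, splits the seven CEF header fields and the key=value extension, resolves the cs1Label/cs1 pairs, and rebuilds a strict "CEF:0|..." message for consumers that insist on the marker. It assumes the "MM-DD-YYYY HH:MM:SS Facility.Severity <ip>" prefix in the samples is a collector artefact to be skipped, and that the CEF body begins at the first standalone "<n>|" or "CEF:<n>|" token; the third sample line, with escaped pipe and equals characters, is constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Two lines quoted in this thread (RFC 5424 without "CEF:", RFC 3164 with it) plus one
# constructed strict-CEF line that exercises header and extension escaping.
RFC5424_SAMPLE = (
    "02-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER "
    "CEF 6076 AccountEnumerationSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|"
    "AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|"
    "start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado "
    "msg=Suspicious account enumeration activity using the Kerberos protocol, originating from "
    "CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). "
    "externalId=2003 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/"
    "eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d cs2Label=trigger cs2=new"
)
RFC3164_SAMPLE = (
    "05-13-2019 16:55:11 Auth.Warning 192.168.0.77 May 13 13:55:00 TESTMACHINE "
    "CEF:0|Microsoft|Azure ATP|2.78.0.0|AccountEnumerationSecurityAlert|"
    "Account enumeration reconnaissance|5|start=2019-05-13T13:51:55.6029975Z app=Ntlm "
    "shost=CLIENT2 msg=An actor on CLIENT2 performed suspicious account enumeration exposing "
    "Eugene Jenkins (Software Engineer). externalId=2003 cs1Label=url "
    "cs1=https://sample.atp.azure.com/securityAlert/9d7ce723-0698-443e-b3a2-4cb985029660 "
    "cs2Label=trigger cs2=new"
)
ESCAPED_SAMPLE = "CEF:0|Example|Product|1.0|100|Escaped \\| pipe|3|msg=a\\=b foo=bar"  # constructed

# RFC 5424 header: VERSION "1" then an RFC 3339 timestamp; RFC 3164: "Mmm dd hh:mm:ss HOST".
RFC5424_HDR = re.compile(r"(?:^|\s)1 \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
RFC3164_HDR = re.compile(r"(?:^|\s)(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\s")
# Start of the CEF body: "<version>|", with the mandatory "CEF:" marker present or missing.
CEF_START = re.compile(r"(?:^|\s)(CEF:)?(\d+)\|")
# Extension keys are "<key>=" preceded by whitespace; a value runs until the next key.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _unescape_hdr(s):  # header fields escape only "|" and "\"
    return re.sub(r"\\([\\|])", r"\1", s)

def _unescape_ext(s):  # extension values escape "=", "\", newline and CR
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def _escape_ext(s):
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")

def _parse_extensions(ext):
    keys = list(EXT_KEY.finditer(ext))
    out = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[k.group(1)] = _unescape_ext(ext[k.end():end].strip())
    return out

@dataclass
class CefEvent:
    syslog_format: str    # "rfc5424", "rfc3164" or "unknown"
    has_cef_marker: bool  # True only when the literal "CEF:" prefix was on the wire
    version: int
    vendor: str
    product: str
    product_version: str
    signature_id: str
    name: str
    severity: str
    extensions: dict = field(default_factory=dict)

    def labeled(self):
        """Resolve csNLabel/csN pairs, e.g. cs1Label=url cs1=... -> {"url": ...}."""
        return {lbl: self.extensions[k[:-5]] for k, lbl in self.extensions.items()
                if k.endswith("Label") and k[:-5] in self.extensions}

    def to_strict_cef(self):
        """Rebuild the message with the CEF:Version marker the spec makes mandatory."""
        esc = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")
        head = "|".join(esc(x) for x in (self.vendor, self.product, self.product_version,
                                         self.signature_id, self.name, self.severity))
        ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in self.extensions.items())
        return f"CEF:{self.version}|{head}|{ext}"

def parse_mdi_line(line):
    """Parse one syslog line carrying an MDI/Azure ATP CEF payload, in either syslog format."""
    m = CEF_START.search(line)
    if not m:
        raise ValueError("no CEF body found")
    prefix, body = line[:m.start()], line[m.start(2):]
    fmt = "rfc5424" if RFC5424_HDR.search(prefix) else "rfc3164" if RFC3164_HDR.search(prefix) else "unknown"
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # 7 header fields + the extension
    if len(parts) != 8:
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    h = [_unescape_hdr(p) for p in parts[:7]]
    return CefEvent(fmt, m.group(1) is not None, int(h[0]), h[1], h[2], h[3], h[4], h[5], h[6],
                    _parse_extensions(parts[7]))

def normalize_cef(line):
    """Return just the CEF message, with "CEF:" restored, for strict downstream consumers."""
    return parse_mdi_line(line).to_strict_cef()

if __name__ == "__main__":
    print(*(normalize_cef(s) for s in (RFC5424_SAMPLE, RFC3164_SAMPLE, ESCAPED_SAMPLE)), sep="\n")
```

Running `parse_mdi_line` over a few lines from a live sensor and checking `syslog_format` and `has_cef_marker` is a quick way to confirm which header a given MDI deployment is actually emitting; `normalize_cef` is the pre-processing step to put in front of a strict CEF parser if the sensor stays on RFC 5424.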

Thank you for the reply!

So it seems to me that when MDI logs are sent in RFC3164, it conforms to CEF, while when MDI logs are sent in RFC5424, it does not (because "CEF:" part is omitted). Is that correct?

At the same time, it looks like https://docs.microsoft.com/en-us/advanced-threat-analytics/cef-format-sa has examples that are in RFC5424, while "CEF:" part of the header is present, so it conforms to CEF format.

best response confirmed by Ricky Simpson (Microsoft)
Solution
Effectively, yes, if you want to use a "pure" CEF format, then RFC3164 will work better for you.
Its main disadvantage is that it does not support Unicode, only ASCII.
And yes, the technical writers of ATA used the RFC3164 for samples there (or a mix), but I advise not to rely on ATA docs for MDI reference, as things often work differently between the two and it might be confusing.