SOLVED

SIEM integration missing from Azure ATP portal?


Hello team! 

 
Could anyone help me with why I cannot find the SIEM integration under Data Sources from the Azure ATP Configuration portal? Although this is fully documented (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-event-collection#configu...) I cannot find it in the Azure ATP Configuration portal.
 
Thank you,
George
Docs are not properly updated, pending a fix.
Standalone sensors are now listening to SIEM events by default. No need to configure them.

Thank you a lot @Eli Ofek for your response. However, I am not using the Standalone Sensor but the Azure ATP Sensor directly installed on every DC. Does the same apply there? Thank you

best response confirmed by George Smyrlis (Microsoft)
Solution

@George Smyrlis 

Integrated sensors cannot listen to SIEM (syslog) traffic any more.

They actually don't need to... 

They are installed on the DC itself, thus can get all the info they need locally.