Skip to content

Microsoft Defender Identity

Microsoft Defender Identity

About

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Product Details

Vendor URL: Microsoft Defender Identity

Product Type: Identity

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Configure Windows Event collection

Log Guide: Siem log refernce

Parser Details

Log Format: CEF

Expected Normalization Rate: near 100%

Data Label: MICROSOFT_DEFENDER_IDENTITY

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
App principal.application
CEF description metadata.description
CEF version metadata.product_version
cs1 security_result.url_back_to_product
cs3 metadata.url_back_to_product
Event Type metadata.product_event_type
externalId metadata.product_log_id
msg security_result.description
Observer Observer.hostname
Product metadata.product_name
Severity security_result.severity
shost principal.hostname
shostfqdn principal.asset.hostname
suser principal.user.userid
Vendor metadata.vendor_name

Log Sample

{<36>1 2022-11-22T22:08:22.221058+00:00 Hostname1 CEF 10912 RemoteExecutionSecurityAlert 0|Microsoft|Azure ATP|2.194.15869.60621|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2022-11-22T22:05:10.8398810Z app=Wmi shost=Hostname2 shostfqdn=Hostname2.example.com msg=User1 made an attempt to run commands remotely on Hostname2 from Hostname3, using 1 WMI method.  externalId=2019 cs1Label=url cs1=https:security.example.com cs2Label=trigger cs2=new cs3Label=mSecUrl cs3=https://alerts.example.com }

Sample Parsing

metadata.event_timestamp = "2022-11-22T22:08:22"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Azure ATP"
metadata.product_event_type = "application_request"
metadata.product_version = "2.194.15869.60621"
metadata.product_event_type = "RemoteExecutionSecurityAlert"
metadata.description = "Remote code execution attempt"
metadata.url_back_to_product = "https://alerts.example.com"
principal.hostname = "Hostname2"
principal.application = "Wmi"
observer.hostname = "Hostname1"
security_result.description = "User1 made an attempt to run commands remotely on Hostname2 from Hostname3, using 1 WMI method."
security_result.url_back_to_product = "https:security.example.com"
security_result.severity = MEDIUM

Parser Alerting

This product currently does not have any Parser-based Alerting