Microsoft Defender Identity¶
About¶
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Product Details¶
Vendor URL: Microsoft Defender Identity
Product Type: Identity
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Configure Windows Event collection
Log Guide: Siem log refernce
Parser Details¶
Log Format: CEF
Expected Normalization Rate: near 100%
Data Label: MICROSOFT_DEFENDER_IDENTITY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| App | principal.application |
| CEF description | metadata.description |
| CEF version | metadata.product_version |
| cs1 | security_result.url_back_to_product |
| cs3 | metadata.url_back_to_product |
| Event Type | metadata.product_event_type |
| externalId | metadata.product_log_id |
| msg | security_result.description |
| Observer | Observer.hostname |
| Product | metadata.product_name |
| Severity | security_result.severity |
| shost | principal.hostname |
| shostfqdn | principal.asset.hostname |
| suser | principal.user.userid |
| Vendor | metadata.vendor_name |
Log Sample¶
{<36>1 2022-11-22T22:08:22.221058+00:00 Hostname1 CEF 10912 RemoteExecutionSecurityAlert 0|Microsoft|Azure ATP|2.194.15869.60621|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2022-11-22T22:05:10.8398810Z app=Wmi shost=Hostname2 shostfqdn=Hostname2.example.com msg=User1 made an attempt to run commands remotely on Hostname2 from Hostname3, using 1 WMI method. externalId=2019 cs1Label=url cs1=https:security.example.com cs2Label=trigger cs2=new cs3Label=mSecUrl cs3=https://alerts.example.com }
Sample Parsing¶
metadata.event_timestamp = "2022-11-22T22:08:22"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Azure ATP"
metadata.product_event_type = "application_request"
metadata.product_version = "2.194.15869.60621"
metadata.product_event_type = "RemoteExecutionSecurityAlert"
metadata.description = "Remote code execution attempt"
metadata.url_back_to_product = "https://alerts.example.com"
principal.hostname = "Hostname2"
principal.application = "Wmi"
observer.hostname = "Hostname1"
security_result.description = "User1 made an attempt to run commands remotely on Hostname2 from Hostname3, using 1 WMI method."
security_result.url_back_to_product = "https:security.example.com"
security_result.severity = MEDIUM
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon