AlienVault® USM Anywhere™

Microsoft Azure ATP

When you configure Microsoft Azure Advanced Threat Protection (ATP) to send log data to USM Anywhere, you can use the Microsoft Advanced Threat Protection CEF plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  • Vendor: Microsoft
  • Device Type: Unified Threat Management
  • Connection Type: Syslog

Integrating Azure ATP

In Azure ATP, you must enable syslog notifications and send alerts to USM Anywhere. This is the information you need for the configuration:

  • Service endpoint: IP address of the USM Anywhere Sensor
  • Transport: UDP (514), TCP (601), or TLS (6514)
  • Format: RFC 3164

See Azure ATP How-to guides: Integrate with Syslog for detailed instructions from the vendor.

Plugin Enablement

The Microsoft Advanced Threat Protection CEF plugin automatically processes every syslog message whose CEF header contains |Microsoft|Azure ATP|.

Available Plugin Fields

The following plugin fields are the important attributes extracted from the syslog message. USM Anywhere reports and correlation rules use these fields, and you can also reference them when creating custom reports.

  • application_protocol
  • event_description
  • event_description_url
  • event_name
  • event_severity
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_hostname
  • source_username
  • time_start

Raw Log Sample

Dec 23 00:41:05 STCDC03 CEF:0|Microsoft|Azure ATP|2.103.7472.27717|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2019-12-23T00:35:42.0445081Z app=WinRm shost=XXXXXX msg=svc-bitsnow made 7 attempts to run commands remotely on STCDC01 from STCDC03 using 7 PowerShell commands. externalId=2019 cs1Label=url cs1= cs2Label=trigger cs2=update
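To show what the plugin has to do with a line like the sample above, here is an added example (not AlienVault's plugin code) that checks the |Microsoft|Azure ATP| tag from the Plugin Enablement section, parses the RFC 3164 syslog header and the CEF header and extension, and maps the pieces onto the plugin field names listed under Available Plugin Fields. The mapping in normalize(), the plugin_device value, and the extraction of source_username from the msg text are assumptions made for illustration; the page does not publish the plugin's real normalization rules. The input is the page's raw log sample.

```python
"""Parse an Azure ATP CEF-over-syslog line into plugin-style fields.

Added example, not the USM Anywhere plugin's own code. The field mapping is
an assumption that follows the CEF header/extension names on the sample line.
"""
import re
from datetime import datetime, timezone

# CEF header fragment the plugin keys on (Plugin Enablement section).
PLUGIN_TAG = "|Microsoft|Azure ATP|"

# Constructed input: the page's raw log sample, unchanged.
SAMPLE = (
    "Dec 23 00:41:05 STCDC03 CEF:0|Microsoft|Azure ATP|2.103.7472.27717|"
    "RemoteExecutionSecurityAlert|Remote code execution attempt|5|"
    "start=2019-12-23T00:35:42.0445081Z app=WinRm shost=XXXXXX "
    "msg=svc-bitsnow made 7 attempts to run commands remotely on STCDC01 "
    "from STCDC03 using 7 PowerShell commands. externalId=2019 "
    "cs1Label=url cs1= cs2Label=trigger cs2=update"
)

# RFC 3164 header "Mmm dd hh:mm:ss hostname" followed by the CEF payload.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cef>CEF:.*)$"
)
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
_HEADER_KEYS = ("cef_version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
_CEF_ESCAPES = {r"\|": "|", r"\\": "\\", r"\=": "=", r"\n": "\n", r"\r": "\r"}
_START_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$")


def _unescape(value):
    # CEF escapes '|' in header fields and '=' in extension values with a backslash.
    return re.sub(r"\\[|\\=nr]", lambda m: _CEF_ESCAPES[m.group(0)], value)


def matches_plugin(line):
    """Plugin Enablement check: would the Azure ATP plugin pick this line up?"""
    return PLUGIN_TAG in line


def parse_cef_line(line):
    """Split a syslog line into syslog header, CEF header dict and extension dict."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line carrying a CEF payload")
    # Split on unescaped pipes only; the 8th piece is the whole extension string.
    parts = re.split(r"(?<!\\)\|", m.group("cef")[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = {k: _unescape(v) for k, v in zip(_HEADER_KEYS, parts[:7])}
    ext = {}
    # Extension values may contain spaces (see msg=); a new pair starts only at
    # whitespace followed by key=, and an escaped '\=' never starts a pair.
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = _unescape(value)
    return {"syslog_ts": m.group("ts"), "syslog_host": m.group("host"),
            "header": header, "ext": ext}


def parse_start(value):
    """Azure ATP writes 7 fractional digits (.NET ticks); trim to microseconds,
    which datetime.fromisoformat() rejects on older Python releases."""
    m = _START_RE.match(value)
    if not m:
        raise ValueError(f"unexpected start timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def normalize(parsed):
    """Map parsed pieces onto the plugin field names listed on the page.
    Assumed mapping for illustration, not the plugin's published rules."""
    h, ext = parsed["header"], parsed["ext"]
    event = {
        "rep_device_vendor": h["vendor"],
        "rep_device_type": h["product"],
        "rep_device_version": h["device_version"],
        "rep_device_rule_id": h["signature_id"],
        "event_name": h["name"],
        "event_severity": int(h["severity"]),
        "time_start": parse_start(ext["start"]) if "start" in ext else None,
        "application_protocol": ext.get("app"),
        "source_hostname": ext.get("shost"),
        "event_description": ext.get("msg"),
        "plugin_device": "Microsoft Azure ATP",          # assumed value
        "plugin_device_type": "Unified Threat Management",  # from the Device Details table
    }
    # cs1Label names what cs1 holds; only carry the URL when the value is non-empty.
    if ext.get("cs1Label") == "url" and ext.get("cs1"):
        event["event_description_url"] = ext["cs1"]
    # The sample carries the account only inside msg; taking the leading token of
    # this alert's message text is an assumption, not a documented plugin rule.
    user = re.match(r"^(\S+) made \d+ attempts", ext.get("msg", ""))
    event["source_username"] = user.group(1) if user else None
    return event


if __name__ == "__main__":
    if matches_plugin(SAMPLE):
        for field, value in sorted(normalize(parse_cef_line(SAMPLE)).items()):
            print(f"{field:24} {value}")
```

Two details worth noticing when writing your own parser for this feed: the extension is not a simple whitespace split (msg= holds a sentence, and cs1= is legitimately empty, so a tokenizer that drops empty values would lose the cs1Label/cs1 pairing), and the start= timestamp carries seven fractional digits, so it needs trimming before it becomes a datetime.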