Integrate with Syslog
The Azure ATP features explained on this page are also accessible using the new portal.
Azure ATP can notify you when it detects suspicious activities, and can issue security alerts and health alerts, by sending the notifications to your Syslog server. Alerts are sent from the Azure ATP sensor that detected the activity directly to the Syslog server.
Once you enable Syslog notifications, you can set the following:
| Setting | Description |
|---|---|
| Sensor | Select a designated sensor to be responsible for aggregating all the Syslog events and forwarding them to your SIEM server. |
| Service endpoint | FQDN of the Syslog server; optionally change the port number (default 514). |
| Transport | Can be UDP, TCP, or TLS (Secured Syslog). |
| Format | The format that Azure ATP uses to send events to the SIEM server: either RFC 5424 or RFC 3164. |
Before configuring Syslog notifications, work with your SIEM admin to find out the following information:
FQDN or IP address of the SIEM server
Port on which the SIEM server is listening
What transport to use: UDP, TCP, or TLS (Secured Syslog)
Format in which to send the data: RFC 3164 or RFC 5424
Open the Azure ATP portal.
From the Notifications and Reports sub menu, select Notifications.
From the Syslog Service option, click Configure.
Select the Sensor.
Enter the Service endpoint URL.
Select the Transport protocol (TCP or UDP).
Select the format (RFC 3164 or RFC 5424).
Select Send text Syslog message and then verify the message is received in your Syslog infrastructure solution.
To review or modify your Syslog settings, click Notifications, and then, under Syslog notifications, click Configure and enter the following information:
You can select which events to send to your Syslog server. Under Syslog notifications, specify which notifications should be sent to your Syslog server: new security alerts, updated security alerts, and new health issues.
If you plan to create automation or scripts for Azure ATP SIEM logs, we recommend using the externalId field to identify the alert type instead of using the alert name for this purpose. Alert names may occasionally be modified, while the externalId of each alert is permanent. For more information, see Azure ATP SIEM log reference.
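As an added example (not Microsoft's code and not part of this page), the following Python parses a forwarded alert in either syslog format and keys automation on externalId rather than the alert name, as recommended above. It assumes the alert body is a CEF record carrying an externalId extension, as described in the Azure ATP SIEM log reference; the two sample lines are constructed, and every hostname, alert name and ID in them is a placeholder.

```python
import re
from typing import Any, Dict
# Constructed sample lines (not captured from a real sensor). The payload shape,
# a CEF record carrying an externalId extension, follows the Azure ATP SIEM log
# reference; hostnames, alert names and the ID 9999 are invented placeholders.
SAMPLE_RFC5424 = (
    "<110>1 2024-01-01T12:00:00.000Z SENSOR01 AzureATP - - - "
    "CEF:0|Microsoft|Azure ATP|2.0.0.0|ExampleAlert|Example alert name|5|"
    "start=2024-01-01T11:59:00Z externalId=9999 "
    "msg=Example activity on host A\\=B, see portal cs1Label=url cs1=https://example.invalid/0"
)
SAMPLE_RFC3164 = (
    "<110>Jan  1 12:00:00 SENSOR01 AzureATP: "
    "CEF:0|Microsoft|Azure ATP|2.0.0.0|ExampleAlert|Example alert name (renamed)|5|"
    "externalId=9999 msg=Same alert type, different display name"
)
# key=value pairs; a value may contain spaces and runs until the next " key=" or the end
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")

def _unescape(value: str) -> str:
    # CEF escapes \| and \\ in header fields, \= and \\ in extension values
    return re.sub(r"\\([|=\\])", r"\1", value)

def parse_atp_syslog(line: str) -> Dict[str, Any]:
    """Parse one forwarded alert: RFC 3164 or RFC 5424 syslog header, CEF body."""
    pri = re.match(r"<(\d{1,3})>", line)
    if not pri or "CEF:" not in line:
        raise ValueError("not a syslog line carrying a CEF payload")
    prival = int(pri.group(1))
    # Header fields are separated by unescaped pipes; the eighth piece is the extension
    parts = re.split(r"(?<!\\)\|", line[line.index("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _cef_version, vendor, product, dev_version, sig_id, name, severity, ext = parts
    return {
        "facility": prival // 8, "syslog_severity": prival % 8,
        "vendor": _unescape(vendor), "product": _unescape(product),
        "device_version": dev_version, "signature_id": sig_id,
        "name": _unescape(name), "cef_severity": int(severity),
        "extension": {k: _unescape(v) for k, v in _EXT_RE.findall(ext)},
    }

def alert_type(parsed: Dict[str, Any]) -> str:
    """Automation key: externalId is permanent, the display name may be renamed."""
    ext_id = parsed["extension"].get("externalId")
    if not ext_id:
        raise ValueError("alert carries no externalId; not falling back to the name")
    return ext_id
```

Both sample lines carry a different display name but the same externalId, so a rule keyed on alert_type() keeps matching after a rename, while one keyed on the name silently stops.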