Integrate with Syslog


The Azure ATP features explained on this page are also accessible using the new portal.

Azure ATP can notify you when it detects suspicious activities by sending security and health alerts to your Syslog server through a nominated sensor.

Once you enable Syslog notifications, you can set the following:

| Field | Description |
|---|---|
| Sensor | Select a designated sensor to be responsible for aggregating all the Syslog events and forwarding them to your SIEM server. |
| Service endpoint | FQDN of the Syslog server; optionally, change the port number (default 514). |
| Transport | Can be UDP, TCP, or TLS (Secured Syslog). |
| Format | The format that Azure ATP uses to send events to the SIEM server: either RFC 5424 or RFC 3164. |

  1. Before configuring Syslog notifications, work with your SIEM admin to find out the following information:

    • FQDN or IP address of the SIEM server
    • Port on which the SIEM server is listening
    • What transport to use: UDP, TCP, or TLS (Secured Syslog)
    • Format in which to send the data: RFC 3164 or RFC 5424
  2. Open the Azure ATP portal.

  3. Click Settings.

  4. From the Notifications and Reports submenu, select Notifications.

  5. From the Syslog Service option, click Configure.

  6. Select the Sensor.

  7. Enter the Service endpoint URL.

  8. Select the Transport protocol (TCP or UDP).

  9. Select the format (RFC 3164 or RFC 5424).

  10. Select Send test Syslog message and then verify the message is received in your Syslog infrastructure solution.

  11. Click Save.

To review or modify your Syslog settings:

  1. Click Notifications, and then, under Syslog notifications, click Configure and enter the following information:

    Azure ATP Syslog server settings image

  2. You can select which events to send to your Syslog server. Under Syslog notifications, specify which notifications should be sent to your Syslog server - new security alerts, updated security alerts, and new health issues.


If you plan to create automation or scripts for Azure ATP SIEM logs, we recommend using the externalId field to identify the alert type instead of using the alert name for this purpose. Alert names may occasionally be modified, while the externalId of each alert is permanent. For more information, see Azure ATP SIEM log reference.
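One way to follow this recommendation, shown as an added example that is not Microsoft's code: the parser below accepts either syslog framing the settings above let you choose (RFC 3164 or RFC 5424) and routes on externalId, so a renamed alert still reaches the same playbook. It assumes the alert body is a CEF record; the sample messages, externalId values, and playbook names are constructed placeholders.

```python
import re

PRI = re.compile(r"^<(\d{1,3})>(1 )?")         # a "1 " after PRI marks RFC 5424
EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # CEF extension key=value pairs

# Hypothetical routing table: externalId -> playbook. The IDs are placeholders.
PLAYBOOKS = {"9001": "reset-credentials", "9002": "isolate-host"}

def parse_alert(line):
    """Return syslog framing, syslog severity, CEF name and extension fields."""
    pri = PRI.match(line)
    cef_at = line.find("CEF:")
    if not pri or cef_at < 0:
        raise ValueError("not a syslog-framed CEF message")
    # CEF header: CEF:ver|vendor|product|version|signature|name|severity|extension
    parts = re.split(r"(?<!\\)\|", line[cef_at:].strip(), maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    return {
        "format": "RFC 5424" if pri.group(2) else "RFC 3164",
        "severity": int(pri.group(1)) % 8,     # PRI = facility * 8 + severity
        "name": parts[5],
        "fields": dict(EXT.findall(parts[7])),
    }

def route(line):
    """Choose a playbook from externalId only; the alert name is never consulted."""
    ext_id = parse_alert(line)["fields"].get("externalId")
    return PLAYBOOKS.get(ext_id, "manual-triage")  # unknown or missing ID

# Constructed sample messages (not captured from a real sensor).
SAMPLE_3164 = ("<36>Feb 21 14:20:06 sensor01 CEF:0|Microsoft|Azure ATP|0.0|"
               "ExampleAlert|Example alert name|5|start=2018-02-21T14:19:41Z "
               "msg=two failed lookups externalId=9001 cs1Label=url "
               "cs1=https://portal.example/alert?id=1")
SAMPLE_5424 = ("<36>1 2018-02-21T14:20:06Z sensor01 app - - - CEF:0|Microsoft|"
               "Azure ATP|0.0|ExampleAlert|Example alert name (renamed)|5|"
               "externalId=9001 msg=renamed alert")

if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        alert = parse_alert(sample)
        print(alert["format"], repr(alert["name"]), "->", route(sample))
```

Messages with a missing or unrecognized externalId fall through to `manual-triage` rather than being dropped, so new alert types still surface to an analyst.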
