glowger.blogg.se

Microsoft edge com

Sample Defender for Identity security alerts in CEF format

This reference article provides samples of the logs sent to your SIEM. Defender for Identity can forward security alert and health alert events to your SIEM.

The following fields and their values are forwarded to your SIEM:

- suser: Account (usually the user account) involved in the alert
- shost: Account (usually the machine account) involved in the alert
- outcome: When relevant, success or failure of the suspicious activity in the alert
- cnt: For alerts that have a count of the number of times the activity happened (for example, brute force has an amount of guessed passwords)
- externalId: Event ID Defender for Identity writes to the event log that corresponds to each type of alert
- cs#label: Customer strings allowed by CEF, where cs#label is the name of the new field
- cs#: Customer strings allowed by CEF, where cs# is the value. For example: cs1Label=url cs1=https\://192.168.0.220/suspiciousActivity/5909ae198ca1ec04d05e65fa
- cs2: Identifies if the alert is new or updated. For example: cs2Label=trigger cs2=new
- cs3: Identifies the fully qualified domain name of the source computer. For example: cs3Label=shostfqdn cs3=
- cs# (Defender for Cloud Apps alert ID): When forwarding alerts to Microsoft Defender for Cloud Apps, this field is populated with the corresponding Defender for Cloud Apps alert ID.

For a full list of alert details, see Security alert name mapping and unique external IDs.

The list below is a sample of logs sent to a SIEM:

externalId=2003 cs1Label=url cs1= cs2Label=trigger cs2=new cs3Label=shostfqdn cs3=

2-19-2018 14:17:46 Auth.Error 127.0.0.1 1 T12:17:34.645993+00:00 DC SmbDataExfiltrationSecurityAlert CEF:0|Microsoft|Azure ATP|2.60.0.0|SmbDataExfiltrationSecurityAlert|Data exfiltration over SMB|10|start=T12:14:12.4932821Z app=Smb shost=CLIENT1 msg=Eugene Jenkins (Software Engineer) on DC2 copied suspicious files to CLIENT1.

2-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 T14:19:27.540731+00:00 CENTER CEF 6076 AccountEnumerationSecurityAlert CEF:0|Microsoft|Azure ATP|.22540|AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|start=T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration activity using the Kerberos protocol, originating from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer).
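As an added example (not Microsoft's code and not from the original page), here is a small Python parser for the alert format described above: it strips any syslog prefix, splits the CEF header on unescaped pipes, reads the key=value extension, resolves the cs#Label/cs# custom strings (url, trigger, shostfqdn) into named fields, and picks out what a SIEM rule would key on, such as only ticketing alerts whose trigger is new. The two sample lines are constructed to match the page's examples; the FQDN client1.contoso.local, the full timestamps, the device version 2.22.540.0 and the trigger value update are assumptions.

```python
"""Parse Defender for Identity alerts forwarded to a SIEM in CEF.
Added example: generic CEF layout (pipe-separated header, then key=value
extension pairs); sample values below are constructed, not real alerts.
"""
import re

# CEF header: CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a token directly followed by '=' at the start of the
# extension or after whitespace; a literal '=' inside a value is escaped as
# '\=' and therefore never starts a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Drop CEF backslash escapes, e.g. 'https\\://' -> 'https://'."""
    return re.sub(r"\\(.)", r"\1", value)


def _split_header(cef: str):
    """Return the seven header fields and the raw extension, honouring '\\|'."""
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            current.append(cef[i:i + 2])  # keep the escape; unescaped below
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("incomplete CEF header")
    return [_unescape(f) for f in fields], cef[i:]


def parse_cef(line: str) -> dict:
    """Parse one forwarded line; any syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    header, extension = _split_header(line[start:])
    record = dict(zip(HEADER_FIELDS, header))
    record["version"] = record["version"][len("CEF:"):]
    sev = record["severity"]
    record["severity"] = int(sev) if sev.isdigit() else sev
    matches = list(_KEY_RE.finditer(extension))
    ext = {}
    for idx, m in enumerate(matches):  # value runs up to the next key
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    record["extension"] = ext
    return record


def resolve_custom_strings(ext: dict) -> dict:
    """Map cs#Label/cs# pairs to named fields, e.g. {'trigger': 'new'}."""
    named = {}
    for key, label in ext.items():
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m and m.group(1) in ext:
            named[label] = ext[m.group(1)]
    return named


def summarize_alert(line: str) -> dict:
    """Pull out the fields a SIEM rule would key on."""
    rec = parse_cef(line)
    ext = rec["extension"]
    custom = resolve_custom_strings(ext)
    return {"name": rec["name"], "severity": rec["severity"],
            "external_id": ext.get("externalId"), "protocol": ext.get("app"),
            "user": ext.get("suser"), "host": ext.get("shost"),
            "host_fqdn": custom.get("shostfqdn"), "url": custom.get("url"),
            "is_new": custom.get("trigger") == "new"}


def select_for_triage(lines, min_severity=7):
    """Names of new alerts (cs2=new) at or above the severity bar; updates to
    alerts already seen belong to the existing ticket and are skipped."""
    return [s["name"] for s in map(summarize_alert, lines)
            if s["is_new"] and isinstance(s["severity"], int)
            and s["severity"] >= min_severity]


# Constructed sample lines shaped like the page's examples (the first keeps a syslog prefix).
SAMPLE_EXFIL = (
    "2-19-2018 14:17:46 Auth.Error 127.0.0.1 1 2018-02-19T12:17:34.645993+00:00 DC "
    "CEF:0|Microsoft|Azure ATP|2.60.0.0|SmbDataExfiltrationSecurityAlert|"
    "Data exfiltration over SMB|10|start=2018-02-19T12:14:12.4932821Z app=Smb shost=CLIENT1 "
    "msg=Eugene Jenkins (Software Engineer) on DC2 copied suspicious files to CLIENT1. "
    "cs1Label=url cs1=https\\://192.168.0.220/suspiciousActivity/5909ae198ca1ec04d05e65fa "
    "cs2Label=trigger cs2=new cs3Label=shostfqdn cs3=client1.contoso.local")
SAMPLE_ENUM = (
    "CEF:0|Microsoft|Azure ATP|2.22.540.0|AccountEnumerationSecurityAlert|"
    "Reconnaissance using account enumeration|5|start=2018-02-21T14:19:02.6045416Z "
    "app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration "
    "activity using the Kerberos protocol, originating from CLIENT1, was observed and "
    "successfully guessed Lamon Maldonado (Software Engineer). externalId=2003 "
    "cs1Label=url cs1=https\\://192.168.0.220/suspiciousActivity/5909ae198ca1ec04d05e65fa "
    "cs2Label=trigger cs2=update cs3Label=shostfqdn cs3=client1.contoso.local")
```

Running summarize_alert over the two samples shows the escaped URL restored, the machine account and its FQDN side by side, and the trigger turned into a boolean; select_for_triage then returns only the new severity-10 SMB alert, leaving the updated enumeration alert to its existing case.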






