https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453788#M78591 <P>I have configured Syslog Server Endpoint (server:port), Transport (UDP) and Format (RFC 5424), following the docs. Take a look at the Notifications menu and go to Syslog Notifications. Check if all options are enabled.</P> Thu, 09 May 2019 00:12:06 GMT alonsocaio 2019-05-09T00:12:06Z https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453783#M78586 <P>Is there any way to integrate and send Microsoft Advanced Threat Analytics events to Splunk? </P> Thu, 21 Mar 2019 11:35:56 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453783#M78586 alonsocaio 2019-03-21T11:35:56Z https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453784#M78587 <P>Actually I found a solution. Microsoft ATA can send Syslog alerts to any SIEM server.</P> Thu, 21 Mar 2019 12:01:17 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453784#M78587 alonsocaio 2019-03-21T12:01:17Z https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453785#M78588 <P>But are these logs well parsed by default by Splunk?</P> Mon, 29 Apr 2019 12:13:06 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453785#M78588 25D55AD2 2019-04-29T12:13:06Z https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453786#M78589 <P>Where you able to get this to work? I have added my syslog server into the ATA config under the syslog server setting but I am not getting any alerts. I can generate a test message and receive it in our syslog server.</P> Wed, 08 May 2019 21:47:39 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453786#M78589 edhealea 2019-05-08T21:47:39Z https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453787#M78590 <P>Yes, they are. I have created a custom sourcetype for MS ATA so I could extract more fields, but It is well parsed since It has field : value in its logs and also have some delimiters.</P> Wed, 08 May 2019 23:52:54 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453787#M78590 alonsocaio 2019-05-08T23:52:54Z https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453788#M78591 <P>I have configured Syslog Server Endpoint (server:port), Transport (UDP) and Format (RFC 5424), following the docs. Take a look at the Notifications menu and go to Syslog Notifications. Check if all options are enabled.</P> Thu, 09 May 2019 00:12:06 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-and-Microsoft-Advanced-Threat-Analytics/m-p/453788#M78591 alonsocaio 2019-05-09T00:12:06Z