Is there any way to integrate and send Microsoft Advanced Threat Analytics events to Splunk?
Actually I found a solution. Microsoft ATA can send Syslog alerts to any SIEM server.
But are these logs well parsed by default by Splunk?
Yes, they are. I have created a custom sourcetype for MS ATA so I could extract more fields, but it is well parsed since it has field : value in its logs and also has some delimiters.
Were you able to get this to work? I have added my syslog server into the ATA config under the syslog server setting but I am not getting any alerts. I can generate a test message and receive it in our syslog server.
I have configured Syslog Server Endpoint (server:port), Transport (UDP) and Format (RFC 5424), following the docs. Take a look at the Notifications menu and go to Syslog Notifications. Check if all options are enabled.
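As an added illustration of the custom sourcetype and the UDP / RFC 5424 setup described in the answers above (not configuration from the original thread or from Microsoft), the Splunk stanzas below listen for ATA syslog on UDP, anchor the timestamp on the RFC 5424 header, and pull out the `field : value` pairs as dynamic fields. The port 5140, the sourcetype name `ms:ata:syslog` and the `;` separator between pairs are assumptions; adjust the REGEX to the delimiters actually seen in your ATA alerts.

```ini
# inputs.conf (assumed port; ATA is configured to send UDP / RFC 5424 to it)
[udp://5140]
sourcetype = ms:ata:syslog
connection_host = ip
# the RFC 5424 message already carries its own timestamp
no_appending_timestamp = true

# props.conf
[ms:ata:syslog]
SHOULD_LINEMERGE = false
# RFC 5424 header starts "<PRI>1 <TIMESTAMP> ..."; skip the PRI/version part
TIME_PREFIX = ^<\d+>1\s
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%z
MAX_TIMESTAMP_LOOKAHEAD = 40
# dynamic "field : value" extraction defined in transforms.conf
REPORT-ata_kv = ata_kv

# transforms.conf
[ata_kv]
# assumed layout: pairs like "Suspicious activity : <text>; Source : <host>"
# separated by ";" -- change the separator to match the real alerts
REGEX = ([A-Za-z][A-Za-z ]*?)\s*:\s*([^;]+)
FORMAT = $1::$2
MV_ADD = true
# CLEAN_KEYS (default true) turns spaces in the captured field name into "_"
CLEAN_KEYS = true
```

Restart or reload the forwarder after placing the stanzas, then check with `index=<your index> sourcetype=ms:ata:syslog | table _time, *` that the timestamp matches the header and the expected fields appear.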