Is there any way to integrate and send Microsoft Advanced Threat Analytics events to Splunk?
Actually I found a solution. Microsoft ATA can send Syslog alerts to any SIEM server.
But are these logs well parsed by default by Splunk?
Yes, they are. I have created a custom sourcetype for MS ATA so I could extract more fields, but it is well parsed since it has field : value in its logs and also has some delimiters.
Were you able to get this to work? I have added my syslog server into the ATA config under the syslog server setting but I am not getting any alerts. I can generate a test message and receive it in our syslog server.
I have configured Syslog Server Endpoint (server:port), Transport (UDP) and Format (RFC 5424), following the docs. Take a look at the Notifications menu and go to Syslog Notifications. Check if all options are enabled.
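Added example, not code from this thread or from Microsoft: a small Python parser that does what the custom sourcetype above does on the Splunk side, for an ATA-style alert sent as RFC 5424 syslog with "field : value" pairs separated by ";". The sample lines are constructed for this demo (the field names, hostnames and URL are assumptions, not real ATA output). It also shows the failure mode from the last two posts: the same alert sent in BSD/RFC 3164 format arrives but yields no fields, so the Format setting in ATA's syslog configuration matters.

```python
import re
from typing import Any, Dict, Optional

# RFC 5424 header layout:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Absent fields are sent as "-" (NILVALUE). Escaped ']' inside SD-PARAMs is not handled here.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+"
    r"(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+(?P<appname>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?:\s+(?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed sample in the style the thread describes ("field : value", ';' delimited).
# NOT a real ATA alert; field names and values are assumptions for this demo.
SAMPLE_ALERT = (
    "<14>1 2019-05-20T10:15:32.000Z ata-center ATA - - - "
    "Suspicious activity: Reconnaissance using account enumeration; "
    "Severity: Medium; Source computer: WS-01.contoso.local; "
    "Source user: alice@contoso.local; Status: Open; "
    "URL: https://ata-center.contoso.local/suspiciousActivity/5ce28f1a"
)

# Constructed BSD-style (RFC 3164) line: same content, wrong Format on the sender side.
SAMPLE_RFC3164 = (
    "<14>May 20 10:15:32 ata-center ATA: Suspicious activity: Reconnaissance "
    "using account enumeration; Severity: Medium"
)


def parse_kv(msg: str, delimiter: str = ";") -> Dict[str, str]:
    """Extract 'Key : value' pairs from the free-text MSG part.

    Split on the delimiter first, then on the FIRST ':' of each chunk, so values
    that contain ':' themselves (URLs, times) stay intact.
    """
    fields: Dict[str, str] = {}
    for chunk in msg.split(delimiter):
        key, sep, value = chunk.partition(":")
        if not sep:
            continue  # free text without a key: ignore
        key = key.strip().lower().replace(" ", "_")
        value = value.strip()
        if key and value:
            fields[key] = value
    return fields


def parse_syslog(line: str) -> Optional[Dict[str, Any]]:
    """Parse one RFC 5424 line into header fields plus MSG key/values.

    Returns None when the line is not RFC 5424 (for example RFC 3164/BSD
    format), which is what you get in Splunk when the sender's Format is
    wrong: the event is indexed, but nothing useful is extracted.
    """
    m = _RFC5424.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity, facility <= 23
        return None
    # Prefix the syslog header values so the alert's own "Severity" field
    # from the MSG part is not overwritten by the transport-level severity.
    event: Dict[str, Any] = {
        "syslog_facility": pri // 8,
        "syslog_severity": pri % 8,
        "timestamp": m["timestamp"],
        "host": m["hostname"],
        "app": m["appname"],
        "structured_data": m["sd"],
    }
    event.update(parse_kv(m["msg"] or ""))
    return event


def needs_triage(event: Dict[str, Any]) -> bool:
    """Example alert gate on the extracted fields: open Medium/High alerts only."""
    return event.get("status") == "Open" and event.get("severity") in ("Medium", "High")


if __name__ == "__main__":
    for line in (SAMPLE_ALERT, SAMPLE_RFC3164):
        parsed = parse_syslog(line)
        print(parsed, needs_triage(parsed) if parsed else "not RFC 5424")
```

The equivalent of `parse_kv` in Splunk is a field extraction on the custom sourcetype (an `EXTRACT-` regex in props.conf, or the interactive field extractor); keeping the syslog PRI-derived severity under a separate name is the same caveat there, since both the transport and the alert body carry a "severity".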
