Skip to main content

Microsoft Defender for Identity

A cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Identity

This pack includes Cortex XSIAM content.

Configuration on Server Side

You need to configure Microsoft for Identity to forward Syslog messages in CEF format.

To configure, follow these instructions:

  1. In Microsoft 365 Defender, go to Settings > Identities.
  2. Click Syslog notifications.
  3. To enable syslog notification, set the Syslog service toggle to the on position.
  4. Click Configure service. A pane will open where you can enter the details for the syslog service.
  5. Enter the following details:
    • Sensor - From the drop-down list, choose the sensor that will send the alerts.
    • Service endpoint and Port - Enter the IP address or fully qualified domain name (FQDN) for the syslog server and specify the port number. You can configure only one Syslog endpoint.
    • Transport - Select the Transport protocol (TCP or UDP).
    • Format - Select the format (RFC 3164).
  6. Click Send test SIEM notification and then verify the message is received in your Syslog infrastructure solution.
  7. Click Save.
  8. Once you've configured the Syslog service, you can choose which types of notifications (alerts or health issues) to send to your Syslog server.
  • Additional documentation for syslog notifications is available here.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Right-click, and select Syslog Collector > Configure.
  3. When configuring the Syslog Collector, set the following values:
    • vendor as vendor - microsoft
    • product as product - azure_atp

PUBLISHER

Cortex

PLATFORMS

Cortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedMarch 9, 2023
Last ReleaseMarch 9, 2023
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.