AlienVault® USM Anywhere™

Microsoft Advanced Threat Analytics

When you configure Microsoft Advanced Threat Analytics (ATA) to send log data to USM Anywhere, you can use the Microsoft Advanced Threat Analytics plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: Microsoft
Device Type: Threat Analytics
Connection Type: Syslog

Integrating Microsoft Advanced Threat Analytics (ATA)

To configure Microsoft ATA to send Syslog messages to USM Anywhere

  1. On the ATA Center server, click the Microsoft Advanced Threat Analytics Management icon on the desktop and log in.
  2. Select the Settings option on the toolbar and choose Configuration.
  3. Under the Configure syslog notifications section, select Syslog server and fill out the fields:

    • Syslog server endpoint — enter the IP address of USM Anywhere and port 514 if you're using UDP, or 601 if you're using TCP.
    • Transport — select UDP, TCP, or TLS.
    • Format — select RFC 3164.

  4. Click Save.

Plugin Enablement

This plugin is automatically enabled.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol
  • event_description
  • event_description_url
  • event_name
  • event_severity
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_hostname
  • source_username
  • time_start
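The configuration steps above require the RFC 3164 format, and the plugin then extracts normalized fields such as source_hostname, event_severity and time_start from each message. The following added example (written for this page, not code from AlienVault or Microsoft, and not the plugin's own parsing logic) shows what that normalization involves: it parses the RFC 3164 header (PRI, timestamp, hostname, message), decodes the PRI value into facility and severity, and maps the pieces onto the field names listed above. The sample line is constructed; its message body is a placeholder and does not reproduce ATA's real alert text. The vendor and device-type constants come from the Device Details on this page.

```python
"""Parse an RFC 3164 syslog line and map its header onto the normalized
field names used by the USM Anywhere Microsoft ATA plugin.

Added example, not AlienVault or Microsoft code. The sample message body
is a constructed placeholder, not ATA's actual alert format.
"""
import re
from datetime import datetime

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
# The day may be space-padded ("Mar  5"), which the regex allows.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Severity codes 0..7 as defined by RFC 3164 (PRI = facility * 8 + severity)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

# Values taken from the Device Details section of this page
DEVICE_VENDOR = "Microsoft"
DEVICE_TYPE = "Threat Analytics"
PLUGIN_DEVICE = "Microsoft Advanced Threat Analytics"

# Constructed sample: PRI 14 = facility 1 (user) * 8 + severity 6 (info)
SAMPLE_LINE = ("<14>Mar  5 14:03:22 ata-center01 "
               "Constructed ATA alert: placeholder message body")


def parse_rfc3164(line: str, year: int) -> dict:
    """Split an RFC 3164 line into pri/facility/severity/timestamp/host/msg.

    RFC 3164 timestamps carry no year, so the receiver must supply one.
    Raises ValueError for lines that do not match the format, which is
    what happens if a sender is configured with a different syslog format.
    """
    m = _RFC3164.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI value out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    ts = datetime.strptime("%d %s" % (year, m.group("ts")),
                           "%Y %b %d %H:%M:%S")
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "timestamp": ts,
        "hostname": m.group("host"),
        "message": m.group("msg"),
    }


def normalize(line: str, year: int) -> dict:
    """Map a parsed RFC 3164 line onto the plugin's normalized field names.

    The mapping here is illustrative: it shows which header parts feed
    which fields, not how the USM Anywhere plugin itself populates them.
    """
    parsed = parse_rfc3164(line, year)
    return {
        "plugin_device": PLUGIN_DEVICE,
        "plugin_device_type": DEVICE_TYPE,
        "rep_device_vendor": DEVICE_VENDOR,
        "rep_device_type": DEVICE_TYPE,
        "source_hostname": parsed["hostname"],
        "event_severity": SEVERITY_NAMES[parsed["severity"]],
        "time_start": parsed["timestamp"].isoformat(),
        "event_description": parsed["message"],
    }


if __name__ == "__main__":
    for field, value in normalize(SAMPLE_LINE, year=2024).items():
        print("%-20s %s" % (field, value))
```

Running the module prints the field mapping for the constructed sample line. A line without the `<PRI>` prefix, or with a PRI above 191, raises ValueError, which is a useful quick check if events from ATA are not appearing in USM Anywhere: capture one message as received on the sensor and feed it to parse_rfc3164 to confirm the sender is really emitting RFC 3164.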

Additional Resources and Troubleshooting

https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings

For troubleshooting, refer to the vendor documentation:

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs