Overview
Blumira integrates with Defender for Identity (formerly Azure ATP) to receive alert notifications. Follow the instructions below to get your Defender for Identity logs forwarded to Blumira.
The Defender for Identity integration relies on the Blumira Logger Module, so you do not need to add a new module to your sensor configuration for this integration.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Procedure
To forward logs from Defender for Identity, use the following steps:
- Log in to https://portal.atp.azure.com/.
- Click the gear icon.
- Click Settings.
- From the Notifications and Reports submenu, select Notifications.
- From the Syslog Service option, click Configure.
- Select the Sensor from the dropdown.
- Enter the Blumira Sensor IP address.
- Select the Transport protocol (TCP or UDP).
- Select RFC 5424 as the format.
- Select Send test Syslog message and then verify the message is received in your Syslog infrastructure solution.
- Click Save.
Note: Within 20 minutes of the test message being processed, the new data source ‘Azure ATP’ appears in the report builder. Use this data source to query your Defender for Identity logs.
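To confirm the test-message step from the receiving side, the following added Python example (not Blumira's or Microsoft's code) waits for one syslog datagram and checks that it is well-formed RFC 5424, the format selected in the procedure. The sample line, the hostname dc01.example.local and the app name MDI are constructed for offline testing; the real alert layout is documented in the SIEM log reference listed under Additional Reference.

```python
import re
import socket

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# One SD-ELEMENT: [SD-ID (SP PARAM-NAME="PARAM-VALUE")*]; values may escape ", ] and \ with a backslash
_SD_ELEMENT = re.compile(r'\[([^\] ]+)((?: [^\]= ]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' ([^\]= ]+)="((?:[^"\\]|\\.)*)"')


def parse_rfc5424(line):
    """Parse one syslog line; return None if it is not RFC 5424 (e.g. a legacy RFC 3164 line)."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    rest, sd = m.group("rest"), {}
    if rest.startswith("-"):              # NILVALUE: no structured data, MSG follows
        msg = rest[1:].lstrip()
    else:                                 # consume SD-ELEMENTs until the MSG part begins
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            el = _SD_ELEMENT.match(rest, pos)
            if not el:
                return None               # malformed structured data
            sd[el.group(1)] = {k: re.sub(r'\\([\]"\\])', r'\1', v)
                               for k, v in _SD_PARAM.findall(el.group(2))}
            pos = el.end()
        msg = rest[pos:].lstrip()
    return {"facility": pri // 8, "severity": pri % 8, "version": int(m.group("ver")),
            "timestamp": m.group("ts"), "host": m.group("host"), "app": m.group("app"),
            "procid": m.group("procid"), "msgid": m.group("msgid"), "sd": sd, "msg": msg}


def receive_one(bind_ip, port=514, timeout=60.0):
    """Wait for a single UDP datagram on the given address and parse it (UDP transport only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_ip, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_rfc5424(data.decode("utf-8", errors="replace"))

# Constructed sample line (not a real Defender for Identity alert) for offline testing
SAMPLE = '<113>1 2024-01-01T12:00:00.000Z dc01.example.local MDI - - [test@0 type="syslog-test"] Test syslog message'
```

Bind to the sensor IP copied earlier; if the Logger Module already owns port 514 on that host, run this on a separate test host or pass a captured line to parse_rfc5424 instead.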
Additional Reference
- See Defender for Identity Syslog notifications for Syslog configuration information.
- See Microsoft Defender for Identity SIEM log reference for details regarding log format and alert examples.