
Sheriff CSM™

Microsoft ATA

When you configure Microsoft Advanced Threat Analytics (ATA) to send log data to Sheriff CSM, you can use the microsoft-ata plugin to translate the raw log data into normalized events for analysis. The table below provides basic information about the plugin:

Plugin Information

  Device Details
    Vendor:            Microsoft
    Device Type:       Threat Analytics
    Connection Type:   Syslog
    Data Source Name:  microsoft-ata
    Data Source ID:    1850

Integrating Microsoft Advanced Threat Analytics (ATA)

To configure Microsoft ATA to send Syslog messages to Sheriff CSM
  1. On the ATA Center server, click the Microsoft Advanced Threat Analytics Management icon on the desktop and log in.

  2. Select the Settings option on the toolbar and choose Configuration.

  3. Under the Configure syslog notifications section, select Syslog server and fill out the fields:

    • Syslog server endpoint — enter the IP address of Sheriff CSM and port 514 if you're using UDP, or port 601 if you're using TCP.
    • Transport — select UDP, TCP, or TLS.
    • Format — select RFC 3164.

  4. Click Save.
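Once the steps above are saved, the useful check on the receiving side is whether RFC 3164 messages actually arrive on the port you chose (UDP 514 or TCP 601) and parse cleanly before the plugin ever sees them. The following is an added example, not code from this page, from Sheriff CSM, or from Microsoft: it parses the RFC 3164 header that the Format setting above produces (PRI, timestamp, hostname, tag, message) and can listen on either transport for a few test messages. The sample line is constructed for the example; the actual text of an ATA alert is not shown on this page, and newline framing for the TCP stream is an assumption.

```python
import re
import socket

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

# Severity names indexed by the low three bits of PRI (RFC 3164 section 4.1.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample in the generic RFC 3164 shape; PRI 134 = local0 (16) / info (6).
SAMPLE_LINE = "<134>Jun 23 10:15:42 ata-center ATA: Suspicious activity: example alert text"


def parse_rfc3164(line):
    """Parse one RFC 3164 line; return a dict of fields or None if it is not well formed."""
    m = RFC3164_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 * 8 + severity 0-7 cannot exceed 191
        return None
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def split_frames(buf):
    """Split a TCP byte stream into individual messages (newline framing assumed)."""
    return [frame.decode("utf-8", "replace") for frame in buf.splitlines() if frame.strip()]


def receive_udp(bind_addr="0.0.0.0", port=514, count=1, timeout=30.0):
    """Receive `count` datagrams on the UDP port and return (sender, parsed_event) pairs."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        for _ in range(count):
            data, addr = s.recvfrom(65535)
            events.append((addr[0], parse_rfc3164(data.decode("utf-8", "replace"))))
    return events


def receive_tcp(bind_addr="0.0.0.0", port=601, timeout=30.0):
    """Accept one TCP connection, read until the sender closes, and parse every frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.settimeout(timeout)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, addr = srv.accept()
        with conn:
            conn.settimeout(timeout)
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return [(addr[0], parse_rfc3164(frame)) for frame in split_frames(buf)]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in receive_udp()/receive_tcp()
    # (both need privileges to bind ports below 1024) to check live delivery.
    print(parse_rfc3164(SAMPLE_LINE))
```

Run the listener on the host that will receive the ATA messages, trigger a test notification from the ATA console, and confirm that every received event parses to a non-None dict with the expected hostname. An event that comes back as None usually means the Format setting is not RFC 3164 or the transport in ATA does not match the port being listened on.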

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings

For troubleshooting, refer to the vendor documentation:

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs
Topic revision: r5 - 23 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.