SIEM (HP ArcSight) integration with ATA RRS feed

  • Question

  • Hello Team,

    Please, I need a documentation guide on how to integrate a SIEM (HP ArcSight) with ATA in both scenarios, as shown on TechNet in the screenshot below:



    BR, David Sunday

    Tuesday, May 9, 2017 8:34 AM

Answers

  • Hello David,

    Sure, ATA Gateway can collect event logs from WEF and SIEM/Syslog simultaneously. 

    You can turn on the two options from the ATA Console. Please see the following screenshot.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by David Sunday Wednesday, May 17, 2017 12:37 PM
    Wednesday, May 17, 2017 7:30 AM

All replies

  • Hello David,

    1. You just need to configure the IP address and port of the syslog server, the transport protocol and the format on ATA. For more configuration details, please see the following documentation.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/setting-syslog-email-server-settings

    2. You need to enable the option for receiving events on ATA first, then configure your SIEM to forward Windows Event ID 4776 to the IP address of one of the ATA Gateways. For additional information on configuring your SIEM, refer to your SIEM's online help. 

    In addition, you can refer to the following article for the specific formatting requirements of each SIEM server.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/configure-event-collection


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, May 10, 2017 9:00 AM
  • Thanks Andy,

    Does ATA support installation on the Server 2016 OS?

    Can the ATA license be reused on another ATA Center in case of a server crash or disaster?

    I saw the below in the link you sent; what events in the last row does ATA send to the SIEM? 

    Under the Notifications section, select Syslog server and enter the following information:

    Field                   Description
    Syslog server endpoint  FQDN of the Syslog server and optionally change the port number (default 514)
    Transport               Can be UDP, TCP or TLS (Secured Syslog)
    Format                  This is the format that ATA uses to send events to the SIEM server - either RFC 5424 or RFC 3164.


    BR, David Sunday


    Wednesday, May 10, 2017 10:09 AM
  • Hello David,

    >>> Does ATA support installation on server 2016 OS?

    The ATA Center supports installation on a server running Windows Server 2012 R2 or Windows Server 2016. 
    The ATA Gateway supports installation on a server running Windows Server 2012 R2 or Windows Server 2016 (including Server Core). 

    >>> Can the ATA license be reuse on another ATA center in case of server crash or disaster?

    For questions about the ATA license, you should see the ATA licensing datasheet.

    Also, you can contact your Microsoft representative or Partner.

    http://download.microsoft.com/download/4/F/3/4F3C822E-E0AC-4C5F-8E68-1D789E833885/Microsoft_Advanced_Threat_Analytics_Licensing_Datasheet.pdf

    >>> what events in the last row does ATA sends to SIEM? 

    ATA will send a syslog alert to the SIEM in the event of a suspicious activity. You can see what ATA detects in the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 12, 2017 2:45 AM
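    The table quoted earlier in this thread says the ATA Center emits its alerts as syslog in either RFC 5424 or RFC 3164, and the reply above explains that those messages are suspicious-activity alerts. As an added example (not code from this thread, from Microsoft, or from the ATA product), the Python below shows the receiving side: a parser that accepts both formats, decodes the PRI facility/severity and, for RFC 5424, the structured-data block, which is the part a SIEM collector would map into its own event schema. The two sample lines are constructed to look like an alert in each format; they are not captured ATA output, and the structured-data element "example@32473" and its parameters are hypothetical (32473 is the enterprise number RFC 5424 reserves for examples).

```python
"""Parse syslog alerts in the two formats the ATA console offers (RFC 5424 and RFC 3164).

Added example: the sample lines are constructed for illustration, not captured ATA
output, and the structured-data element "example@32473" is hypothetical.
"""
import re
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (no year, no time zone)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<k>[^=\s]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def decode_pri(pri):
    """Split the <PRI> value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_structured_data(sd):
    """Turn RFC 5424 STRUCTURED-DATA into {sd_id: {param: value}} ('-' means none)."""
    if sd == "-":
        return {}
    elements = {}
    for elem in SD_ELEMENT_RE.finditer(sd):
        params = {}
        for p in SD_PARAM_RE.finditer(elem.group("params")):
            # Undo the three escapes RFC 5424 requires inside a PARAM-VALUE.
            params[p.group("k")] = (p.group("v").replace('\\"', '"')
                                    .replace("\\]", "]").replace("\\\\", "\\"))
        elements[elem.group("id")] = params
    return elements


def parse_syslog(line, year=None):
    """Parse one line in either format into a normalised dict, or raise ValueError.

    `year` only matters for RFC 3164, whose timestamp carries no year; it defaults to
    the current year, which is wrong for messages that straddle New Year, so a real
    collector should derive it from arrival time.
    """
    m = RFC5424_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group("pri")))
        ts = m.group("ts")
        when = None if ts == "-" else datetime.fromisoformat(ts.replace("Z", "+00:00"))
        return {"format": "rfc5424", "facility": facility, "severity": severity,
                "timestamp": when, "host": m.group("host"), "app": m.group("app"),
                "sd": parse_structured_data(m.group("sd")), "msg": m.group("msg") or ""}
    m = RFC3164_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group("pri")))
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(
            year=year or datetime.now().year)
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "timestamp": when, "host": m.group("host"), "app": m.group("tag"),
                "sd": {}, "msg": m.group("msg")}
    raise ValueError("not a syslog line in RFC 5424 or RFC 3164 format: %r" % line)


# Constructed sample lines (not real ATA output): the same hypothetical alert in both formats.
SAMPLE_RFC5424 = ('<134>1 2017-05-17T07:30:00.000Z ATACenter01 ATA - - '
                  '[example@32473 severity="High" activity="Pass-the-Ticket"] '
                  'Pass-the-Ticket attack detected from WS01 to DC01')
SAMPLE_RFC3164 = ('<134>May 17 07:30:00 ATACenter01 ATA: '
                  'Pass-the-Ticket attack detected from WS01 to DC01')


def high_severity_alerts(lines):
    """Collector rule a SIEM might apply: keep alerts whose structured data says
    severity="High" (RFC 5424 only) or whose syslog severity is 'err' or worse."""
    kept = []
    for line in lines:
        event = parse_syslog(line)
        sd_severity = next((p["severity"] for p in event["sd"].values() if "severity" in p), None)
        if sd_severity == "High" or SEVERITIES.index(event["severity"]) <= SEVERITIES.index("err"):
            kept.append(event)
    return kept


if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_RFC3164):
        print(parse_syslog(sample, year=2017))
```

    The practical point the two samples make is that RFC 3164 carries no year, no time zone and no structured fields, so a collector has to guess the year and regex the free-text message, whereas RFC 5424 gives an unambiguous timestamp and name/value pairs it can filter on directly; when the SIEM supports it, prefer RFC 5424, and prefer the TLS transport from the same table so the SIEM can authenticate the ATA Center rather than accept spoofed UDP alerts from anyone on the network.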
  • Can the ATA Gateway be configured to receive and process WEF and Syslog events simultaneously, or does it have to be one at a time?  

    I mean, can I configure WEF and at the same time integrate ATA with the SIEM for event collection?


    BR, David Sunday

    Tuesday, May 16, 2017 10:23 AM