mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
update casing and redirects
This commit is contained in:
Joey Caparas
@ -15131,6 +15131,21 @@
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md",
|
||||
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md ",
|
||||
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/is-ip-seen-org.md",
|
||||
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/exposed-apis-list",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md",
|
||||
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machineaction",
|
||||
"redirect_document_id": true
|
||||
|
||||
@ -437,13 +437,13 @@
|
||||
##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
|
||||
##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
|
||||
|
||||
#### [Pull Detections to your SIEM tools]()
|
||||
##### [Learn about different ways to pull Detections](microsoft-defender-atp/configure-siem.md)
|
||||
#### [Pull detections to your SIEM tools]()
|
||||
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
|
||||
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
|
||||
##### [Configure Splunk to pull Detections](microsoft-defender-atp/configure-splunk.md)
|
||||
##### [Configure HP ArcSight to pull Detections](microsoft-defender-atp/configure-arcsight.md)
|
||||
##### [Microsoft Defender ATP Detection fields](microsoft-defender-atp/api-portal-mapping.md)
|
||||
##### [Pull Detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
|
||||
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
|
||||
##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
|
||||
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
|
||||
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
|
||||
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
|
||||
|
||||
#### [Reporting]()
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Microsoft Defender ATP Detections API fields
|
||||
title: Microsoft Defender ATP detections API fields
|
||||
description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
|
||||
keywords: Detections, Detections fields, fields, api, fields, pull Detections, rest api, request, response
|
||||
keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -15,10 +15,9 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/16/2017
|
||||
---
|
||||
|
||||
# Microsoft Defender ATP Detections API fields
|
||||
# Microsoft Defender ATP detections API fields
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -26,14 +25,14 @@ ms.date: 10/16/2017
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
|
||||
|
||||
Understand what data fields are exposed as part of the Detections API and how they map to Microsoft Defender Security Center.
|
||||
Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
|
||||
|
||||
>[!Note]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
|
||||
>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
|
||||
|
||||
## Detections API fields and portal mapping
|
||||
The following table lists the available fields exposed in the Detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
|
||||
The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
|
||||
|
||||
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
|
||||
|
||||
@ -48,18 +47,18 @@ Field numbers match the numbers in the images below.
|
||||
> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
|
||||
> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
|
||||
> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
|
||||
> | 6 | FileName | fileName | Robocopy.exe | Available for Detections associated with a file or process. |
|
||||
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for Detections associated with a file or process. |
|
||||
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based Detections. |
|
||||
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based Detections. |
|
||||
> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for Detections associated with a file or process. |
|
||||
> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV Detections. |
|
||||
> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV Detections. |
|
||||
> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV Detections. |
|
||||
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for Detections associated to network events. For example, 'Communication to a malicious network destination'. |
|
||||
> | 15 | Url | requestUrl | down.esales360.cn | Available for Detections associated to network events. For example, 'Communication to a malicious network destination'. |
|
||||
> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV Detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
|
||||
> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV Detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
|
||||
> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
|
||||
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
|
||||
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
|
||||
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
|
||||
> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
|
||||
> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV detections. |
|
||||
> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV detections. |
|
||||
> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV detections. |
|
||||
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
|
||||
> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
|
||||
> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
|
||||
> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
|
||||
> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
|
||||
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
|
||||
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
|
||||
@ -69,7 +68,7 @@ Field numbers match the numbers in the images below.
|
||||
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
|
||||
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
|
||||
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
|
||||
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that Detections are retrieved. |
|
||||
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
|
||||
> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
|
||||
> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
|
||||
> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
|
||||
@ -92,7 +91,7 @@ Field numbers match the numbers in the images below.
|
||||
|
||||
## Related topics
|
||||
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)
|
||||
- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
|
||||
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure HP ArcSight to pull Microsoft Defender ATP Detections
|
||||
description: Configure HP ArcSight to receive and pull Detections from Microsoft Defender Security Center
|
||||
title: Configure HP ArcSight to pull Microsoft Defender ATP detections
|
||||
description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
|
||||
keywords: configure hp arcsight, security information and events management tools, arcsight
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -15,10 +15,9 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# Configure HP ArcSight to pull Microsoft Defender ATP Detections
|
||||
# Configure HP ArcSight to pull Microsoft Defender ATP detections
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -29,14 +28,14 @@ ms.date: 12/20/2018
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
|
||||
|
||||
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP Detections.
|
||||
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
|
||||
|
||||
>[!Note]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
|
||||
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
|
||||
|
||||
## Before you begin
|
||||
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse Detections from your Azure Active Directory (AAD) application.
|
||||
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
|
||||
|
||||
This section guides you in getting the necessary information to set and use the required configuration files correctly.
|
||||
|
||||
@ -167,7 +166,7 @@ The following steps assume that you have completed all the required steps in [Be
|
||||
|
||||
You can now run queries in the HP ArcSight console.
|
||||
|
||||
Microsoft Defender ATP Detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
|
||||
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
|
||||
|
||||
|
||||
## Troubleshooting HP ArcSight connection
|
||||
@ -191,6 +190,6 @@ Microsoft Defender ATP Detections will appear as discrete events, with "Microsof
|
||||
|
||||
## Related topics
|
||||
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)
|
||||
- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
|
||||
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Pull Detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
|
||||
description: Learn how to use REST API and configure supported security information and events management tools to receive and pull Detections.
|
||||
title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
|
||||
description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
|
||||
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -18,7 +18,7 @@ ms.topic: article
|
||||
ms.date: 10/16/2017
|
||||
---
|
||||
|
||||
# Pull Detections to your SIEM tools
|
||||
# Pull detections to your SIEM tools
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -26,13 +26,13 @@ ms.date: 10/16/2017
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
|
||||
|
||||
## Pull Detections using security information and events management (SIEM) tools
|
||||
## Pull detections using security information and events management (SIEM) tools
|
||||
|
||||
>[!Note]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
|
||||
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
|
||||
|
||||
Microsoft Defender ATP supports (SIEM) tools to pull Detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull Detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
|
||||
Microsoft Defender ATP supports (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
|
||||
|
||||
|
||||
Microsoft Defender ATP currently supports the following SIEM tools:
|
||||
@ -44,16 +44,16 @@ To use either of these supported SIEM tools you'll need to:
|
||||
|
||||
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
- Configure the supported SIEM tool:
|
||||
- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)
|
||||
- [Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
|
||||
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
|
||||
|
||||
For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
|
||||
|
||||
|
||||
## Pull Microsoft Defender ATP Detections using REST API
|
||||
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull Detections using REST API.
|
||||
## Pull Microsoft Defender ATP detections using REST API
|
||||
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
|
||||
|
||||
For more information, see [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md).
|
||||
For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
|
||||
|
||||
|
||||
## In this section
|
||||
@ -61,8 +61,8 @@ For more information, see [Pull Microsoft Defender ATP Detections using REST API
|
||||
Topic | Description
|
||||
:---|:---
|
||||
[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
|
||||
[Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP Detections.
|
||||
[Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP Detections.
|
||||
[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
|
||||
[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
|
||||
[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
|
||||
[Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull Detections from Microsoft Defender ATP using REST API.
|
||||
[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
|
||||
[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure Splunk to pull Microsoft Defender ATP Detections
|
||||
description: Configure Splunk to receive and pull Detections from Microsoft Defender Security Center.
|
||||
title: Configure Splunk to pull Microsoft Defender ATP detections
|
||||
description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
|
||||
keywords: configure splunk, security information and events management tools, splunk
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Configure Splunk to pull Microsoft Defender ATP Detections
|
||||
# Configure Splunk to pull Microsoft Defender ATP detections
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -28,10 +28,10 @@ ms.topic: article
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
|
||||
|
||||
You'll need to configure Splunk so that it can pull Microsoft Defender ATP Detections.
|
||||
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
|
||||
|
||||
>[!Note]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
|
||||
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
|
||||
|
||||
## Before you begin
|
||||
@ -125,8 +125,8 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP Detec
|
||||
|
||||
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
|
||||
|
||||
## View Detections using Splunk solution explorer
|
||||
Use the solution explorer to view Detections in Splunk.
|
||||
## View detections using Splunk solution explorer
|
||||
Use the solution explorer to view detections in Splunk.
|
||||
|
||||
1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
|
||||
|
||||
@ -150,7 +150,7 @@ Use the solution explorer to view Detections in Splunk.
|
||||
|
||||
## Related topics
|
||||
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
|
||||
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
|
||||
- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Enable SIEM integration in Microsoft Defender ATP
|
||||
description: Enable SIEM integration to receive Detections in your security information and event management (SIEM) solution.
|
||||
description: Enable SIEM integration to receive detections in your security information and event management (SIEM) solution.
|
||||
keywords: enable siem connector, siem, connector, security information and events
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Enable SIEM integration in Microsoft Defender ATP
|
||||
@ -26,10 +25,10 @@ ms.date: 12/10/2018
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Enable security information and event management (SIEM) integration so you can pull Detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the Detections REST API.
|
||||
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
|
||||
|
||||
>[!Note]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
|
||||
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
|
||||
|
||||
## Prerequisites
|
||||
@ -59,7 +58,7 @@ Enable security information and event management (SIEM) integration so you can p
|
||||
> - WDATP-connector.jsonparser.properties
|
||||
> - WDATP-connector.properties <br>
|
||||
|
||||
If you want to connect directly to the Detections REST API through programmatic access, choose **Generic API**.
|
||||
If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**.
|
||||
|
||||
4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
|
||||
|
||||
@ -68,14 +67,14 @@ Enable security information and event management (SIEM) integration so you can p
|
||||
> [!NOTE]
|
||||
> You'll need to generate a new Refresh token every 90 days.
|
||||
|
||||
You can now proceed with configuring your SIEM solution or connecting to the Detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive Detections from Microsoft Defender Security Center.
|
||||
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
|
||||
|
||||
## Integrate Microsoft Defender ATP with IBM QRadar
|
||||
You can configure IBM QRadar to collect Detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
|
||||
You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
|
||||
|
||||
## Related topics
|
||||
- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)
|
||||
- [Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
|
||||
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
|
||||
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
|
||||
- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
|
||||
|
||||
@ -52,7 +52,6 @@ An important aspect of machine management is the ability to analyze the environm
|
||||
Topic | Description
|
||||
:---|:---
|
||||
Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
|
||||
Supported Microsoft Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
|
||||
Managed security service provider | Get a quick overview on managed security service provider support.
|
||||
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Pull Microsoft Defender ATP Detections using REST API
|
||||
description: Pull Detections from Microsoft Defender ATP REST API.
|
||||
keywords: Detections, pull Detections, rest api, request, response
|
||||
title: Pull Microsoft Defender ATP detections using REST API
|
||||
description: Pull detections from Microsoft Defender ATP REST API.
|
||||
keywords: detections, pull detections, rest api, request, response
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Pull Microsoft Defender ATP Detections using SIEM REST API
|
||||
# Pull Microsoft Defender ATP detections using SIEM REST API
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
@ -27,10 +27,10 @@ ms.topic: article
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
|
||||
|
||||
>[!Note]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
|
||||
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
|
||||
|
||||
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull Detections from the API.
|
||||
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
|
||||
|
||||
In general, the OAuth 2.0 protocol supports four types of flows:
|
||||
- Authorization grant flow
|
||||
@ -40,19 +40,19 @@ In general, the OAuth 2.0 protocol supports four types of flows:
|
||||
|
||||
For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
|
||||
|
||||
Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull Detections, with Azure Active Directory (AAD) as the authorization server.
|
||||
Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
|
||||
|
||||
The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
|
||||
|
||||
The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
|
||||
|
||||
Use the following method in the Microsoft Defender ATP API to pull Detections in JSON format.
|
||||
Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
|
||||
|
||||
>[!NOTE]
|
||||
>Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
|
||||
|
||||
## Before you begin
|
||||
- Before calling the Microsoft Defender ATP endpoint to pull Detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
|
||||
- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
|
||||
|
||||
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
|
||||
- Application ID (unique to your application)
|
||||
@ -63,7 +63,7 @@ Use the following method in the Microsoft Defender ATP API to pull Detections in
|
||||
## Get an access token
|
||||
Before creating calls to the endpoint, you'll need to get an access token.
|
||||
|
||||
You'll use the access token to access the protected resource, which are Detections in Microsoft Defender ATP.
|
||||
You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP.
|
||||
|
||||
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
|
||||
|
||||
@ -109,23 +109,23 @@ Use optional query parameters to specify and control the amount of data returned
|
||||
|
||||
Name | Value| Description
|
||||
:---|:---|:---
|
||||
DateTime?sinceTimeUtc | string | Defines the lower time bound Detections are retrieved from, based on field: <br> `LastProcessedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all Detections generated in the last two hours are retrieved.
|
||||
DateTime?untilTimeUtc | string | Defines the upper time bound Detections are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
|
||||
string ago | string | Pulls Detections in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull Detections received in the last 10 minutes.
|
||||
int?limit | int | Defines the number of Detections to be retrieved. Most recent Detections will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all Detections available in the time range will be retrieved.
|
||||
machinegroups | String | Specifies machine groups to pull Detections from. <br><br> **NOTE**: When not specified, Detections from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
|
||||
DateTime?sinceTimeUtc | string | Defines the lower time bound detections are retrieved from, based on field: <br> `LastProcessedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all detections generated in the last two hours are retrieved.
|
||||
DateTime?untilTimeUtc | string | Defines the upper time bound detections are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
|
||||
string ago | string | Pulls detections in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull detections received in the last 10 minutes.
|
||||
int?limit | int | Defines the number of detections to be retrieved. Most recent detections will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all detections available in the time range will be retrieved.
|
||||
machinegroups | String | Specifies machine groups to pull detections from. <br><br> **NOTE**: When not specified, detections from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
|
||||
DeviceCreatedMachineTags | string | Single machine tag from the registry.
|
||||
CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center.
|
||||
|
||||
### Request example
|
||||
The following example demonstrates how to retrieve all the Detections in your organization.
|
||||
The following example demonstrates how to retrieve all the detections in your organization.
|
||||
|
||||
```syntax
|
||||
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
|
||||
Authorization: Bearer <your access token>
|
||||
```
|
||||
|
||||
The following example demonstrates a request to get the last 20 Detections since 2016-09-12 00:00:00.
|
||||
The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
|
||||
|
||||
```syntax
|
||||
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
|
||||
@ -182,14 +182,14 @@ AuthenticationContext context = new AuthenticationContext(string.Format("https:/
|
||||
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
|
||||
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);
|
||||
```
|
||||
### Use token to connect to the Detections endpoint
|
||||
### Use token to connect to the detections endpoint
|
||||
|
||||
```
|
||||
HttpClient httpClient = new HttpClient();
|
||||
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
|
||||
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
|
||||
string detectionsJson = response.Content.ReadAsStringAsync().Result;
|
||||
Console.WriteLine("Got Detections list: {0}", detectionsJson);
|
||||
Console.WriteLine("Got detections list: {0}", detectionsJson);
|
||||
|
||||
```
|
||||
|
||||
@ -207,7 +207,7 @@ HTTP error code | Description
|
||||
|
||||
## Related topics
|
||||
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
|
||||
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
|
||||
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
|
||||
|
||||
@ -25,7 +25,7 @@ ms.topic: troubleshooting
|
||||
|
||||
|
||||
|
||||
You might need to troubleshoot issues while pulling Detections in your SIEM tools.
|
||||
You might need to troubleshoot issues while pulling detections in your SIEM tools.
|
||||
|
||||
This page provides detailed steps to troubleshoot issues you might encounter.
|
||||
|
||||
@ -80,7 +80,7 @@ If you encounter an error when trying to enable the SIEM connector application,
|
||||
|
||||
## Related topics
|
||||
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)
|
||||
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
|
||||
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
|
||||
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
|
||||
- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md)
|
||||
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
|
||||
|
||||
Reference in New Issue
Block a user