deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-30 22:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update fetch-alerts-mssp.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2020-11-06 12:30:29 -08:00
parent dc0a984208
commit 31e27dd219
1 changed files with 6 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
View File

@ -26,7 +26,7 @@ ms.topic: article
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE] >[!NOTE]
@ -39,7 +39,7 @@ There are two ways you can fetch alerts:
## Fetch alerts into your SIEM ## Fetch alerts into your SIEM
To fetch alerts into your SIEM system you'll need to take the following steps: To fetch alerts into your SIEM system, you'll need to take the following steps:
Step 1: Create a third-party application Step 1: Create a third-party application
@ -47,21 +47,15 @@ Step 2: Get access and refresh tokens from your customer's tenant
Step 3: allow your application on Microsoft Defender Security Center Step 3: allow your application on Microsoft Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD) ### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Defender for Endpoint tenant. You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender for Endpoint tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**. 2. Select **Azure Active Directory** > **App registrations**.
3. Click **New registration**. 3. Click **New registration**.
4. Specify the following values: 4. Specify the following values:
@ -80,7 +74,6 @@ You'll need to create an application and grant it permissions to fetch alerts fr
9. Click **New client secret**. 9. Click **New client secret**.
- Description: Enter a description for the key. - Description: Enter a description for the key.
- Expires: Select **In 1 year** - Expires: Select **In 1 year**
@ -163,12 +156,10 @@ After providing your credentials, you'll need to grant consent to the applicatio
7. You'll be asked to provide your credentials and consent. Ignore the page redirect. 7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
### Step 3: Allow your application on Microsoft Defender Security Center ### Step 3: Allow your application on Microsoft Defender Security Center
You'll need to allow the application you created in Microsoft Defender Security Center. You'll need to allow the application you created in Microsoft Defender Security Center.
You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you. You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID. 1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
@ -182,10 +173,10 @@ You'll need to have **Manage portal system settings** permission to allow the ap
5. Click **Authorize application**. 5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Defender for Endpoint API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). You can now download the relevant configuration file for your SIEM and connect to the Defender for Endpoint API. For more information, see, [Pull alerts to your SIEM tools](configure-siem.md).
- In the ArcSight configuration file / Splunk Authentication Properties file ? you will have to write your application key manually by settings the secret value. - In the ArcSight configuration file / Splunk Authentication Properties file, write your application key manually by setting the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs ## Fetch alerts from MSSP customer's tenant using APIs
@ -193,7 +184,7 @@ You can now download the relevant configuration file for your SIEM and connect t
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md). For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
## Related topics ## See also
- [Grant MSSP access to the portal](grant-mssp-access.md) - [Grant MSSP access to the portal](grant-mssp-access.md)
- [Access the MSSP customer portal](access-mssp-portal.md) - [Access the MSSP customer portal](access-mssp-portal.md)
- [Configure alert notifications](configure-mssp-notifications.md) - [Configure alert notifications](configure-mssp-notifications.md)