diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 26494aa53f..35d2fd1688 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -38,8 +38,9 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP - **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ``` For example: `https:////oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com` + - **token_url**: Use your tenant ID URL [JOEY: NOT SURE IF THIS IS CORRECT - PLEASE HELP PROVIDE TECHNICAL DESCRIPTION] - **redirect_uri**: ```https://localhost:44300/wdatpconnector``` - - **scope**: Can be left blank but must be present + - **scope**: Leave blank [JOEY: NOT SURE IF THIS IS CORRECT - PLEASE CHECK] 3. Download the wdatp-connector.json.properties file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. (JOEY: UPLOAD FILE IN DOWNLOAD CENTER) 
@@ -47,61 +48,94 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP ## Install and configure HP ArcSight SmartConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). -1. Install the latest 32-bit Windows SmartConnector installer. how to get? JOEY: Hi Aviv, is it this one: https://marketplace.saas.hpe.com/arcsight/content/connector ? +1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in `C:\ArcSightSmartConnectors\\`. -2. Follow the on-screen instructions. The tool is typically installed in `C:\ArcSightSmartConnectors\\`. - -3. Open File Explorer to the installation location and put the two configuration files the following location: +2. Open File Explorer and put the two configuration files in the installation location, for example: - WDATP-connector.jsonparser.properties: `C:\ArcSightSmartConnectors\\current\user\agent\flexagent\` - WDATP-connector.properties: `C:\ArcSightSmartConnectors\\` +[AVIV - I BELIEVE THERE ARE SEVERAL SCREENS BEFORE THE CONNECTOR SETUP IS DISPLAYED. CAN YOU PROVIDE THOSE PLEASE?] + +3. In the Connector Setup window, select **Add a Connector**. + + ![Connector Setup window - select Add a Connector](images/hp-1.png) + 4. Select the ArcSight FlexConnector REST connector. +![Connector Setup window - select ArcSight FlexConnector REST](images/hp-2.png) + 5. Generate a refresh token to use in the installer: - a. Open a command prompt. Browse to `C:\ArcSightSmartConnectors\\current\bin` + a. Open a command prompt. Browse to `C:\ArcSightSmartConnectors\\current\bin` - b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties` - A Web browser window will open. + b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties` + A Web browser window will open. - c. 
Type in `@microsoft.com` then click on the password field to let the page redirect. + c. Type in your credentials then click on the password field to let the page redirect. - d. In the login prompt enter your `DOMAIN\alias` and your password. You will be redirected a couple of times. After providing permission to the App (JOEY: QUESTION: PERMISSION TO WHAT? ACCESS THE AAD APP?) A token is shown. + d. In the login prompt enter your `DOMAIN\alias` [AVIV - ARE WE SURE OUR CUSTOMERS FULLOW THE SAME DOMAIN\ALIAS FORMAT?] and your password. After some redirects and providing permission to the app, a token is provided in the command prompt. - f. Save the token in a secure location. + f. Save the token in a secure location. - ---- - 6. In the form fill in the following required parameters with these values: -All other values in the form are optional and can be left blank. -Field Value -Configuration File Type in the name of the client property file. It must match the client property file. -Events URL https://DataAccess-PRD.trafficmanager.net:444/api/alerts -Authentication Type OAuth 2 -OAuth 2 Client Properties file Select wdatp-connector.properties. -Refresh Token Paste the refresh token you generated in the previous steps. +6. Type the following required parameters in the parameter details form. All other values in the form are optional and can be left blank. -7. Destination: ArcSight Manager (encrypted) +![Connector Setup - Enter parameter details](images/hp-3.png) + +Field | Value +:---|:--- +Configuration File | Type in the name of the client property file. It must match the client property file. +Events URL | https://DataAccess-PRD.trafficmanager.net:444/api/alerts +Authentication Type | OAuth 2 +OAuth 2 Client Properties file | Select wdatp-connector.properties. +Refresh Token | Paste the refresh token you generated in the previous step. + +You can leave the destination parameter fields with the default values. + +Type in a name for the connector. 
You can leave the other fields blank. +![Connector Setup - Enter connector details](images/hp-6.png) +[JOEY: REMOVE WDATP FROM IMAGE] + +[AVIV - NEED SCREENSHOTS FOR STEPS 7-13] + +7. Destination: ArcSight Manager (encrypted) 8. Connector details 9. Name: WDATP 10. Import the ESM certificate 11. Install as a service 12. Internal Name: WDATP -13. Finish with the installer. -Note: -The connector is not yet running, run manually for the first time to see any errors. - From the cmd shell open, still in C:\ArcSightSmartConnectors\\current\bin, run: arcsight.bat connectors -If you see this error: Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token : -a) Kill the process (ctrl-c) -b) Edit C:\ArcSightSmartConnectors_Prod\\WDATP-connector.properties and add this: -reauthenticate=true -c) re-run the command line connector start: arcsight.bat connectors -d) A browser window should appear, allow it to run, it should disappear, and the connector should be now running. -Note: To be sure kill the process again (ctrl-c), start again, and no browser window should appear -e) To verify events are flowing (a good filter initially is Device Product = Windows Defender ATP). If so kill the process again and go to Windows Services and start the ArcSight FlexConnector REST for WDATP +13. Finish with the installer. +14. Run the connector by running the following command from the installation directory, for example: ` C:\ArcSightSmartConnectors\\current\bin, run: arcsight.bat connectors` -## HP ArcSight -JOEY: what is this section going to talk about? Settings? +15. Verify events are flowing by setting the initial filter to Device Product = Windows Defender ATP. If so stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. +[BRIAN/AVIV - I CREATED A TROUBLSHOOTING SECTION AND MOVED SOME CONTENT THERE. 
CAN YOU VERIFY IF MY UNDERSTANTING IS CORRECT PLEASE?] + +## HP ArcSight queries [AVIV, SHOULD WE CALL IT QUERY?] +You can now run queries in the HP ArcSight console. + +In the HP ArcSight console, create a Windows Defender ATP channel with intervals and properties suitable to your enterprise needs. + +Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. + + +## Troubleshooting HP ArcSight connection [AVIV/BRIAN - SHOULD WE CALL IT CONNECTION?] +**Problem:** Failed to refresh the token. + +**Symptom:** You get the following error message: + +`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token` + +**Solution:** +1. Stop the process. +2. Edit the properties file: `C:\ArcSightSmartConnectors_Prod\\WDATP-connector.properties` and add the following value: +`reauthenticate=true`. + +3. Restart the connector by running the following command: `arcsight.bat connectors`. + + A browser window appears. Allow it to run, it should disappear, and the connector should now be running. + + > [!NOTE] + > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics - [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/images/hp-1.png b/windows/keep-secure/images/hp-1.png new file mode 100644 index 0000000000..d841d1b4af Binary files /dev/null and b/windows/keep-secure/images/hp-1.png differ diff --git a/windows/keep-secure/images/hp-2.png b/windows/keep-secure/images/hp-2.png new file mode 100644 index 0000000000..27a21927bc Binary files /dev/null and b/windows/keep-secure/images/hp-2.png differ 
diff --git a/windows/keep-secure/images/hp-3.png b/windows/keep-secure/images/hp-3.png new file mode 100644 index 0000000000..6c897b6a9c Binary files /dev/null and b/windows/keep-secure/images/hp-3.png differ diff --git a/windows/keep-secure/images/hp-4.png b/windows/keep-secure/images/hp-4.png new file mode 100644 index 0000000000..6dffcadf90 Binary files /dev/null and b/windows/keep-secure/images/hp-4.png differ diff --git a/windows/keep-secure/images/hp-5.png b/windows/keep-secure/images/hp-5.png new file mode 100644 index 0000000000..ce350e75db Binary files /dev/null and b/windows/keep-secure/images/hp-5.png differ diff --git a/windows/keep-secure/images/hp-6.png b/windows/keep-secure/images/hp-6.png new file mode 100644 index 0000000000..5e75ff5494 Binary files /dev/null and b/windows/keep-secure/images/hp-6.png differ
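Review bot: in the first hunk (`@@ -38,8 +38,9 @@`), the rewritten `scope` bullet drops the constraint the previous text carried ("Can be left blank but must be present"), so a reader following the new wording may omit the key from the properties file entirely; suggest `- **scope**: Leave blank, but the key must still be present`. The same hunk commits unresolved author placeholders into the published page: the new `token_url` bullet ("Use your tenant ID URL [JOEY: NOT SURE IF THIS IS CORRECT ...]") is not an actionable instruction and needs a concrete description of the value, the `scope` bullet ends in "[JOEY: ... PLEASE CHECK]", and step 3 still reads "(JOEY: UPLOAD FILE IN DOWNLOAD CENTER)" with no download link. Note also that the surrounding `auth_url` example, `https:////oauth2/authorize?...`, has the host and tenant segment missing between the slashes, so it cannot be copied as shown.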
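Review bot: in the second hunk (`@@ -47,61 +48,94 @@`), new step 14 folds the working directory and the command into one code span, `` ` C:\ArcSightSmartConnectors\\current\bin, run: arcsight.bat connectors` ``, which is not a command a user can paste; suggest "From `C:\ArcSightSmartConnectors\\current\bin`, run `arcsight.bat connectors`". Step 5.c changed "Type in `@microsoft.com`" to "Type in your credentials then click on the password field to let the page redirect", but step 5.d is where the password is entered; 5.c should ask only for the sign-in name (UPN) so the page can redirect to the organization's login, not for credentials. Steps 7 to 13 duplicate and contradict the new table and the sentences that precede them ("You can leave the destination parameter fields with the default values" versus "7. Destination: ArcSight Manager (encrypted)"; "Type in a name for the connector" versus "9. Name: WDATP" and "12. Internal Name: WDATP"); either keep the list or the prose, not both. The properties file location is given three different ways (step 2: `C:\ArcSightSmartConnectors\\`, step 5.b: `C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`, troubleshooting: `C:\ArcSightSmartConnectors_Prod\\WDATP-connector.properties`) and should be made consistent. The sub-step lettering in step 5 goes a, b, c, d, f. Finally, the hunk still contains in-progress notes that must not ship: "[AVIV - I BELIEVE THERE ARE SEVERAL SCREENS ...]", "[AVIV - ARE WE SURE OUR CUSTOMERS FULLOW THE SAME DOMAIN\ALIAS FORMAT?]", "[JOEY: REMOVE WDATP FROM IMAGE]", "[AVIV - NEED SCREENSHOTS FOR STEPS 7-13]", "[BRIAN/AVIV - I CREATED A TROUBLSHOOTING SECTION ...]", and the bracketed questions in the two new section headings.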