deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add related topic for incident content, add mssp content

Browse Source
This commit is contained in:
Joey Caparas
2018-08-25 13:15:51 -07:00
parent 119696c921
commit 4d5c6d2e10
7 changed files with 331 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -63,11 +63,12 @@
###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) ###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
### [Auto investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) ### [Auto investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md)
### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) ### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
#### [Threat analytics](threat-analytics.md) #### [Threat analytics](threat-analytics.md)
#### [Threat analytics for Spectre and meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) #### [Threat analytics for Spectre and meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) ### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)
#### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) #### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) ##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
@ -76,7 +77,6 @@
#####[Create custom detections rules](custom-detection-rules.md) #####[Create custom detections rules](custom-detection-rules.md)
### [Management and APIs](management-apis.md) ### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
@ -139,13 +139,16 @@
###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md) ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
#### [Managed service provider provider support](mssp-support-windows-defender-advanced-threat-protection.md)
### [Microsoft threat protection](threat-protection-integration.md) ### [Microsoft threat protection](threat-protection-integration.md)
#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
#### [Overview of Microsoft Cloud App Security integration](overview-mcas-integration.md)
#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md) #### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
## [Get started](get-started.md) ## [Get started](get-started.md)
### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
@ -300,6 +303,7 @@
###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) ###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md) ####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)
#### [Configure Managed security service provider support]()
### Configure Microsoft threat protection integration ### Configure Microsoft threat protection integration
#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)

256
windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,256 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/03/2018
---
# Configure managed security service provider integration
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease<73>information](prerelease.md)]
You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
>[!NOTE]
>The following terms are used in this article to distinguish between the service provider and service consumer:
> - MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
> - MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
- Get access to MSSP customer<65>s Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
## Initial steps
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, , other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken
- **Action**: Configure managed service provider user access to the Windows Defender Security Center portal. <br> **Taken by**: MSSP customer
- **Action**: Configure alert notifications sent to MSSPs <br> **Taken by**: MSSP customer or MSSP
- **Action**: Fetch alerts from MSSP customer's tenant into SIEM system <br> **Taken by**: MSSP
- **Action**: [LZ]Fetch data using WD ATP API's <br> **Taken by**: MSSP
## Configure managed service provider user access to the portal
>[!NOTE]
>These set of steps are directed towards the MSSP customer. Access to the portal can can only be done by the MSSP customer.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
Adding a guest user is done in a similar way to regular users. They must be added to a corresponding group.
For role-based access control (RBAC) version 1 customers: Guest users must be assigned to directory roles (security administrator or security reader).
For role-based access control (RBAC) version 2 customers: Guest users must be added to corresponding group or groups.
Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection).
>[!NOTE]
> There is no difference between the Member user and Guest user roles from RBAC perspective.
It is recommended that groups are created for MSSPs to make authorization access more manageable.
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
## Access the Windows Defender Security Center MSSP customer portal
By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=target_tenant_id` to access the MSSP customer portal.
In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
1. As an MSSP, login to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select** Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the `tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=target_tenant_id`.
## Configure alert notifications that are sent to MSSPs
>[!NOTE]
>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications).
These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
## Fetch alerts from customer tenants into mssp SIEM system
To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application <br>
Step 2: Get access and refresh tokens from your customer's tenant <br>
Step 3: Whitelist your application on Windows Defender Security Center
## Customer steps
## Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
3. Click **New application registration**.
4. Specify the following values:
- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Application type: Web app / API
- Sign-on URL: `https://SiemMsspConnector`
5. Click **Create**. The application is displayed in the list of applications you own.
6. Select the application, then click **Settings** > **Properties**.
7. Copy the value from the **Application ID** field.
8. Change the value in the **App ID URI** to: `https://<domain_name>/SiemMsspConnector` (replace \<domain_name\> with the tenant name.
9. Ensure that the **Multi-tenanted** field is set to **Yes**.
10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`.
11. Click **Save**.
12. Select **Keys** and specify the following values:
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
13. Click **Save**. Save the value is a safe place, you'll need this
## Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
1. Create a new folder and name it: `MsspTokensAcquisition`.
2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
>[!NOTE]
>In line 30, replace `authorzationUrl` with `authorizationUrl`.
3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
```
param (
[Parameter(Mandatory=$true)][string]$clientId,
[Parameter(Mandatory=$true)][string]$secret,
[Parameter(Mandatory=$true)][string]$tenantId
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Load our Login Browser Function
Import-Module .\LoginBrowser.psm1
# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"
Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
$login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorzationUrl: $authorizationUrl"
# Fake a proper endpoint for the Redirect URI
$code = LoginBrowser $authorizationUrl $redirectUri
# Acquire token using the authorization code
$Body = @{
grant_type = 'authorization_code'
client_id = $clientId
code = $code
redirect_uri = $redirectUri
resource = $resourceId
client_secret = $secret
}
$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken= $Response.refresh_token
Write-Host " ----------------------------------- TOKEN ---------------------------------- "
Write-Host $token
Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
Write-Host $refreshToken
```
4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
5. Run the following command:
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- Replace \<client_id\> with the Application ID you got from the previous step.
- Replace \<app_key\> with the application key you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's tenant ID.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
## Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have Manage portal system settings permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
2. Click **Settings** > **SIEM**.
3. Select the **MSSP** tab.
4. Enter the Application ID from the first step and your Tenant ID.
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md).
- In the ArcSight configuration file / Splunk Authentication Properties file <20> you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).

9
windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
View File

@ -9,8 +9,9 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: medium ms.localizationpriority: high
ms.date: 0 ms.date: 09/03/2018
---
# Investigate incidents in Windows Defender ATP # Investigate incidents in Windows Defender ATP
@ -59,6 +60,8 @@ You can click the circles on the incident graph to view the details of the malic
![Image of indcident details](images/atp-incident-graph-details.png) ![Image of indcident details](images/atp-incident-graph-details.png)
## Related topics ## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)

7
windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
View File

@ -9,8 +9,9 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: medium ms.localizationpriority: high
ms.date: 0 ms.date: 09/03/2018
---
# Manage Windows Defender ATP incidents # Manage Windows Defender ATP incidents
@ -57,4 +58,6 @@ Whenever a change or comment is made to an alert, it is recorded in the Comments
Added comments instantly appear on the pane. Added comments instantly appear on the pane.
## Related topics ## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md) - [View and organize the Incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)

7
windows/security/threat-protection/windows-defender-atp/management-apis.md
View File

@ -15,6 +15,11 @@ ms.date: 09/03/2018
# Overview of management and APIs # Overview of management and APIs
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink)
Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with flexibility and granular control to fit varying customer requirements. Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with flexibility and granular control to fit varying customer requirements.
@ -43,4 +48,6 @@ An important aspect of machine management is the ability to analyze the environm
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) - [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) - [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- [Role-based access control](rbac-windows-defender-advanced-threat-protection.md)

45
windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,45 @@
---
title: Managed security service provider (MSSP) support
description: Understand how Windows Defender ATP integrates with managed security service providers (MSSP)
keywords: mssp, integration, managed, security, service, provider
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/03/2018
---
# Managed security service provider support
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease<73>information](prerelease.md)]
Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Windows Defender ATP.
Windows Defender ATP adds support for this scenario by providing MSSP integration.
The integration will allow MSSPs to take the following actions:
- Get access to MSSP customer<65>s Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
## Related topic
- [Configure managed security service provider integration](configure-mssp-support-windows-defender-advanced-threat-protection.md)

4
windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
View File

@ -68,3 +68,7 @@ You can choose to limit the list of incidents shown based on their status to see
Use this filter to choose between focusing on incidents flagged as true alerts or false alerts. Use this filter to choose between focusing on incidents flagged as true alerts or false alerts.
## Related topics ## Related topics
- [Incidents queue](incidents-queue.md)
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)