diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index fbe3783a63..79f71ea262 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/08/2018 +ms.date: 12/04/2018 --- # Enable SIEM integration in Windows Defender ATP @@ -20,20 +20,26 @@ ms.date: 10/08/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +## Prerequisites +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. +- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. + +## Enabling SIEM integration 1. In the navigation pane, select **Settings** > **SIEM**. - ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) + ![Image of SIEM integration from Settings menu](images/enable_siem.png) 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. - > [!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + > [!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + + ![Image of SIEM integration from Settings menu](images/siem_details.png) 3. Choose the SIEM type you use in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png new file mode 100644 index 0000000000..ac8a62b883 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/siem_details.png b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png new file mode 100644 index 0000000000..94c724f0c8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png differ