mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 06:47:21 +00:00
add properties file
This commit is contained in:
Joey Caparas
parent
b530a3a3ac
commit
6718c0a0fd
125
windows/keep-secure/WDATP-Connector.jsonparser.properties
Normal file
125
windows/keep-secure/WDATP-Connector.jsonparser.properties
Normal file
@ -0,0 +1,125 @@
|
||||
#json parser file for Windows Defender ATP alerts
|
||||
trigger.node.location=/
|
||||
token.count=22
|
||||
|
||||
token[0].name=AlertTime
|
||||
token[0].type=String
|
||||
token[0].location=AlertTime
|
||||
|
||||
token[1].name=ComputerDnsName
|
||||
token[1].type=String
|
||||
token[1].location=ComputerDnsName
|
||||
|
||||
token[2].name=AlertTitle
|
||||
token[2].type=String
|
||||
token[2].location=AlertTitle
|
||||
|
||||
token[3].name=Category
|
||||
token[3].type=String
|
||||
token[3].location=Category
|
||||
|
||||
token[4].name=Severity
|
||||
token[4].type=String
|
||||
token[4].location=Severity
|
||||
|
||||
token[5].name=AlertId
|
||||
token[5].type=String
|
||||
token[5].location=AlertId
|
||||
|
||||
token[6].name=Actor
|
||||
token[6].type=String
|
||||
token[6].location=Actor
|
||||
|
||||
token[7].name=LinkToWDATP
|
||||
token[7].type=String
|
||||
token[7].location=LinkToWDATP
|
||||
|
||||
token[8].name=IocName
|
||||
token[8].type=String
|
||||
token[8].location=IocName
|
||||
|
||||
token[9].name=IocValue
|
||||
token[9].type=String
|
||||
token[9].location=IocValue
|
||||
|
||||
token[10].name=CreatorIocName
|
||||
token[10].type=String
|
||||
token[10].location=CreatorIocName
|
||||
|
||||
token[11].name=CreatorIocValue
|
||||
token[11].type=String
|
||||
token[11].location=CreatorIocValue
|
||||
|
||||
token[12].name=FileHash
|
||||
token[12].type=String
|
||||
token[12].location=FileHash
|
||||
|
||||
token[13].name=FileName
|
||||
token[13].type=String
|
||||
token[13].location=FileName
|
||||
|
||||
token[14].name=FilePath
|
||||
token[14].type=String
|
||||
token[14].location=FilePath
|
||||
|
||||
token[15].name=IpAddress
|
||||
token[15].type=IPAddress
|
||||
token[15].location=IpAddress
|
||||
|
||||
token[16].name=Url
|
||||
token[16].type=String
|
||||
token[16].location=Url
|
||||
|
||||
token[17].name=IoaDefinitionId
|
||||
token[17].type=String
|
||||
token[17].location=IoaDefinitionId
|
||||
|
||||
token[18].name=UserName
|
||||
token[18].type=String
|
||||
token[18].location=UserName
|
||||
|
||||
token[19].name=AlertPart
|
||||
token[19].type=Integer
|
||||
token[19].location=AlertPart
|
||||
|
||||
token[20].name=FullId
|
||||
token[20].type=String
|
||||
token[20].location=FullId
|
||||
|
||||
token[21].name=LastProcessedTimeUtc
|
||||
token[21].type=String
|
||||
token[21].location=LastProcessedTimeUtc
|
||||
|
||||
event.deviceVendor=__stringConstant("Microsoft")
|
||||
event.deviceProduct=__stringConstant("Windows Defender ATP")
|
||||
event.deviceVersion=__stringConstant("1.0")
|
||||
|
||||
event.deviceReceiptTime=__createOptionalTimeStampFromString(AlertTime,"yyyy-MM-dd'T'hh\:mm\:ss")
|
||||
event.sourceDnsDomain=ComputerDnsName
|
||||
event.name=AlertTitle
|
||||
event.deviceEventCategory=Category
|
||||
event.deviceSeverity=Severity
|
||||
event.externalId=AlertId
|
||||
event.deviceCustomString1=Actor
|
||||
event.deviceCustomString1Label=__stringConstant("Actor")
|
||||
event.deviceCustomString2=LinkToWDATP
|
||||
event.deviceCustomString2Label=__stringConstant("Link to WDATP")
|
||||
event.deviceCustomString3=IocName
|
||||
event.deviceCustomString3Label=__stringConstant("IOC Name")
|
||||
event.deviceCustomString4=IocValue
|
||||
event.deviceCustomString4Label=__stringConstant("IOC Value")
|
||||
event.deviceCustomString5=CreatorIocName
|
||||
event.deviceCustomString5Label=__stringConstant("Creator IOC Name")
|
||||
event.deviceCustomString6=CreatorIocValue
|
||||
event.deviceCustomString6Label=__stringConstant("Creator IOC Value")
|
||||
event.fileHash=FileHash
|
||||
event.fileName=FileName
|
||||
event.filePath=FilePath
|
||||
event.sourceAddress=IpAddress
|
||||
event.sourceUserName=UserName
|
||||
event.requestUrl=Url
|
||||
event.message=FullId
|
||||
|
||||
severity.map.high.if.deviceSeverity=High
|
||||
severity.map.medium.if.deviceSeverity=Medium
|
||||
severity.map.low.if.deviceSeverity=Low
|
||||
@ -25,11 +25,16 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
|
||||
1. Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
|
||||
- OAuth 2 Token refresh URL
|
||||
- OAuth 2 Client ID
|
||||
- OAuth 2 Client secret
|
||||
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide.
|
||||
2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following:
|
||||
|
||||
- client_ID value: OAuth 2 Client ID
|
||||
- client_secret value: OAuth 2 Client secret
|
||||
- auth_url value: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
|
||||
- redirect_uri value: Keep default value
|
||||
|
||||
> [!NOTE]
|
||||
> **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com``` <br>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user