From 6718c0a0fdbf9b84c5296c8c6725c93411dedec1 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Mon, 9 Jan 2017 11:11:12 -0800
Subject: [PATCH] add properties file

---
 .../WDATP-Connector.jsonparser.properties | 125 ++++++++++++++++++
 ...ows-defender-advanced-threat-protection.md | 9 +-
 2 files changed, 132 insertions(+), 2 deletions(-)
 create mode 100644 windows/keep-secure/WDATP-Connector.jsonparser.properties

diff --git a/windows/keep-secure/WDATP-Connector.jsonparser.properties b/windows/keep-secure/WDATP-Connector.jsonparser.properties
new file mode 100644
index 0000000000..71883b6f93
--- /dev/null
+++ b/windows/keep-secure/WDATP-Connector.jsonparser.properties
@@ -0,0 +1,125 @@
+#json parser file for Windows Defender ATP alerts
+trigger.node.location=/
+token.count=22
+
+token[0].name=AlertTime
+token[0].type=String
+token[0].location=AlertTime
+
+token[1].name=ComputerDnsName
+token[1].type=String
+token[1].location=ComputerDnsName
+
+token[2].name=AlertTitle
+token[2].type=String
+token[2].location=AlertTitle
+
+token[3].name=Category
+token[3].type=String
+token[3].location=Category
+
+token[4].name=Severity
+token[4].type=String
+token[4].location=Severity
+
+token[5].name=AlertId
+token[5].type=String
+token[5].location=AlertId
+
+token[6].name=Actor
+token[6].type=String
+token[6].location=Actor
+
+token[7].name=LinkToWDATP
+token[7].type=String
+token[7].location=LinkToWDATP
+
+token[8].name=IocName
+token[8].type=String
+token[8].location=IocName
+
+token[9].name=IocValue
+token[9].type=String
+token[9].location=IocValue
+
+token[10].name=CreatorIocName
+token[10].type=String
+token[10].location=CreatorIocName
+
+token[11].name=CreatorIocValue
+token[11].type=String
+token[11].location=CreatorIocValue
+
+token[12].name=FileHash
+token[12].type=String
+token[12].location=FileHash
+
+token[13].name=FileName
+token[13].type=String
+token[13].location=FileName
+
+token[14].name=FilePath
+token[14].type=String
+token[14].location=FilePath
+
+token[15].name=IpAddress
+token[15].type=IPAddress
+token[15].location=IpAddress
+
+token[16].name=Url
+token[16].type=String
+token[16].location=Url
+
+token[17].name=IoaDefinitionId
+token[17].type=String
+token[17].location=IoaDefinitionId
+
+token[18].name=UserName
+token[18].type=String
+token[18].location=UserName
+
+token[19].name=AlertPart
+token[19].type=Integer
+token[19].location=AlertPart
+
+token[20].name=FullId
+token[20].type=String
+token[20].location=FullId
+
+token[21].name=LastProcessedTimeUtc
+token[21].type=String
+token[21].location=LastProcessedTimeUtc
+
+event.deviceVendor=__stringConstant("Microsoft")
+event.deviceProduct=__stringConstant("Windows Defender ATP")
+event.deviceVersion=__stringConstant("1.0")
+
+event.deviceReceiptTime=__createOptionalTimeStampFromString(AlertTime,"yyyy-MM-dd'T'hh\:mm\:ss")
+event.sourceDnsDomain=ComputerDnsName
+event.name=AlertTitle
+event.deviceEventCategory=Category
+event.deviceSeverity=Severity
+event.externalId=AlertId
+event.deviceCustomString1=Actor
+event.deviceCustomString1Label=__stringConstant("Actor")
+event.deviceCustomString2=LinkToWDATP
+event.deviceCustomString2Label=__stringConstant("Link to WDATP")
+event.deviceCustomString3=IocName
+event.deviceCustomString3Label=__stringConstant("IOC Name")
+event.deviceCustomString4=IocValue
+event.deviceCustomString4Label=__stringConstant("IOC Value")
+event.deviceCustomString5=CreatorIocName
+event.deviceCustomString5Label=__stringConstant("Creator IOC Name")
+event.deviceCustomString6=CreatorIocValue
+event.deviceCustomString6Label=__stringConstant("Creator IOC Value")
+event.fileHash=FileHash
+event.fileName=FileName
+event.filePath=FilePath
+event.sourceAddress=IpAddress
+event.sourceUserName=UserName
+event.requestUrl=Url
+event.message=FullId
+
+severity.map.high.if.deviceSeverity=High
+severity.map.medium.if.deviceSeverity=Medium
+severity.map.low.if.deviceSeverity=Low
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index 614004d2dc..3bcc8701fa 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
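Review bot: The date pattern on the `event.deviceReceiptTime` line uses `hh`, which in Java-style date formats is the 1–12 clock hour, so an AlertTime after noon is mis-parsed or rejected; `HH` is the 0–23 hour that an ISO-8601 timestamp carries. Since the `__createOptionalTimeStampFromString` variant presumably tolerates a parse failure instead of failing the event, the receipt time would silently fall back and the alert's position on the ArcSight timeline would be wrong. Suggested line: `event.deviceReceiptTime=__createOptionalTimeStampFromString(AlertTime,"yyyy-MM-dd'T'HH\:mm\:ss")`; if AlertTime also carries fractional seconds or a trailing `Z`, the pattern needs those as well, so confirm against a sample alert. The severity map at the end only covers High, Medium and Low, so alerts with any other severity value (Informational, if the feed emits it) arrive with no mapped agent severity. Separately, the documentation hunk below links `WDATP-connector.properties` for the OAuth client settings, which is a different file from this parser file and is not added by this commit; confirm it exists at that path.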
@@ -25,11 +25,16 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP ## Before you begin -- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: +1. Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: - OAuth 2 Token refresh URL - OAuth 2 Client ID - OAuth 2 Client secret -- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide. +2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following: + + - client_ID value: OAuth 2 Client ID + - client_secret value: OAuth 2 Client secret + - auth_url value: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ``` + - redirect_uri value: Keep default value > [!NOTE] > **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com```