deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Joey Caparas 2017-01-13 19:23:19 -08:00
parent dc5762f1b0
commit 6de731e1fb
3 changed files with 56 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
View File

@ -25,6 +25,8 @@ localizationpriority: high
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://manage.windowsazure.com). 1. Login to the [Azure management portal](https://manage.windowsazure.com).
>!NOTE:
>Use your Azure credentials not the Windows Defender Advanced Threat protection portal credentials.
2. Select **Active Directory**. 2. Select **Active Directory**.
@ -78,7 +80,32 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
23. Save the application changes. 23. Save the application changes.
After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. After configuring the application in AAD, you'll need to generate a refresh token. The refresh token is required when setting up an SIEM tool to consume alerts from Windows Defender ATP. Without the refresh token, the AAD application will not be authorized to provide alerts to your chosen SIEM tool. [AVIV IS THE LAST SENTENCE CORRECT? PLEASE CHECK.]
## Generate a refresh token
Windows Defender ATP provides an events URL that you can use to generate refresh tokens. Some SIEM applications also include tools that allow you to generate refresh tokens. This section provides information on how you can generate a refresh token using an events URL.
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
You'll use these values to generate the refresh token.
### Generate the refresh token
1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
>[!NOTE]
>- Replace the *client ID* value with the one you got from your AAD application.
>- Replace *tenant ID* with your actual tenant ID.
>- Replace *client secret* with your encoded client secret. The client secret **must** be encoded.
2. Click **Accept**. A file is returned with your refresh token.
[AVIV, PLEASE PROVIDE IMAGE OF SCREENCAP OF RETURNED VALUE WITH THE REFRESH TOKEN. JOEY: BLUR OUT ALL THE OTHER INFORMATION.]
3. Save the refresh token value in a safe place. You'll need this value when configuring your SIEM tool.
## Related topics ## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)

38
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -25,26 +25,37 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
## Before you begin ## Before you begin
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: - Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL - OAuth 2 Token refresh URL
- OAuth 2 Client ID - OAuth 2 Client ID
- OAuth 2 Client secret - OAuth 2 Client secret
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide. - Download the *WDATP-connector.properties* file and update the following values:
(JOEY: PUT IN THE LINK FROM DOWNLOAD MANAGEMENT STUDIO)
> [!NOTE] - **client_ID**: OAuth 2 Client ID
> **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com``` <br> - **client_secret**: OAuth 2 Client secret
> **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector``` - **auth_url**: ```https://login.microsoftonline.com/<tenantID>?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
>
- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. >!NOTE
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. >Replace *tenantID* with your tenant ID.
- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide.
- **token_url**: `https://login.microsoftonline.com/<tenantID>/oauth2/token`
>!NOTE
>Replace the *tenantID* value with your tenant ID.
- **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- **scope**: Leave the value blank
- Download the *WDATP-connector.jsonparser.properties* file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. (JOEY: PUT IN THE LINK FROM DOWNLOAD MANAGEMENT STUDIO)
- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet.
## Configure HP ArcSight ## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide.
1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder. 1. Save the *wdatp-connector.jsonparser.properties* file into the connector installation folder. The
2. Save the *wdatp-connector.properties* file into a folder of your choosing. 2. Save the *wdatp-connector.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
3. Open an elevated command-line: 3. Open an elevated command-line:
@ -78,7 +89,8 @@ The following steps assume that you have completed all the required steps in [Be
<td>Select *wdatp-connector.properties*.</td> <td>Select *wdatp-connector.properties*.</td>
<tr> <tr>
<td>Refresh Token</td> <td>Refresh Token</td>
<td>Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.</td> <td>You can use the Windows Defender ATP events URL or the restutil tool to get generate a refresh token. <br> For more information on getting your refresh token using the events URL, see [Generate a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#generate-a-refresh-token). </br> </br>**To get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br></br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Paste the value in the form.
</td>
</tr> </tr>
</tr> </tr>
</table> </table>

6
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -25,9 +25,9 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin ## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Contact the Windows Defender ATP team to get your refresh token - Generate your refresh token. For more information, see [Generate a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#generate-a-refresh-token).
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: - Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL - OAuth 2 Token refresh URL
- OAuth 2 Client ID - OAuth 2 Client ID
- OAuth 2 Client secret - OAuth 2 Client secret