updates from sme

Joey Caparas 2017-01-17 15:27:31 -08:00
parent 41b387593c
commit 6ffc0dcf3f
4 changed files with 21 additions and 17 deletions

View File

@ -24,7 +24,7 @@ localizationpriority: high
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://manage.windowsazure.com).
1. Login to the [Azure management portal](https://ms.portal.azure.com).
>!NOTE:
>Use your Azure credentials not the Windows Defender Advanced Threat protection portal credentials.
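Review bot: The callout on the unchanged context line `>!NOTE:` is not the `>[!NOTE]` syntax this same file uses further down (before the FetchToken placeholder list), so it will render as an ordinary block quote instead of a note box; since the portal link on this line pair is being changed to `https://ms.portal.azure.com` anyway, fix the callout marker in the same edit. The product name in the note body is also inconsistently capitalized ("Advanced Threat protection"); the rest of the document uses "Advanced Threat Protection".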
@ -80,30 +80,35 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
23. Save the application changes.
After configuring the application in AAD, you'll need to generate a refresh token. The refresh token is required when setting up an SIEM tool to consume alerts from Windows Defender ATP. Without the refresh token, the AAD application will not be authorized to provide alerts to your chosen SIEM tool. [AVIV IS THE LAST SENTENCE CORRECT? PLEASE CHECK.]
After configuring the application in AAD, you'll need to obtain a refresh token to be used when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM.
## Generate a refresh token
Windows Defender ATP provides an events URL that you can use to generate refresh tokens. Some SIEM applications also include tools that allow you to generate refresh tokens. This section provides information on how you can generate a refresh token using an events URL.
## Obtain a refresh token
This section provides information on how you can use an events URL to obtain a refresh token. Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM.
>[!NOTE]
>For HP ArcSight, you can obtain a refresh token using the restutil tool.
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
You'll use these values to generate the refresh token.
You'll use these values to obtain a refresh token.
### Generate the refresh token
>[!IMPORTANT]
>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret.
### Obtain a refresh token
1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
>[!NOTE]
>- Replace the *client ID* value with the one you got from your AAD application.
>- Replace *tenant ID* with your actual tenant ID.
>- Replace *client secret* with your encoded client secret. The client secret **must** be encoded.
>- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded.
2. Click **Accept**. A file is returned with your refresh token.
[AVIV, PLEASE PROVIDE IMAGE OF SCREENCAP OF RETURNED VALUE WITH THE REFRESH TOKEN. JOEY: BLUR OUT ALL THE OTHER INFORMATION.]
2. Click **Accept**. When you authenticate, a web page opens with your refresh token.
![Image of web page with refresh token](images/atp-refresh-token.png)
3. Save the refresh token value in a safe place. You'll need this value when configuring your SIEM tool.
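Review bot: The step-1 URL `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>` passes the OAuth 2 client secret as a query-string parameter typed into a browser, so the secret will be retained in browser history and can appear in proxy and web-server access logs; the procedure should say so and tell the reader to clear the URL from history afterwards and to treat the secret as a credential that has been exposed in transit logs, not only to "save the refresh token value in a safe place". Two smaller points in the same hunk: after this change the file contains both `## Obtain a refresh token` and `### Obtain a refresh token`, so the second heading gets a disambiguated anchor and the two headings read as duplicates; rename the H3 (for example to a step-oriented title) so the `#obtain-a-refresh-token` links from the Splunk and ArcSight pages unambiguously target the section with the prerequisites. And the replacement bullet "The client secret **must** be pasted encoded" reads oddly; "must be URL-encoded before you paste it" says what the preceding IMPORTANT box means.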

View File

@ -29,8 +29,7 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Download the *WDATP-connector.properties* file and update the following values:
(JOEY: PUT IN THE LINK FROM DOWNLOAD MANAGEMENT STUDIO)
- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values:
- **client_ID**: OAuth 2 Client ID
- **client_secret**: OAuth 2 Client secret
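Review bot: The new download link for `WDATP-connector.properties` is plain `http://download.microsoft.com/...`, so the connector configuration file is fetched without transport integrity; link to an `https://` URL or publish a hash next to the link, because this is the file into which the reader then writes the `client_ID` and `client_secret` values. Since the context lines show the OAuth 2 client secret being stored in this properties file in clear text, the "Before you begin" list would also benefit from one sentence on restricting read access to the connector's configuration folder on the ArcSight host.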
@ -47,15 +46,15 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
- **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- **scope**: Leave the value blank
- Download the *WDATP-connector.jsonparser.properties* file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. (JOEY: PUT IN THE LINK FROM DOWNLOAD MANAGEMENT STUDIO)
- Download the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties). This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet.
## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide.
1. Save the *wdatp-connector.jsonparser.properties* file into the connector installation folder. The
1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder. The
2. Save the *wdatp-connector.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
3. Open an elevated command-line:
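Review bot: Step 1's replacement line is cut off mid-sentence ("...into the connector installation folder. The") and repeats the word "file" ("[WDATP-connector.jsonparser.properties file](...) file"); finish or remove the dangling "The" and drop the duplicate word. Step 1 also gives only "the connector installation folder" while step 2 gives the exact subfolder `<root>\current\user\agent\flexagent`; state the destination for the JSON parser file with the same precision. The jsonparser download link has the same plain `http://` issue as the properties link in the earlier hunk. Finally, the link text now spells the files `WDATP-connector...` while the later table context still says "Select *wdatp-connector.properties*"; use one casing throughout so readers can match the file they downloaded to the one the wizard asks for.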
@ -89,7 +88,7 @@ The following steps assume that you have completed all the required steps in [Be
<td>Select *wdatp-connector.properties*.</td>
<tr>
<td>Refresh Token</td>
<td>You can use the Windows Defender ATP events URL or the restutil tool to get generate a refresh token. <br> For more information on getting your refresh token using the events URL, see [Generate a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#generate-a-refresh-token). </br> </br>**To get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br></br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Paste the value in the form.
<td>You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token. <br> For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). </br> </br>**To get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br></br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Paste the value in the form.
</td>
</tr>
</tr>
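Review bot: "to get obtain a refresh token" leaves the old verb in place; delete "get". The cell also uses `</br>` as a line break, which is not valid HTML (use `<br>` or `<br />`), and the context lines close the row twice (`</tr>` `</tr>`), which will produce a malformed table. The restutil command in step b points at `C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties` while step a navigates to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`; use one consistent placeholder path so the reader does not copy a path that does not exist on their host. Step c asks for credentials twice ("Type in your credentials then click on the password field... In the login prompt, enter your credentials"); describe the sequence once. And since step d prints the refresh token to the command prompt, the procedure should remind the reader that the value then sits in the console scrollback and should be cleared once pasted into the form, consistent with the AAD page's instruction to keep the token in a safe place.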

View File

@ -26,7 +26,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Generate your refresh token. For more information, see [Generate a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#generate-a-refresh-token).
- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).
- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
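Review bot: The updated link `configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token` is consistent with the renamed heading, but that file now carries an H2 and an H3 with the identical text "Obtain a refresh token"; the anchor resolves to the first (the H2 with the prerequisites), which is the right target, so either keep that ordering or rename the H3 there so this link does not silently change target if the sections are later reordered.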

Binary file not shown. After: size 224 KiB.