From 7604d2b7209fc09ddc44f721cf725b520e1fbacb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 12:39:24 -0700 Subject: [PATCH] add siem troubleshooting topic --- windows/keep-secure/TOC.md | 1 + ...e-siem-windows-defender-advanced-threat-protection.md | 9 +++++---- ...t-siem-windows-defender-advanced-threat-protection.md | 8 ++++---- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e249568df7..a6e97434bf 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -786,6 +786,7 @@ ##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) ##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) ##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index 31ea81e97e..5bd33553ac 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md 
@@ -34,8 +34,8 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). 
@@ -51,7 +51,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull Topic | Description :---|:--- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. -[Configure ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. +[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. 
+[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md index a032c56479..c782fef5df 100644 --- a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -27,7 +27,7 @@ This page provides detailed steps to troubleshoot issues you might encounter. ## Learn how to get a new client secret -If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret. +If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret. 1. Login to the [Azure management portal](https://ms.portal.azure.com). @@ -35,7 +35,7 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **Application**, then select your custom threat intelligence application. The application name is **GET FROM SME**. +4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`. 5. Select **Keys** section, then provide a key description and specify the key validity duration. 
@@ -46,7 +46,7 @@ If your client secret expires or if you've misplaced the copy provided when you ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
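Review bot: the link text in the `@@ -51,7 +51,8 @@` hunk of configure-siem-windows-defender-advanced-threat-protection.md and in the Related topics hunk of troubleshoot-siem-windows-defender-advanced-threat-protection.md reads "Configure ArcSight to pull Windows Defender ATP alerts", while the TOC.md hunk and the `@@ -34,8 +34,8 @@` hunk of the same configure-siem file read "Configure HP ArcSight to pull Windows Defender ATP alerts"; since this patch is renaming these links for consistency, pick one form (the TOC entry suggests "Configure HP ArcSight to pull Windows Defender ATP alerts") and use it in all four places.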
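Review bot: in the `@@ -35,7 +35,7 @@` hunk of troubleshoot-siem-windows-defender-advanced-threat-protection.md, the "GET FROM SME" placeholder is replaced with `https://windowsdefenderatpsiemconnector`, which has the shape of an App ID URI rather than a display name, yet the sentence still calls it "The application name"; confirm which column of the Azure portal's application list the reader is expected to match and word step 4 accordingly, for example "The application's identifier is `https://windowsdefenderatpsiemconnector`." While touching this section, the surrounding context lines would also benefit from "Log in to the [Azure management portal]" in step 1 and "Select the **Keys** section" in step 5.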
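Review bot: the `@@ -27,7 +27,7 @@` hunk of troubleshoot-siem-windows-defender-advanced-threat-protection.md now sends the reader here when the client secret "expires or if you've misplaced the copy provided", but the visible steps (1 through 5) only describe creating a new key with a description and validity duration; if the steps beyond this hunk do not already do so, add a step telling the reader to copy the new key value when it is displayed, and a step to remove the expired or misplaced key from the **Keys** section so the old credential does not remain valid alongside the new one.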