diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md index 5cad458160..4465dd1ba4 100644 --- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Configure an Azure Active Directory application for SIEM integration -description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools. +description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools. keywords: configure aad for siem integration, siem integration, application, oauth 2 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,64 +21,60 @@ You need to add an application in your Azure Active Directory (AAD) tenant then 1. Login to the [Azure management portal](https://manage.windowsazure.com). -2. Select **Active Directory**. +2. Select **Active Directory**. -3. Select your tenant. +3. Select your tenant. 4. Select **Applications**, then select **Add** to create a new application. -5. Select **Add an application my organization is developing**. +5. Select **Add an application my organization is developing**. 6. Choose a client name for the application, for example, *Alert Export Client*. -7. Select **WEB APPLICATION AND/OR WEB API**. +7. Select **WEB APPLICATION AND/OR WEB API**. 8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`. 9. Confirm the request details and verify that you have successfully added the app. -10. Select the application you've just created from the directory application list and select **Configure**. +10. Select the application you've just created from the directory application list and select **Configure**. 11. Type the following URL in the **Reply URL** field: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`. -12. Scroll down to the **keys** section and select a duration for the application key. +12. Scroll down to the **keys** section and select a duration for the application key. 13. Select **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory. 14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=&clientSecret=1234`. An Azure login page appears. > **Notes:**   -- Replace *tenant ID* with your actual tenant ID. +- Replace *tenant ID* with your actual tenant ID. - Keep the client secret as is. This is a dummy value, but the parameter must appear. -15. Sign in with the credentials of a user from your tenant. +15. Sign in with the credentials of a user from your tenant. -16. Select **Accept** to provide consent. Ignore the error. +16. Select **Accept** to provide consent. Ignore the error. -17. Select **Application configuration** under your tenant. +17. Select **Application configuration** under your tenant. 18. Select **Permissions to other applications**, then select **Add application**. 19. Select **All apps** from the **SHOW** field and submit. -20. Select **SevilleAlertExport** [RONEN, I ASSUME THIS WILL BE RENAMED?], then select **+** to add the application. You should see it on the **SELECTED** panel. +20. Select **SevilleAlertExport** [RONEN, I ASSUME THIS WILL BE RENAMED?], then select **+** to add the application. You should see it on the **SELECTED** panel. 21. Submit your changes. 22. On the **SevilleAlertExport** record, in the **Delegated Permissions** field, select **Access SevilleAlertExport**. -23. Save the application changes. +23. Save the application changes. -After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. +After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. -RONEN - I THINK I'M MISSING SOME STEPS HERE - I THINK I NEED TO PUT IN INFORMATION ON CLICK VIEW ENDPOINT SO THAT CUSTOMERS CAN SEE THEIR OAUTH 2 TOKEN ENDPOINT AND OAUTH 2 AUTHORIZATION ENDPOINT DETAILS. +RONEN - I THINK I'M MISSING SOME STEPS HERE - I THINK I NEED TO PUT IN INFORMATION ON CLICK VIEW ENDPOINT SO THAT CUSTOMERS CAN SEE THEIR OAUTH 2 TOKEN ENDPOINT AND OAUTH 2 AUTHORIZATION ENDPOINT DETAILS. SHOULD I INCLUDE THOSE INFORMATION HERE? OR CREATE A SEPARATE TOPIC FOR THAT? OR INCLUDE IT IN THE SPLUNK/ARCSIGHT STEPS? ## Related topics -- Configure Splunk -- Configure HP ArcSight - - - - +- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index dd0655939d..66cefde656 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md @@ -119,7 +119,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection Value = 0 - block sample collection Value = 1 - allow sample collection ``` -5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](configure-gp-windows-defender-advanced-threat-protection.md). +5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). > **Note**  If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.