diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 7ac975bb30..70133bb672 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -772,7 +772,7 @@ ##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Get alerts using REST API](generic-api-windows-defender-advanced-threat-protection.md) +#### [Pull alerts using REST API](generic-api-windows-defender-advanced-threat-protection.md) ##### [SIEM schema portal mapping](siem-portal-mapping-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md index d7147d12a9..7f3ba226aa 100644 --- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md 
@@ -22,7 +22,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. +You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal. 1. Login to the [Azure management portal](https://ms.portal.azure.com). 
@@ -78,12 +78,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then 23. Save the application changes. -After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. +After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM. ## Obtain a refresh token using an events URL Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. >[!NOTE] ->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). +>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). ### Before you begin Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: 
@@ -111,6 +111,6 @@ You'll use these values to obtain a refresh token. After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool. ## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 5e3d96294d..83c4fa07da 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Configure HP ArcSight to consume Windows Defender ATP alerts -description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal. +title: Configure HP ArcSight to pull Windows Defender ATP alerts +description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal. keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure HP ArcSight to consume Windows Defender ATP alerts +# Configure HP ArcSight to pull Windows Defender ATP alerts **Applies to:** @@ -21,10 +21,10 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You'll need to install and configure some files and tools to use HP ArcSight so that it can consume Windows Defender ATP alerts. +You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to consume and parse alerts from your Azure Active Directory (AAD) application. +Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -178,6 +178,6 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index cf7c769cb5..a70a185dc7 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection -description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API. +title: Pull alerts and create custom indicators in Windows Defender Advanced Threat Protection +description: Learn how to configure supported security information and events management tools to receive and pull alerts and create custom indicators using REST API. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Consume alerts and create custom indicators +# Pull alerts and create custom indicators **Applies to:** 
@@ -21,8 +21,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -## Consume alerts using supported security information and events management (SIEM) tools -Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Pull alerts using supported security information and events management (SIEM) tools +Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. Windows Defender ATP currently supports the following SIEM tools: 
@@ -34,19 +34,21 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -## Create custom threat indicators in Windows Defender ATP -You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization. +For list of fields exposed in the Alerts API see Windows Defender ATP Alerts API fields (change title of the page according to link and add this part only once we finish working on the article with table of fields) + +## Pull Windows Defender ATP alerts using REST API +Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. +For more information, see [Pull Windows Defender ATP alerts using REST API](generic-api-windows-defender-advanced-threat-protection.md). -For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md). ## In this section Topic | Description :---|:--- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. 
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts. - [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts. - [Generic API] | Learn how to use a generic API to consume alerts from Windows Defender ATP. + [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. + [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. + [Pull Windows Defender ATP alerts using REST API](generic-api-windows-defender-advanced-threat-protection.md) | Learn how to use REST API to pull alerts from Windows Defender ATP. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index fc83f08574..18fa8ef5d5 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- -title: Configure Splunk to consume Windows Defender ATP alerts -description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal. +title: Configure Splunk to pull Windows Defender ATP alerts +description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure Splunk to consume Windows Defender ATP alerts +# Configure Splunk to pull Windows Defender ATP alerts **Applies to:** @@ -21,7 +21,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You'll need to configure Splunk so that it can consume Windows Defender ATP alerts. +You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. ## Before you begin @@ -132,6 +132,6 @@ Use the solution explorer to view alerts in Splunk. ## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md index cc7b1fa4a9..e96c6b4709 100644 
--- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -46,6 +46,6 @@ Enable security information and event management (SIEM) integration so that you You can now proceed with configuring your SIEM solution. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. ## Related topics -- [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - Configure generic API diff --git a/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md index db257ac2a3..82a534cb77 100644 --- a/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Get Windows Defender ATP alerts using REST API -description: Get alerts from the Windows Defender ATP portal REST API. -keywords: alerts, get alerts, rest api, request, response, +title: Pull Windows Defender ATP alerts using REST API +description: Pull alerts from the Windows Defender ATP portal REST API. +keywords: alerts, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Get Windows Defender ATP alerts using REST API +# Pull Windows Defender ATP alerts using REST API **Applies to:** @@ -21,7 +21,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP supports the OAuth 2.0 protocol to consume alerts from the portal. +Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. In general, the OAuth 2.0 protocol supports four types of flows: - Authorization grant flow @@ -37,10 +37,10 @@ The _Authorization grant flow_ uses user credentials to get an authorization cod The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. -Use the following method in the Windows Defender ATP API to get alerts in JSON format. +Use the following method in the Windows Defender ATP API to pull alerts in JSON format. ## Before you begin -- Before calling the Windows Defender ATP endpoint to get alerts, you'll need to enable the threat intelligence application in Azure Active Directory (AAD). For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). +- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the threat intelligence application in Azure Active Directory (AAD). For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). - Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) 
diff --git a/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md index 21f4217328..20a45772f7 100644 --- a/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Security information and events management (SIEM) schema and portal mapping description: Understand how the SIEM schema maps to the values in the Windows Defender ATP portal. -keywords: alerts, get alerts, rest api, request, response, +keywords: alerts, pull alerts, rest api, request, response, search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
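Review bot: In the configure-aad hunk at `@@ -22,7 +22,7 @@`, the touched sentence still uses "security information and events management (SIEM)" while the enable-siem-integration context line in the same patch uses the standard "security information and event management (SIEM)"; since the line is being rewritten anyway, standardize on "event management" here and in the configure-aad "Related topics" and configure-siem heading lines, and add the missing comma in "tenant then authorize" ("tenant, then authorize").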
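Review bot: In the configure-arcsight header hunk at `@@ -1,6 +1,6 @@`, the new description "Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal" is redundant: "receive and consume" described two steps, but "receive and pull" are the same action. Suggest "Configure HP ArcSight to pull alerts from the Windows Defender ATP portal." The same mechanical replacement produced "receive and pull" in the configure-siem and configure-splunk description lines, which should get the same fix.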
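Review bot: In the configure-siem header hunk at `@@ -1,6 +1,6 @@`, the title "Pull alerts and create custom indicators in Windows Defender Advanced Threat Protection", the description ("... and create custom indicators using REST API") and the keywords ("custom indicators", "indicators of compromise") still promise custom-indicator content, but the later hunk in the same file (`@@ -34,19 +34,21 @@`) removes the "Create custom threat indicators in Windows Defender ATP" section and its link to custom-ti-api-windows-defender-advanced-threat-protection.md. Either keep a one-line pointer to the custom TI page or drop "create custom indicators" from the title, description, H1 and keywords so the metadata matches what the page covers.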
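Review bot: In the configure-siem hunk at `@@ -21,8 +21,8 @@`, replacing "get" with "pull" in "The endpoint can be configured to pull alerts from your enterprise tenant" inverts the data flow: the endpoint is what exposes the alerts, and the SIEM connector is the party that pulls them. Suggest rewording to "The SIEM connector pulls alerts from this endpoint, authenticating to your enterprise tenant in Azure Active Directory (AAD) with the OAuth 2.0 protocol using an AAD application that represents the specific SIEM connector installed in your environment." While the line is open, also fix the stray parentheses in "Windows Defender ATP supports (SIEM) tools to pull alerts" ("supports SIEM tools").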
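Review bot: In the configure-siem hunk at `@@ -34,19 +34,21 @@`, the added line `+For list of fields exposed in the Alerts API see Windows Defender ATP Alerts API fields (change title of the page according to link and add this part only once we finish working on the article with table of fields)` is an author-to-author reminder committed into reader-facing text, with no link target; it should not ship. Move it into an HTML comment (`<!-- TODO: ... -->`) or drop it until the fields article exists, then add it as a proper link. Also, the new "Pull Windows Defender ATP alerts using REST API" section is a heading plus a single cross-link; consider folding that link into the "In this section" table row that already points at generic-api-windows-defender-advanced-threat-protection.md rather than keeping a near-empty section.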
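Review bot: In the enable-siem-integration hunk at `@@ -46,6 +46,6 @@`, the retained context item `- Configure generic API` is bare text while its two sibling items are links, and the generic API page was renamed elsewhere in this patch; make it `- [Pull Windows Defender ATP alerts using REST API](generic-api-windows-defender-advanced-threat-protection.md)` so the "Related topics" list is consistent and navigable.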
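Review bot: In the generic-api hunk at `@@ -37,10 +37,10 @@`, the "Before you begin" bullet tells the reader to "enable the threat intelligence application in Azure Active Directory (AAD)" and links to enable-custom-ti-windows-defender-advanced-threat-protection.md, whereas the configure-aad hunk (`@@ -22,7 +22,7 @@`) has the SIEM alert flow authorize the "Windows Defender ATP Alerts Export application". Confirm which AAD application the REST alert pull actually depends on and link the matching enablement page; a reader following this page for SIEM ingestion could otherwise enable the wrong application and then fail to obtain a refresh token. The tokens in question grant read access to alert data, so the text should also be explicit that the Application ID and secret noted here are to be stored in the SIEM's credential store, not in the page or in shared configuration files.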
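Review bot: In the siem-portal-mapping hunk at `@@ -1,7 +1,7 @@`, the new keywords line `+keywords: alerts, pull alerts, rest api, request, response,` keeps a trailing comma that the generic-api hunk in this same patch removes from the equivalent line; drop it here too so the two front-matter blocks stay consistent.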