deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-25 03:37:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add image, update instructions

Browse Source
This commit is contained in:
jcaparas 2017-03-08 13:28:54 -08:00
parent 95453f5a31
commit c07c12a4e5
4 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/keep-secure/TOC.md
View File

@ -770,7 +770,6 @@
######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) ######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) ##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)

13
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -25,9 +25,10 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin ## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). - Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: - Have the refresh token that you generated from the SIEM integration feature ready.
- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL - OAuth 2 Token refresh URL
- OAuth 2 Client ID - OAuth 2 Client ID
- OAuth 2 Client secret - OAuth 2 Client secret
@ -66,15 +67,15 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
<td>oauth2</td> <td>oauth2</td>
<tr> <tr>
<td>OAuth 2 Token Refresh URL</td> <td>OAuth 2 Token Refresh URL</td>
<td> Value taken from AAD application</td> <td> Use the value from the file you saved from enabling the SIEM integration feature.</td>
</tr> </tr>
<tr> <tr>
<td>OAuth 2 Client ID</td> <td>OAuth 2 Client ID</td>
<td>Value taken from AAD application</td> <td>Use the value from the file you saved from enabling the SIEM integration feature.</td>
</tr> </tr>
<tr> <tr>
<td>OAuth 2 Client Secret</td> <td>OAuth 2 Client Secret</td>
<td>Value taken from AAD application</td> <td>Use the value from the file you saved from enabling the SIEM integration feature.</td>
</tr> </tr>
<tr> <tr>
<td>Response type</td> <td>Response type</td>

11
windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
View File

@ -25,6 +25,8 @@ Enable security information and event management (SIEM) integration so that you
1. In the navigation pane, select **Preferences setup** > **SIEM integration**. 1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
![Image of SIEM integration from Preferences setup menu](images/atp-siem-integration.png)
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
>[!WARNING] >[!WARNING]
@ -32,9 +34,18 @@ Enable security information and event management (SIEM) integration so that you
>For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
3. Choose the SIEM type you use in your organization. 3. Choose the SIEM type you use in your organization.
>[!NOTE]
>If you select HP ArcSight, you'll need to save these two configuration files:
> - WDATP-connector.jsonparser.properties
> - WDATP-connector.properties
4. Copy the individual values or select **Save details to file** to download a file that contains all the values. 4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
5. Select **Generate tokens** to get an access and refresh token. 5. Select **Generate tokens** to get an access and refresh token.
You can now proceed with configuring your SIEM solution. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. You can now proceed with configuring your SIEM solution. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
## Related topics
- [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- Configure generic API

BIN
windows/keep-secure/images/atp-siem-integration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 225 KiB